Delta Electronics CNCSoft-G2 Flaw CVE-2026-3094 Allows Remote Code Execution via Malicious DPAX Files
A critical out-of-bounds write vulnerability in Delta Electronics CNCSoft-G2's DOPSoft module allows remote attackers to execute arbitrary code by tricking users into opening a malicious DPAX file.

A critical vulnerability has been disclosed in Delta Electronics CNCSoft-G2, a software suite used for programming and managing CNC (Computer Numerical Control) machines. Tracked as CVE-2026-3094 and assigned a CVSS score of 7.8, the flaw resides in the DOPSoft module's parsing of DPAX files. An out-of-bounds write condition allows remote attackers to execute arbitrary code in the context of the current process, provided the target user is tricked into opening a malicious file or visiting a malicious page.
The specific weakness lies in the lack of proper validation of user-supplied data within the DPAX file parser. This oversight can result in a write operation that extends beyond the bounds of an allocated data structure, corrupting adjacent memory. An attacker can leverage this memory corruption to inject and execute arbitrary code, potentially gaining full control over the affected system. The vulnerability was responsibly disclosed to Delta Electronics by researcher Natnael Samson (@NattiSamson) on December 11, 2025.
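The bug class described above, shown in its hardened form as an added example (not Delta Electronics code and not from the advisory). The record layout, `NAME_CAP`, `screen_record`, `parse_record` and `classify` are hypothetical; the real DPAX format is not described on this page.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical record layout, NOT the real DPAX format:
 *   bytes 0-1: payload length, little-endian; bytes 2..: payload */
#define NAME_CAP 32
typedef struct { uint8_t name[NAME_CAP]; size_t name_len; } screen_record;
enum parse_status { PARSE_OK = 0, PARSE_TRUNCATED = 1, PARSE_TOO_LONG = 2 };

enum parse_status parse_record(const uint8_t *buf, size_t buf_len,
                               screen_record *out)
{
    if (buf_len < 2)
        return PARSE_TRUNCATED;          /* no room for the length field */
    size_t declared = (size_t)buf[0] | ((size_t)buf[1] << 8);
    /* The length comes from the file, so it is untrusted. Copying `declared`
     * bytes without this check writes past the end of out->name. */
    if (declared > NAME_CAP)
        return PARSE_TOO_LONG;
    if (declared > buf_len - 2)          /* input cannot back the length */
        return PARSE_TRUNCATED;
    memcpy(out->name, buf + 2, declared);
    out->name_len = declared;
    return PARSE_OK;
}

/* Constructed sample inputs. */
static const uint8_t SAMPLE_OK[]        = { 0x03, 0x00, 'H', 'M', 'I' };
static const uint8_t SAMPLE_OVERSIZED[] = { 0xFF, 0xFF, 'A' };
static const uint8_t SAMPLE_SHORT[]     = { 0x08, 0x00, 'A', 'B' };

/* Parse into a scratch record and return only the status code. */
int classify(const uint8_t *buf, size_t len)
{
    screen_record rec;
    return (int)parse_record(buf, len, &rec);
}

int main(void)
{
    printf("ok=%d oversized=%d short=%d\n", classify(SAMPLE_OK, sizeof SAMPLE_OK),
           classify(SAMPLE_OVERSIZED, sizeof SAMPLE_OVERSIZED),
           classify(SAMPLE_SHORT, sizeof SAMPLE_SHORT));
    return 0;
}
```

Both comparisons are needed: the first bounds the write into the fixed-size destination, the second bounds the read from the input buffer.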
CNCSoft-G2 is widely deployed in industrial environments for designing, simulating, and managing CNC machining operations. The DOPSoft module is specifically used for creating and editing human-machine interface (HMI) screens, making DPAX files a common exchange format in manufacturing settings. Because the attack vector requires user interaction—such as opening a malicious email attachment or visiting a compromised website—the vulnerability is particularly dangerous in environments where operators routinely share project files.
Delta Electronics has released an update to address CVE-2026-3094. The advisory from the Cybersecurity and Infrastructure Security Agency (CISA), referenced as ICSA-26-064-01, provides details on the affected versions and the recommended mitigation steps. Users and administrators of CNCSoft-G2 are strongly urged to apply the patch immediately to prevent potential exploitation. The coordinated public release of the advisory occurred on March 6, 2026, marking the end of the disclosure timeline.
This vulnerability is part of a broader trend of critical flaws being discovered in industrial control system (ICS) software. As manufacturing environments become increasingly connected, the attack surface for adversaries targeting operational technology (OT) networks expands. Out-of-bounds write vulnerabilities in file parsers are a recurring theme in ICS security advisories, as they often require minimal user interaction to achieve code execution.
Organizations using Delta Electronics CNCSoft-G2 should prioritize patching, especially if the software is used in environments where users may open files from untrusted sources. In addition to applying the vendor-supplied update, security teams should implement network segmentation to limit the exposure of CNC systems, enforce strict file access controls, and educate operators about the risks of opening unsolicited files. The CISA advisory provides further guidance on recommended security practices for ICS environments.
The discovery and coordinated disclosure of CVE-2026-3094 highlight the importance of collaboration between security researchers, vendors, and government agencies like CISA. By following responsible disclosure practices, researchers like Natnael Samson help ensure that patches are available before adversaries can weaponize the flaw. As the March 6, 2026 advisory release date shows, the timeline from initial report to public disclosure was approximately three months, a reasonable period for patch development and testing.