Cyber Posture

CVE-2025-22880

High

Published: 07 February 2025
Modified: 11 July 2025
KEV Added:
Patch
CVSS Score: 7.8 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS Score: 0.0008 (22.9th percentile)
Risk Priority: 16 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Description

Delta Electronics CNCSoft-G2 lacks proper validation of the length of user-supplied data prior to copying it to a fixed-length heap-based buffer. If a target visits a malicious page or opens a malicious file, an attacker can leverage this vulnerability to execute code in the context of the current process.

Security Summary

CVE-2025-22880, published on 2025-02-07, is a heap-based buffer overflow vulnerability in Delta Electronics' CNCSoft-G2 software. The flaw stems from a lack of proper validation of the length of user-supplied data prior to copying it into a fixed-length heap-based buffer, as classified under CWE-122. It carries a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

The attack vector is local (AV:L) with low attack complexity and no privileges required, but it depends on user interaction (UI:R): the attacker must persuade a user to visit a malicious web page or open a malicious file. Successful exploitation enables arbitrary code execution in the context of the current process, with high impact on confidentiality, integrity, and availability.

Delta Electronics has published security advisory PCSA-2025-00002, available at https://filecenter.deltaww.com/news/download/doc/Delta-PCSA-2025-00002_CNCSoft-G2%20-%20Heap-based%20Buffer%20Overflow_v1.pdf, which addresses the vulnerability.
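The record describes the CWE-122 pattern only in general terms: a length taken from untrusted input is used to copy data into a heap buffer of fixed size without first being validated. The following C example is added here to illustrate that weakness class and its fix; it is a constructed illustration, not Delta Electronics' code, and knows nothing about CNCSoft-G2's actual file format. The record layout (one declared-length byte followed by payload), the 16-byte buffer size, and all function names are assumptions made for the example.

```c
/* Constructed example (not Delta Electronics' code): the CWE-122 pattern
 * named in the record, a length-prefixed field copied into a fixed-size
 * heap buffer, shown first without a length check and then with the
 * validation that prevents the overflow. Record layout, buffer size and
 * names are assumptions made for this illustration. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define FIELD_CAP 16            /* fixed size of the heap buffer */

/* Hypothetical record: one byte of declared payload length, followed by
 * that many bytes of payload. When the file comes from an untrusted
 * source, the length byte is attacker-controlled. */
typedef struct {
    uint8_t *data;              /* heap buffer of FIELD_CAP bytes */
    size_t   len;               /* bytes actually copied */
} field_t;

/* Vulnerable form: the declared length is trusted, so a record whose
 * length byte exceeds FIELD_CAP writes past the end of the heap buffer.
 * Kept only for contrast; the demo calls it with a well-formed record. */
field_t *parse_field_unchecked(const uint8_t *rec, size_t rec_len)
{
    if (rec == NULL || rec_len < 1)
        return NULL;
    field_t *f = malloc(sizeof *f);
    if (!f) return NULL;
    f->data = malloc(FIELD_CAP);
    if (!f->data) { free(f); return NULL; }
    f->len = rec[0];
    memcpy(f->data, rec + 1, f->len);   /* heap overflow when rec[0] > 16 */
    return f;
}

/* Hardened form: validate the declared length against both the buffer
 * capacity and the bytes actually present in the record before copying.
 * Returns NULL on any malformed record instead of overflowing. */
field_t *parse_field_checked(const uint8_t *rec, size_t rec_len)
{
    if (rec == NULL || rec_len < 1)
        return NULL;
    size_t declared = rec[0];
    if (declared > FIELD_CAP || declared > rec_len - 1)
        return NULL;                    /* reject oversized or truncated */
    field_t *f = malloc(sizeof *f);
    if (!f) return NULL;
    f->data = malloc(FIELD_CAP);
    if (!f->data) { free(f); return NULL; }
    f->len = declared;
    memcpy(f->data, rec + 1, declared);
    return f;
}

void field_free(field_t *f)
{
    if (f) { free(f->data); free(f); }
}

/* 1 if the checked parser accepts the record, 0 if it rejects it. */
int record_is_accepted(const uint8_t *rec, size_t rec_len)
{
    field_t *f = parse_field_checked(rec, rec_len);
    int ok = f != NULL;
    field_free(f);
    return ok;
}

/* Constructed sample records. SAMPLE_BIG declares 64 payload bytes for a
 * 16-byte buffer; SAMPLE_SHORT declares 10 bytes but carries only 2. */
const uint8_t SAMPLE_GOOD[]  = { 4, 'a', 'b', 'c', 'd' };
const uint8_t SAMPLE_BIG[]   = { 64, 'a', 'b', 'c', 'd' };
const uint8_t SAMPLE_SHORT[] = { 10, 'a', 'b' };

int main(void)
{
    field_t *f = parse_field_unchecked(SAMPLE_GOOD, sizeof SAMPLE_GOOD);
    printf("unchecked parser, well-formed record: copied %zu bytes\n", f->len);
    field_free(f);
    printf("checked parser accepts well-formed record: %d\n",
           record_is_accepted(SAMPLE_GOOD, sizeof SAMPLE_GOOD));
    printf("checked parser accepts oversized record: %d\n",
           record_is_accepted(SAMPLE_BIG, sizeof SAMPLE_BIG));
    printf("checked parser accepts truncated record: %d\n",
           record_is_accepted(SAMPLE_SHORT, sizeof SAMPLE_SHORT));
    return 0;
}
```

The second condition in the hardened parser matters as much as the first: checking only `declared > FIELD_CAP` still allows a record that declares more payload than the file contains, turning the heap overflow into an out-of-bounds read. Running a parser of this shape under AddressSanitizer with fuzzed length bytes is the usual way to surface both defects before release.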

Details

CWE(s): CWE-122 (Heap-based Buffer Overflow)

Affected Products

Vendor: deltaww
Product: cncsoft-g2
Versions: ≤ 2.1.0.20
