// 6 ZERO-DAY · 8 CVE · 4 EXPLOIT IN THE LAST 24H
The ZDI-26-404 flaw in Delta Electronics DTM Soft industrial engineering software enables remote code execution via deserialization of malicious BIN project files. CVSS 4.0 score is 8.4 (HIGH).

Delta Electronics has released a patch for DTM Soft, engineering software for industrial automation devices, following the coordinated disclosure on July 15, 2026 of vulnerability ZDI-26-404 (CVE-2026-12578). The flaw allows arbitrary code execution in the context of the application process through unvalidated deserialization of BIN project files. User interaction is a necessary condition: opening a malicious file or visiting a web page that triggers its download activates the exploitation chain.

Key Takeaways
  • The CVE-2026-12578 vulnerability in Delta Electronics DTM Soft BIN file parsing allows remote code execution with a CVSS 4.0 score of 8.4 (HIGH).
  • The flaw is classified as CWE-502 (Deserialization of Untrusted Data) and requires user interaction: opening a file or visiting a malicious page.
  • The vulnerability was reported to the vendor on January 22, 2026; the coordinated advisory release occurred on July 15, 2026, a window of approximately 176 days.
  • CISA confirms no specific public exploitation is known at this time and classifies the affected sector as Critical Manufacturing.

The Mechanics of Weaponized Deserialization in Project Files

The specific flaw resides in the parsing of BIN files, the standard project format for DTM Soft. The defect stems from a lack of adequate validation of user-supplied data, which allows deserialization of untrusted data. An attacker can exploit this condition to execute code in the context of the current application process.

The attack vector is inherently tied to the workflow of automation engineers: BIN files are project documents that circulate daily via email, cloud storage services, or removable media. The seemingly innocuous nature of these files makes them ideal vehicles for targeted social engineering campaigns against OT operators who do not apply the same protections reserved for executables or Office macros.

"This vulnerability allows remote attackers to execute arbitrary code on affected installations of Delta Electronics DTM Soft. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file." — Advisory ZDI-26-404

From Vendor Report to Disclosure: The 176-Day Timeline

The vulnerability was reported to Delta Electronics on January 22, 2026 by kimiya, a researcher with Trend Micro Zero Day Initiative. The coordination period between the vendor and the bug bounty program lasted approximately 176 days, with public release set for July 15, 2026. Delta Electronics has issued a patch, although the dossier does not specify the exact patch release date nor the affected versions with numerical precision.

CISA replicated the advisory with identifier ICSA-26-176-06, adding critical infrastructure context. The U.S. agency assigns the vulnerability a CVSS 3.1 score of 7.8 (HIGH) and a CVSS 4.0 score of 8.4 (HIGH), both converging on high severity albeit with different scoring metrics. The difference between the two scores does not indicate a conflict between sources: it reflects the evolution of the CVSS standard, where version 4.0 redefines the granularity of attack vectors.

Why Industrial Project Files Are a Recurring Attack Vector

The weaponization of project files is not an anomaly in the OT sector. This episode fits a consolidated pattern: altered CAD documents, PLC projects with malicious ladder logic, modified HMI configurations have already served as vectors in targeted campaigns against manufacturing environments. The common characteristic is the abuse of the implicit trust that technical operators place in the native formats of engineering platforms.

DTM Soft represents a specific link in the chain: it enables configuration of Delta Electronics devices in industrial control environments. Its coexistence with OT control systems exposes the risk of lateral movement should the engineering workstation be compromised. CISA explicitly classifies the sector as Critical Manufacturing, indicating the strategic relevance of the asset.

The CISA recommendation for network isolation and VPN use for remote access carries particular weight in this scenario: the absence of known public exploitation does not eliminate risk, but shifts the time window toward structural prevention rather than incident response.

Immediate Actions

  • Apply the patch released by Delta Electronics for DTM Soft, verifying availability in the vendor's download section.
  • Isolate OT engineering workstations from the general corporate network and the internet, limiting remote access exclusively to controlled VPN connections.
  • Verify the origin of BIN project files before opening them, avoiding downloads from unverified web pages and re-enabling suspicious email attachments.
  • Monitor for anomalous DTM Soft processes on engineering stations, flagging executions with unexpected command-line arguments or file loads from unusual paths.

What the Dossier Does Not Clarify

The exact versions of DTM Soft affected do not emerge from primary sources, nor is the actual patch release date documented. The BIN format and the deserialization gadget chain employed are not technically detailed, preventing the construction of specific detection signatures. The size of the attack surface — the number of active DTM Soft installations in production environments — is not estimated by sources. Finally, the dossier does not document whether the fix is retroactive for previous releases or tied to a major version upgrade, a critical element for maintenance planning in OT systems with long validation cycles.

The lack of known public exploitation, confirmed by CISA, frames a potential rather than active risk scenario. The prevention window remains open, but the simplicity of the vector — a project file opened in good faith — demands that attention shift from the technical complexity of the attack to the discipline of document workflow in environments that still privilege functionality over integrity verification.

Sources

Information verified against cited sources and current as of publication.

Sources


Sources and references
  1. zerodayinitiative.com
  2. cve.org
  3. cisa.gov