CISA flags unpatched Delta DTM Soft code-execution flaw
The hard part is not finding the CVE, it is enforcing file hygiene and least privilege on plant-floor software before Delta ships a fix.
TL;DR
CISA issued ICSA-26-176-06 for CVE-2026-12578, a deserialization-of-untrusted-data flaw affecting all Delta Electronics DTM Soft versions. The CVSS v4.0 base score is 8.4 (high), and successful exploitation can execute arbitrary code when a malicious project file is opened. Critical manufacturing sites worldwide, including defense-industrial-base environments using the software, have no patch yet. Delta is working on a fix, so mitigation for now is file-handling discipline, standard-user execution and the usual ICS exposure controls.
CISA’s advisory is a practitioner problem, not a dashboard problem. Delta Electronics DTM Soft is affected across all versions, and CVE-2026-12578 sits in the familiar ugly class of ICS workstation bugs: deserialization of untrusted data, user-assisted exploitation, code execution if the wrong project file is opened. CISA reports no known public exploitation and says the vulnerability is not remotely exploitable, but that is not the same thing as low operational risk. In plants, engineering files move through email, network shares and USB media precisely because the work often has to happen around brittle production constraints.
Delta has not released a patch. CISA says Delta is aware of the vulnerability and working on a fix, while recommending that users avoid unsolicited project files, untrusted links and unexpected attachments from email, network shares or USB drives. Delta also tells users not to launch the software with “Run as Administrator,” because standard-user privileges limit the damage if malicious code runs.
For critical manufacturing operators and defense-industrial-base suppliers, the Monday work is boring and necessary: identify where DTM Soft is installed, restrict who can open project files, remove local administrator use where operations allow it, and make the file-transfer path auditable. Assessors should not treat this as a theoretical CVE entry. Until Delta publishes a fixed version, the compensating controls are the control.
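An added audit script for the workstation-side controls above (example code, not from CISA or Delta): it inventories DTM Soft installs from the Windows Uninstall registry keys, flags any RUNASADMIN compatibility layer that points into an install directory, and reports whether the interactive account is a local administrator. The Uninstall DisplayName pattern `*DTM Soft*` is an assumption about how the product registers itself.

```powershell
# Added example: audit an engineering workstation for DTM Soft installs and
# forced "Run as Administrator" settings. Run in an elevated or standard
# PowerShell session; read-only, changes nothing.
# ASSUMPTION: the product's Uninstall entry has a DisplayName matching this.
$NamePattern = '*DTM Soft*'

# 1. Inventory: where is DTM Soft installed, and which version?
$uninstallRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall'
)
$installs = foreach ($root in $uninstallRoots) {
    Get-ChildItem -Path $root -ErrorAction SilentlyContinue |
        ForEach-Object { Get-ItemProperty -Path $_.PSPath } |
        Where-Object { $_.DisplayName -like $NamePattern } |
        Select-Object DisplayName, DisplayVersion, InstallLocation, Publisher
}
if (-not $installs) { Write-Output "No DTM Soft install found on $env:COMPUTERNAME" }
$installs | Format-Table -AutoSize
$installDirs = @($installs | ForEach-Object { $_.InstallLocation } | Where-Object { $_ })

# 2. "Run as Administrator" is persisted per executable as a RUNASADMIN
#    compatibility layer; any such layer under a DTM Soft directory should go.
$layerRoots = @(
    'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers',
    'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers'
)
foreach ($root in $layerRoots) {
    $layers = Get-ItemProperty -Path $root -ErrorAction SilentlyContinue
    if (-not $layers) { continue }
    $layers.PSObject.Properties |
        Where-Object { $_.Name -like '*:\*' -and $_.Value -match 'RUNASADMIN' } |
        ForEach-Object {
            $exe = $_.Name
            $hit = $installDirs | Where-Object { $exe -like ($_.TrimEnd('\') + '\*') }
            $tag = if ($hit) { 'DTM Soft: remove this layer' } else { 'other app' }
            Write-Output ('{0}: {1} = {2}' -f $tag, $exe, $_.Value)
        }
}

# 3. Standard-user guidance only holds if the engineering account is not a
#    local admin. Direct membership check only; nested domain groups are
#    not expanded here.
$me = [Security.Principal.WindowsIdentity]::GetCurrent().Name
$isAdmin = [bool](Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -eq $me })
Write-Output "Interactive user $me is local Administrator: $isAdmin"
```

Run it from a central job against each workstation in the install inventory and keep the output: it is the evidence an assessor will ask for until Delta's fixed version lands.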
Published · Deep Fathom