Critical Bugs Spotted in Delta Industrial PLCs

These articles are AI-generated summaries. Please check the original sources for full details.

Critical Vulnerabilities in Delta Electronics PLCs

Researchers discovered four vulnerabilities in the DVP-12SE11T PLC, a popular controller in Asian industrial sectors like water treatment and food processing. Three of these vulnerabilities received a critical CVSS score above 9.0, highlighting significant risk.

While Delta released a firmware fix in early January 2026, the nature of PLCs – often running 24/7 and deeply embedded in OT networks – means patching may be delayed or impossible for many organizations. This discrepancy between ideal security practices and operational realities creates a substantial window of vulnerability, potentially leading to physical damage, injury, or even death due to compromised control systems.

Key Insights

  • CVSS Scores: The identified vulnerabilities range from 7.1 to 9.8 on the Common Vulnerability Scoring System (CVSS) in 2025.
  • OT Network Segmentation: The principle of “defense in depth” suggests PLCs should be isolated, but unencrypted and unauthenticated communications can bypass these defenses.
  • APT Threat Actors: China-based threat actors like Volt Typhoon, UNC3886, and APT41 are considered likely candidates for targeting OT systems, given their regional interests and tactics.

Practical Applications

  • Use Case: Water treatment facilities using Delta PLCs could experience disruption of service or contamination if compromised.
  • Pitfall: Delaying patching due to operational constraints leaves systems vulnerable to exploitation, even with available fixes.
