What is Delta Electronics DOPSoft 2?
Delta Electronics DOPSoft 2 is a human-machine interface (HMI) design and configuration software used in industrial control systems (ICS) environments. Engineers use DOPSoft 2 to create graphical operator interface screens for Delta Electronics' DOP series HMI hardware — touch panels and displays used on industrial machinery, manufacturing lines, and process control systems. HMI configuration files (project files) describe the operator interface layout, control logic, and connections to PLCs (programmable logic controllers). As EOL software used in operational technology (OT) environments, DOPSoft 2 vulnerabilities are of particular concern because ICS engineering workstations often have elevated access to production control networks.
Overview
CVE-2021-38406 is an out-of-bounds write vulnerability (CWE-787) in Delta Electronics DOPSoft 2 caused by improper validation of user-supplied data when parsing HMI project files. When DOPSoft 2 opens a specially crafted project file, insufficient input validation allows an attacker-controlled value to cause a write operation beyond the bounds of an allocated buffer — resulting in heap or stack corruption that can be exploited for arbitrary code execution. Delta Electronics has classified DOPSoft 2 as end-of-life and will not issue a patch; CISA's required action is to disconnect and cease use of the product. CISA added this to KEV in August 2022, published in ICS Advisory ICSA-21-252-02.
Affected Versions
| Product | Vulnerable | Fixed |
|---|---|---|
| Delta Electronics DOPSoft 2 (all versions) | Yes | No patch — EOL product; disconnect and remove |
Technical Details
- Root cause: Out-of-bounds write (CWE-787) — DOPSoft 2 parses project file formats without performing adequate bounds checking on size or offset fields in the file structure, allowing attacker-controlled values to trigger writes beyond allocated buffer boundaries
- Attack vector: Local (AV:L) with no privileges required and user interaction required (PR:N/UI:R) — the victim must open a malicious project file (e.g., delivered via spear-phishing email, shared drive, or social engineering to ICS engineers)
- ICS targeting: HMI project files are routinely shared between engineers and suppliers; a malicious project file disguised as a legitimate customer configuration or template is a plausible delivery mechanism in OT environments
- Code execution context: Exploitation achieves code execution on the engineering workstation running DOPSoft 2, potentially with the privileges of the logged-in engineer — who typically has access to OT networks, PLCs, and SCADA systems
- No patch available: Delta Electronics will not patch EOL software — the product must be removed from use
- OT network risk: Compromised ICS engineering workstations can be used to modify PLC logic, disrupt industrial processes, or provide a pivot point for lateral movement into OT networks
Discovery
Reported to CISA and coordinated through ICS-CERT (now ICS advisory process). CISA published ICSA-21-252-02 on September 9, 2021, disclosing multiple vulnerabilities in DOPSoft 2, including CVE-2021-38406.
Exploitation Context
ICS HMI software vulnerabilities are targeted by nation-state industrial espionage actors and sabotage-focused threat groups. Engineering workstations running HMI design software like DOPSoft 2 are typically less well-protected than IT systems, often running older operating systems, and have privileged access to OT production networks. The CISA KEV addition in August 2022 confirms that threat actors are actively targeting organizations running this EOL software, likely for initial access into ICS environments.
Remediation
- Disconnect and remove DOPSoft 2 immediately — the product is EOL with no patch forthcoming; CISA's required action is to discontinue use
- Migrate HMI design work to Delta Electronics DOPSoft (the successor product) or an alternative HMI design tool that receives security updates
- Apply network segmentation: OT engineering workstations should not have unrestricted internet or corporate network access — use data diodes or unidirectional security gateways for any necessary communication
- Do not open project files from untrusted sources on workstations with OT network access; validate the source and integrity of any HMI project files before opening
- If removal is temporarily delayed, air-gap the workstation and scan all project files in a sandboxed environment before opening on the production engineering station
Key Details
| Property | Value |
|---|---|
| CVE ID | CVE-2021-38406 |
| Vendor / Product | Delta Electronics — DOPSoft 2 |
| NVD Published | 2021-09-17 |
| NVD Last Modified | 2025-10-30 |
| CVSS 3.1 Score | 7.8 |
| CVSS 3.1 Vector | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| Severity | HIGH |
| CWE | CWE-787 find similar ↗ |
| CISA KEV Added | 2022-08-25 |
| CISA KEV Deadline | 2022-09-15 |
| Known Ransomware Use | No |
CVSS 3.1 Breakdown
Required Action
Timeline
| Date | Event |
|---|---|
| 2021-09-09 | CISA publishes ICS Advisory ICSA-21-252-02 for Delta Electronics DOPSoft 2 vulnerabilities |
| 2021-09-17 | CVE-2021-38406 published |
| 2022-08-25 | Added to CISA Known Exploited Vulnerabilities catalog |
| 2022-09-15 | CISA BOD 22-01 remediation deadline |
References
| Resource | Type |
|---|---|
| CISA ICS Advisory ICSA-21-252-02 — Delta Electronics DOPSoft 2 | Vendor Advisory |
| NVD — CVE-2021-38406 | Vulnerability Database |
| CISA KEV Catalog Entry | US Government |