CVE-2021-38406

Summary

CVE	CVE-2021-38406
State	PUBLIC
Assigner	[email protected]
Source Priority	CVE Program / NVD first with legacy fallback
Published	2021-09-17 19:15:00 UTC
Updated	2021-10-04 18:13:00 UTC
Description	Delta Electronic DOPSoft 2 (Version 2.00.07 and prior) lacks proper validation of user-supplied data when parsing specific project files. This could result in multiple out-of-bounds write instances. An attacker could leverage this vulnerability to execute code in the context of the current process.

Risk And Classification

EPSS: 0.675000000 probability, percentile 0.985650000 (date 2026-04-04)

CISA KEV: Listed on 2022-08-25; due 2022-09-15; ransomware use Unknown

Problem Types: CWE-787

CISA Known Exploited Vulnerability

Vendor	Delta Electronics
Product	DOPSoft 2
Name	Delta Electronics DOPSoft 2 Improper Input Validation Vulnerability
Required Action	The impacted product is end-of-life and should be disconnected if still in use.
Notes	https://www.cisa.gov/uscert/ics/advisories/icsa-21-252-02; https://nvd.nist.gov/vuln/detail/CVE-2021-38406

NVD Known Affected Configurations (CPE 2.3)

Type	Vendor	Product	Version	Update	Edition	Language
Application	Deltaww	Dopsoft	All	All	All	All

References

Reference	Source	Link	Tags
Delta Electronics DOPSoft 2 \| CISA	MISC	us-cert.cisa.gov
CVE Program record	CVE.ORG	www.cve.org	canonical
NVD vulnerability detail	NVD	nvd.nist.gov	canonical, analysis
CISA Known Exploited Vulnerabilities catalog	CISA	www.cisa.gov	kev

Vendor Comments And Credit

Discovery Credit

LEGACY: kimiya, working with Trend Micro’s Zero Day Initiative

Legacy QID Mappings

590799 Delta Electronics DOPSoft 2 Multiple Vulnerabilities (ICSA-21-252-02)