CVE-2021-38406 - Vulnerability Details - OpenCVE

Delta Electronic DOPSoft 2 (Version 2.00.07 and prior) lacks proper validation of user-supplied data when parsing specific project files. This could result in multiple out-of-bounds write instances. An attacker could leverage this vulnerability to execute code in the context of the current process.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

This CVE is in the KEV database since Aug. 25, 2022.

Exploitation active

Automatable no

Technical Impact total

Vendors	Products
Deltaww	Dopsoft

Configuration 1 [-]

cpe:2.3:a:deltaww:dopsoft:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://us-cert.cisa.gov/ics/advisories/icsa-21-252-02
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-38406

History

Wed, 22 Oct 2025 00:30:00 +0000

Type	Values Removed	Values Added
References		https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-38406

Tue, 21 Oct 2025 20:30:00 +0000

Type	Values Removed	Values Added
References	https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-38406

Tue, 21 Oct 2025 19:30:00 +0000

Type	Values Removed	Values Added
References		https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-38406

Tue, 10 Jun 2025 17:15:00 +0000

Type	Values Removed	Values Added
Metrics		kev `{'dateAdded': '2022-08-25'}` ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'active', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

MITRE

Status: PUBLISHED

Assigner: icscert

Published: 2021-09-17T18:54:29.386Z

Updated: 2025-10-21T23:25:32.113Z

Reserved: 2021-08-10T00:00:00.000Z

Link: CVE-2021-38406

Vulnrichment

Updated: 2024-08-04T01:37:16.611Z

NVD

Status : Analyzed

Published: 2021-09-17T19:15:08.710

Modified: 2025-10-30T15:54:29.457

Link: CVE-2021-38406

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "DOPSoft 2", "vendor": "Delta Electronics", "versions": [{"lessThanOrEqual": "2.00.07", "status": "affected", "version": "unspecified", "versionType": "custom"}]}], "credits": [{"lang": "en", "value": "kimiya, working with Trend Micro\u2019s Zero Day Initiative"}], "datePublic": "2021-09-09T00:00:00.000Z", "descriptions": [{"lang": "en", "value": "Delta Electronic DOPSoft 2 (Version 2.00.07 and prior) lacks proper validation of user-supplied data when parsing specific project files. This could result in multiple out-of-bounds write instances. An attacker could leverage this vulnerability to execute code in the context of the current process."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-787", "description": "CWE-787 Out-of-bounds Write", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2021-09-17T18:54:29.000Z", "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "shortName": "icscert"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://us-cert.cisa.gov/ics/advisories/icsa-21-252-02"}], "solutions": [{"lang": "en", "value": "DOPSoft 2 will not receive an update to mitigate these vulnerabilities because it is an end-of-life product. Delta Electronics recommends users to switch to the replacement software when available"}], "source": {"advisory": "ICSA-21-252-02", "discovery": "UNKNOWN"}, "title": "Delta Electronics DOPSoft 2 Out-of-Bounds Write", "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "ics-cert@hq.dhs.gov", "DATE_PUBLIC": "2021-09-09T14:34:00.000Z", "ID": "CVE-2021-38406", "STATE": "PUBLIC", "TITLE": "Delta Electronics DOPSoft 2 Out-of-Bounds Write"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "DOPSoft 2", "version": {"version_data": [{"version_affected": "<=", "version_value": "2.00.07"}]}}]}, "vendor_name": "Delta Electronics"}]}}, "credit": [{"lang": "eng", "value": "kimiya, working with Trend Micro\u2019s Zero Day Initiative"}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Delta Electronic DOPSoft 2 (Version 2.00.07 and prior) lacks proper validation of user-supplied data when parsing specific project files. This could result in multiple out-of-bounds write instances. An attacker could leverage this vulnerability to execute code in the context of the current process."}]}, "generator": {"engine": "Vulnogram 0.0.9"}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-787 Out-of-bounds Write"}]}]}, "references": {"reference_data": [{"name": "https://us-cert.cisa.gov/ics/advisories/icsa-21-252-02", "refsource": "MISC", "url": "https://us-cert.cisa.gov/ics/advisories/icsa-21-252-02"}]}, "solution": [{"lang": "en", "value": "DOPSoft 2 will not receive an update to mitigate these vulnerabilities because it is an end-of-life product. Delta Electronics recommends users to switch to the replacement software when available"}], "source": {"advisory": "ICSA-21-252-02", "discovery": "UNKNOWN"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T01:37:16.611Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://us-cert.cisa.gov/ics/advisories/icsa-21-252-02"}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2021-38406", "role": "CISA Coordinator", "options": [{"Exploitation": "active"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-02-04T14:44:03.809123Z"}}}, {"other": {"type": "kev", "content": {"dateAdded": "2022-08-25", "reference": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-38406"}}}], "references": [{"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-38406", "tags": ["government-resource"]}], "timeline": [{"time": "2022-08-25T00:00:00+00:00", "lang": "en", "value": "CVE-2021-38406 added to CISA KEV"}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-10-21T23:25:32.113Z"}}]}, "cveMetadata": {"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "assignerShortName": "icscert", "cveId": "CVE-2021-38406", "datePublished": "2021-09-17T18:54:29.386Z", "dateReserved": "2021-08-10T00:00:00.000Z", "dateUpdated": "2025-10-21T23:25:32.113Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://us-cert.cisa.gov/ics/advisories/icsa-21-252-02", "tags": ["x_refsource_MISC", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T01:37:16.611Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2021-38406", "role": "CISA Coordinator", "options": [{"Exploitation": "active"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-02-04T14:44:03.809123Z"}}}, {"other": {"type": "kev", "content": {"dateAdded": "2022-08-25", "reference": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-38406"}}}], "timeline": [{"lang": "en", "time": "2022-08-25T00:00:00+00:00", "value": "CVE-2021-38406 added to CISA KEV"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-02-04T14:44:13.565Z"}}], "cna": {"title": "Delta Electronics DOPSoft 2 Out-of-Bounds Write", "source": {"advisory": "ICSA-21-252-02", "discovery": "UNKNOWN"}, "credits": [{"lang": "en", "value": "kimiya, working with Trend Micro\u2019s Zero Day Initiative"}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.8, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "Delta Electronics", "product": "DOPSoft 2", "versions": [{"status": "affected", "version": "unspecified", "versionType": "custom", "lessThanOrEqual": "2.00.07"}]}], "solutions": [{"lang": "en", "value": "DOPSoft 2 will not receive an update to mitigate these vulnerabilities because it is an end-of-life product. Delta Electronics recommends users to switch to the replacement software when available"}], "datePublic": "2021-09-09T00:00:00.000Z", "references": [{"url": "https://us-cert.cisa.gov/ics/advisories/icsa-21-252-02", "tags": ["x_refsource_MISC"]}], "x_generator": {"engine": "Vulnogram 0.0.9"}, "descriptions": [{"lang": "en", "value": "Delta Electronic DOPSoft 2 (Version 2.00.07 and prior) lacks proper validation of user-supplied data when parsing specific project files. This could result in multiple out-of-bounds write instances. An attacker could leverage this vulnerability to execute code in the context of the current process."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-787", "description": "CWE-787 Out-of-bounds Write"}]}], "providerMetadata": {"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "shortName": "icscert", "dateUpdated": "2021-09-17T18:54:29.000Z"}, "x_legacyV4Record": {"credit": [{"lang": "eng", "value": "kimiya, working with Trend Micro\u2019s Zero Day Initiative"}], "impact": {"cvss": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.8, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, "source": {"advisory": "ICSA-21-252-02", "discovery": "UNKNOWN"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"version": {"version_data": [{"version_value": "2.00.07", "version_affected": "<="}]}, "product_name": "DOPSoft 2"}]}, "vendor_name": "Delta Electronics"}]}}, "solution": [{"lang": "en", "value": "DOPSoft 2 will not receive an update to mitigate these vulnerabilities because it is an end-of-life product. Delta Electronics recommends users to switch to the replacement software when available"}], "data_type": "CVE", "generator": {"engine": "Vulnogram 0.0.9"}, "references": {"reference_data": [{"url": "https://us-cert.cisa.gov/ics/advisories/icsa-21-252-02", "name": "https://us-cert.cisa.gov/ics/advisories/icsa-21-252-02", "refsource": "MISC"}]}, "data_format": "MITRE", "description": {"description_data": [{"lang": "eng", "value": "Delta Electronic DOPSoft 2 (Version 2.00.07 and prior) lacks proper validation of user-supplied data when parsing specific project files. This could result in multiple out-of-bounds write instances. An attacker could leverage this vulnerability to execute code in the context of the current process."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-787 Out-of-bounds Write"}]}]}, "data_version": "4.0", "CVE_data_meta": {"ID": "CVE-2021-38406", "STATE": "PUBLIC", "TITLE": "Delta Electronics DOPSoft 2 Out-of-Bounds Write", "ASSIGNER": "ics-cert@hq.dhs.gov", "DATE_PUBLIC": "2021-09-09T14:34:00.000Z"}}}}, "cveMetadata": {"cveId": "CVE-2021-38406", "state": "PUBLISHED", "dateUpdated": "2025-10-21T18:45:56.530Z", "dateReserved": "2021-08-10T00:00:00.000Z", "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "datePublished": "2021-09-17T18:54:29.386Z", "assignerShortName": "icscert"}, "dataVersion": "5.1"}

{"cisaActionDue": "2022-09-15", "cisaExploitAdd": "2022-08-25", "cisaRequiredAction": "The impacted product is end-of-life and should be disconnected if still in use.", "cisaVulnerabilityName": "Delta Electronics DOPSoft 2 Improper Input Validation Vulnerability", "configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:deltaww:dopsoft:*:*:*:*:*:*:*:*", "matchCriteriaId": "B5964F12-0B63-4F7B-AF5D-AB8035660CE2", "versionEndIncluding": "2.00.07", "versionStartIncluding": "2.00", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Delta Electronic DOPSoft 2 (Version 2.00.07 and prior) lacks proper validation of user-supplied data when parsing specific project files. This could result in multiple out-of-bounds write instances. An attacker could leverage this vulnerability to execute code in the context of the current process."}, {"lang": "es", "value": "Delta Electronic DOPSoft 2 (versiones 2.00.07 y anteriores) no comprueban apropiadamente los datos suministrados por el usuario cuando analiza archivos de proyecto espec\u00edficos. Esto podr\u00eda resultar en m\u00faltiples instancias de escritura fuera de l\u00edmites. Un atacante podr\u00eda aprovechar esta vulnerabilidad para ejecutar c\u00f3digo en el contexto del proceso actual"}], "id": "CVE-2021-38406", "lastModified": "2025-10-30T15:54:29.457", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 6.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "ics-cert@hq.dhs.gov", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-09-17T19:15:08.710", "references": [{"source": "ics-cert@hq.dhs.gov", "tags": ["Third Party Advisory", "US Government Resource"], "url": "https://us-cert.cisa.gov/ics/advisories/icsa-21-252-02"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory", "US Government Resource"], "url": "https://us-cert.cisa.gov/ics/advisories/icsa-21-252-02"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["US Government Resource"], "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-38406"}], "sourceIdentifier": "ics-cert@hq.dhs.gov", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-787"}], "source": "ics-cert@hq.dhs.gov", "type": "Secondary"}]}