
The vulnerabilities expose core industrial control systems to sabotage, risking production shutdowns, safety incidents, and geopolitical leverage. Prompt patching is essential to protect critical infrastructure and prevent state‑sponsored OT attacks.
Programmable logic controllers (PLCs) are the nervous system of modern factories, translating digital commands into physical motion. Delta Electronics’ DVP‑12SE11T has become a staple in Asian water‑treatment and food‑processing plants due to its low cost and ease of integration. The recent discovery by OPSWAT’s Unit 515 of four vulnerabilities—three rated critical—highlights a growing blind spot: even budget‑oriented PLCs can harbor deep, exploitable flaws that bypass authentication and manipulate memory, undermining the very safety mechanisms operators rely on.
From a technical perspective, CVE‑2025‑15102 and CVE‑2025‑15103 strip away authentication checks, allowing attackers to impersonate legitimate users and harvest password data. CVE‑2025‑15358 can freeze the controller, forcing costly manual recovery, while CVE‑2025‑15359’s out‑of‑bounds write threatens process integrity, potentially causing equipment to run at unsafe speeds or temperatures. Such capabilities are especially attractive to nation‑state actors; analysts note that China’s APT groups, including Volt Typhoon and APT41, have a history of targeting OT assets in the Taiwan‑centric supply chain, using these weaknesses to gain strategic leverage in the region.
Mitigation hinges on rapid firmware deployment, yet OT environments often prioritize uptime over security, delaying patches for weeks or months. Organizations should adopt a layered defense: network segmentation, strict access controls, and continuous monitoring of PLC traffic to detect anomalous commands. Additionally, employing intrusion‑detection systems tailored for industrial protocols can flag exploitation attempts before they cause physical harm. As the industrial sector increasingly converges with IT, the Delta PLC case serves as a cautionary tale that even seemingly modest devices demand rigorous security governance to safeguard critical infrastructure.