
Trio of Critical Bugs Spotted in Delta Industrial PLCs
Why It Matters
The vulnerabilities expose core industrial control systems to sabotage, risking production shutdowns, safety incidents, and geopolitical leverage. Prompt patching is essential to protect critical infrastructure and prevent state‑sponsored OT attacks.
Researchers have identified one high‑ and three critical‑severity vulnerabilities in a brand of programmable logic controller (PLC) popular at industrial sites in Asia.
The DVP‑12SE11T, by Taiwan's Delta Electronics, is a cut‑rate PLC popular in a variety of sensitive sectors in Asia, such as water treatment and food and beverage processing. In August 2025, researchers from OPSWAT's Unit 515 cracked into it and discovered four serious vulnerabilities, three of which ranked above 9 out of 10 in the Common Vulnerability Scoring System (CVSS).
Just before the 2026 New Year, Delta Electronics pushed a firmware fix for all four vulnerabilities to its customers. Because PLCs are by their nature buried deep inside operational networks—some of which are designed to run 24/7—not all organizations will be willing or able to patch the issues any time soon.
Dark Reading has reached out to Delta Electronics for comment on this story.
Critical Vulnerabilities in Delta Electronics PLCs
There are four newly spotted vulnerabilities in the DVP‑12SE11T:
- CVE‑2025‑15102 (CVSS 9.1, critical): A lack of authentication enforcement in a security‑critical code path, allowing arbitrary attackers to bypass authentication by sending specially crafted packets under certain conditions.
- CVE‑2025‑15103 (CVSS 9.8, critical): A weakness in the device's authentication handling logic could empower attackers to leak some information pertaining to user passwords.
- CVE‑2025‑15358 (CVSS 7.1, high): Insufficient validation in memory‑handling functionality allows unauthenticated attackers to freeze the device until defenders take certain recovery actions.
- CVE‑2025‑15359 (CVSS 9.1, critical): An out‑of‑bounds write vulnerability could impact integrity and cause unexpected device behaviors.
Loc Nguyen, penetration‑test team lead of OPSWAT's Unit 515, emphasizes that vulnerabilities in PLCs carry horrific potential consequences.
“Because these types of controllers are commonly used in simple operations, packaging lines, and high‑speed motion control such as robotic integration and servos, a hack can directly affect physical processes. An attacker who gains control of the device can trigger unsafe conditions that may even result in severe injury or death,” he says.
Cybercriminals off the street might not be able to perform attacks that reach deep enough into OT networks to touch PLCs. Plenty of state‑level attackers can, though, and more than any other state, China is the biggest player in this space, especially given its strategic interests in Taiwan and the broader APAC region, says Michael Arcamone, chief security and strategy officer of OPSWAT.
“Delta's headquarters in Taipei and the likelihood that PLC manufacturing occurs in‑country further elevate the risk profile. Groups such as Volt Typhoon, UNC3886, and APT41 are likely candidates for OT‑related targeting and scanning, due to their proclivity for living‑off‑the‑land tactics.”
Do PLC Vulnerabilities Even Matter?
Considering how close they are and how much control they wield over critical—and even safety‑critical—industrial processes, one might imagine that PLCs are first on any OT practitioner’s list of machines to secure. Nguyen recommends that vendors apply Delta’s patch “as soon as reasonably possible” — “possible” varying widely depending on the nature of the industrial site in question.
Within OT security circles, however, the debate is less often about PLC vulnerabilities than whether their vulnerabilities are really all that important to begin with.
“On the one hand, PLCs directly control the physical process and so the consequences of sabotage can be severe,” says Andrew Ginter, vice president of industrial security at Waterfall Security Solutions. “On the other hand, they are supposed to be deep within defensive architecture, making them hard to reach, and not by accident.”
Cybersecurity practitioners often refer to defense in depth, but PLCs are quite literally defended — to some non‑trivial degree — by their depth.
“PLCs are often safety‑critical and reliability‑critical, so the need and cost of testing are both very high,” Ginter points out. “For this reason, security updates are often not applied promptly, if at all. Worse, a lot of PLC communications are unencrypted and unauthenticated. So you don’t actually need to exploit a vulnerability to mis‑operate them — you can just connect to them across the network, and tell them to do the wrong thing.”
“There's lots of debate about this,” he says. “It's heated.”
About the Author

Nate Nelson is a writer based in New York City. He formerly worked as a reporter at Threatpost, and wrote Malicious Life, an award‑winning Top 20 tech podcast on Apple and Spotify. Outside of Dark Reading, he also co‑hosts The Industrial Security Podcast.