Advisory

Critical Security Flaws Reported in Delta Electronics DVP PLCs

Take action: Make sure all industrial devices are isolated from the internet and accessible from trusted networks only. Plan a quick update of your Delta DVP-12SE11T PLCs to firmware 2.16, and use network segmentation to prevent attackers from moving between your corporate and industrial networks.



OPSWAT Unit 515 reports several critical security holes in Delta Electronics DVP-12SE11T programmable logic controllers (PLCs). 

These devices manage industrial automation and process control in factories and utilities. If attackers exploit these flaws, they can take over industrial processes or shut down operations. 

Vulnerabilities summary:

  • CVE-2025-15103 (CVSS score 9.8) - Authentication bypass through partial password disclosure.
  • CVE-2025-15102 (CVSS score 9.1) - Insufficient authentication enforcement allowing remote bypass.
  • CVE-2025-15359 (CVSS score 9.1) - Out-of-bounds memory write due to poor bounds checking, which lets attackers corrupt the device's memory.
  • CVE-2025-15358 (CVSS score 7.1) - Memory handling flaw causing the device to become unresponsive, creating a denial-of-service state. 

Delta Electronics worked with researchers to fix these issues in late 2025.

Delta Electronics released firmware version 2.16 to fix these vulnerabilities. Organizations should update their devices as soon as possible, keep PLCs isolated from the public internet, and use firewalls to isolate them from business networks. Use a VPN for any remote access.
