PROBABLYPWNED
Vulnerabilities | March 9, 2026 | 3 min read

Delta Electronics COMMGR2 Flaws Score CVSS 9.8

Two critical vulnerabilities in Delta Electronics COMMGR2 enable remote code execution without authentication. ICS operators should patch to v2.11.1 immediately.

Marcus Chen

Delta Electronics released patches for two critical vulnerabilities affecting COMMGR2, its communication management software widely deployed in industrial automation environments. Both flaws allow unauthenticated remote attackers to execute arbitrary code on affected systems—a worst-case scenario for operational technology networks.

CVE-2026-3630 is a stack-based buffer overflow carrying a CVSS score of 9.8. The companion vulnerability, CVE-2026-3631, is an out-of-bounds read that scores 7.5 and enables denial-of-service attacks. Both affect COMMGR2 versions 2.11.0 and earlier on Windows platforms.

What Makes These Vulnerabilities Dangerous

The attack parameters are about as bad as they get: network-accessible, no authentication required, no user interaction needed. An attacker with network access to COMMGR2 can trigger the buffer overflow remotely, potentially gaining full control over the host system. In ICS environments, that often means access to PLCs, HMIs, and other process control equipment.

COMMGR2 serves as a communication gateway in Delta's industrial automation ecosystem. It handles protocol conversion and data exchange between various devices—exactly the kind of chokepoint attackers target when trying to pivot through OT networks.

The stack-based buffer overflow (CWE-121) occurs due to improper bounds checking on input data. Successful exploitation gives attackers the ability to overwrite return addresses and hijack program execution. The out-of-bounds read vulnerability, while less severe, can crash the service and disrupt industrial operations.
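To make the weakness class concrete, the following is an added illustration written for this article, not code from COMMGR2 or Delta Electronics. It uses a constructed, hypothetical frame format (tag byte, big-endian length, payload) to show the CWE-121 pattern the article describes, where a length taken from the message is trusted for a copy into a fixed stack buffer, alongside the bounds checks that a hardened handler applies; the same missing check also produces the out-of-bounds read that appears as the companion bug class.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define PAYLOAD_MAX 64
#define FRAME_HDR   3

/* Constructed frame layout (hypothetical, not COMMGR2's real wire format):
 * byte 0: message tag; bytes 1-2: payload length, big-endian; bytes 3..: payload */

/* CWE-121 pattern: the declared length is trusted as the copy size, so a
 * length above PAYLOAD_MAX overwrites the stack past 'payload'. A declared
 * length above the bytes actually received also makes memcpy read past
 * 'frame' (the out-of-bounds-read companion). Shown for contrast only. */
int handle_frame_unsafe(const uint8_t *frame, size_t received) {
    uint8_t payload[PAYLOAD_MAX];
    size_t len = ((size_t)frame[1] << 8) | frame[2];
    (void)received;                            /* received size ignored */
    memcpy(payload, frame + FRAME_HDR, len);   /* unbounded copy */
    return (int)len;
}

/* Hardened version: the length is checked against both the destination
 * capacity and the bytes actually on the wire before any copy.
 * Returns the payload length on success, -1 when the frame is rejected. */
int handle_frame_safe(const uint8_t *frame, size_t received,
                      uint8_t *out, size_t out_cap) {
    if (frame == NULL || out == NULL || received < FRAME_HDR)
        return -1;                              /* header incomplete */
    size_t len = ((size_t)frame[1] << 8) | frame[2];
    if (len > out_cap)
        return -1;                              /* would overflow 'out' */
    if (len > received - FRAME_HDR)
        return -1;                              /* would read past 'frame' */
    memcpy(out, frame + FRAME_HDR, len);
    return (int)len;
}

/* Constructed sample frames, not captured from any real device. */
static const uint8_t FRAME_OK[]  = {0x01, 0x00, 0x04, 'D', 'A', 'T', 'A'};
static const uint8_t FRAME_LIE[] = {0x01, 0x10, 0x00, 'D', 'A', 'T', 'A'}; /* claims 4096 */

int main(void) {
    uint8_t out[PAYLOAD_MAX];
    printf("honest frame -> %d\n", handle_frame_safe(FRAME_OK, sizeof FRAME_OK, out, sizeof out));
    printf("lying frame  -> %d\n", handle_frame_safe(FRAME_LIE, sizeof FRAME_LIE, out, sizeof out));
    return 0;
}
```

The two rejections in handle_frame_safe are the checks that matter when auditing a gateway's parsers: one against the destination buffer, one against the bytes actually received.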

Affected Versions and Remediation

All COMMGR2 installations running versions 0 through 2.11.0 are vulnerable. Delta Electronics published advisory Delta-PCSA-2026-00005 with remediation guidance.

Immediate actions:

  1. Upgrade COMMGR2 to version 2.11.1 or later
  2. Restrict network access to COMMGR2 systems using firewall rules
  3. Monitor for unusual connection attempts to COMMGR2 services
  4. Segment OT networks from corporate IT infrastructure

If patching isn't immediately possible, isolate affected systems behind additional network controls. These vulnerabilities have already been sighted in the wild—two separate observations according to threat tracking databases.

ICS Vulnerabilities Continue to Surge

This disclosure follows a pattern of critical ICS vulnerabilities hitting the industry in recent weeks. CISA recently added Hikvision and Rockwell vulnerabilities to its Known Exploited Vulnerabilities catalog, underscoring the sustained targeting of industrial systems. The MongoDB memory vulnerability we covered earlier demonstrates that both IT and OT platforms remain under heavy scrutiny from vulnerability researchers and attackers alike.

Delta Electronics has historically been responsive to security reports, but ICS vendors across the board struggle with the long patch cycles inherent to operational technology. Many facilities run equipment that can't be taken offline for updates without significant production impact.

Why This Matters

Buffer overflows in industrial software carry consequences beyond typical IT breaches. Compromising a communication gateway can give attackers visibility into process data, the ability to manipulate control signals, or simply the power to halt operations. For manufacturing facilities, energy infrastructure, or water treatment plants running Delta equipment, these patches should be treated as emergency priorities.

The severity metrics shared by the two CVEs, one rated critical and the other high, suggest the underlying code paths share similar weaknesses. Organizations should audit their Delta Electronics deployments comprehensively, not just systems running COMMGR2. Where there's one buffer overflow, there are often more.
