Description
Delta Electronics DVP12SE PLC exposes a Modbus TCP service over a specified port without authentication or access control, permitting unauthenticated interaction with security-sensitive PLC functions.
Published: 2026-06-30
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The DVP-12SE programmable logic controller runs a Modbus TCP service that is exposed on a specified port but offers no authentication or access control. This flaw allows any network participant to connect and issue Modbus commands that interact with security-sensitive PLC functions, enabling unauthorized writes to the controller’s logic, parameters, or operational state. Such unauthorized modifications can compromise the integrity of industrial processes and potentially cause safety or availability incidents.

Affected Systems

Delta Electronics PLCs model DVP-12SE are affected; the specific firmware or software version is not listed in the CVE data, but the vulnerability applies to all deployments of the DVP-12SE platform that expose the Modbus TCP service.

Risk and Exploitability

The vulnerability has a CVSS score of 9.3, indicating a high severity and a likely possibility of remote exploitation. EPSS data is not available, and the vulnerability is not currently listed in CISA’s KEV catalog. The attack vector is inferred to be network-based, where an unauthenticated attacker initiates Modbus TCP communication to the PLC and performs unauthorized writes. The weakness is classified as CWE‑306, reflecting missing authentication.

Generated by OpenCVE AI on June 30, 2026 at 08:21 UTC.

Remediation

Vendor Workaround

Users are recommended to take the following mitigation measures: * Enable the IP Filter feature: Configure and enable the PLC's built-in IP Filter function via the programming software. Restrict access exclusively to the IP addresses of trusted devices (such as designated HMI panels or SCADA hosts) to block unauthorized network access. * Set up PLC password protection: Enable password protection for the PLC within the programming software to ensure the device's core control logic and parameters cannot be easily downloaded, overwritten, or tampered with. * Implement network isolation and firewall protection: Deploy the PLC within an independent local area network (OT control network) secured by a firewall. Never connect the device directly to the office network or the Internet. If remote access is required, enforce the use of a secure, authorized VPN tunnel.

OpenCVE Recommended Actions

  • Apply any vendor-released patch or firmware update for the Delta DVP‑12SE PLC when available.
  • Configure and enable the PLC’s built‑in IP Filter feature via the programming software, restricting Modbus TCP access only to trusted IP addresses such as designated HMI panels or SCADA hosts.
  • Enable password protection for the PLC within the programming software to secure the controller’s core logic and parameters from being downloaded or overwritten.
  • Deploy the PLC on an isolated OT local area network protected by a firewall, and ensure it is not directly connected to the office network or the Internet; use a secure VPN tunnel if remote access is required.

Generated by OpenCVE AI on June 30, 2026 at 08:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 30 Jun 2026 13:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 30 Jun 2026 07:15:00 +0000

Type Values Removed Values Added
Description Delta Electronics DVP12SE PLC exposes a Modbus TCP service over a specified port without authentication or access control, permitting unauthenticated interaction with security-sensitive PLC functions.
Title DVP-12SE Missing Authentication and Unauthorized Write access Vulnerability
First Time appeared Deltaww
Deltaww dvp-12se
Weaknesses CWE-306
CPEs cpe:2.3:a:deltaww:dvp-12se:*:*:*:*:*:*:*:*
Vendors & Products Deltaww
Deltaww dvp-12se
References
Metrics cvssV4_0

{'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Deltaww Dvp-12se
cve-icon MITRE

Status: PUBLISHED

Assigner: Deltaww

Published:

Updated: 2026-06-30T12:50:59.070Z

Reserved: 2026-06-21T10:18:28.804Z

Link: CVE-2026-12819

cve-icon Vulnrichment

Updated: 2026-06-30T12:50:55.607Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-30T12:15:04Z

Weaknesses
  • CWE-306

    Missing Authentication for Critical Function