External risk intelligence

Delta AS320T systems can be taken over remotely due to web service flaws.

CVE advisory

Severity: CRITICAL (CVSS 9.8)

CVE-2026-1949

Critical flaws in Delta AS320T web services allow attackers to take over devices over the network, impacting industrial control systems.

Halo Surface Signal: 2

Deltaww As320t Firmware before 1.16

External exposure likelihood

Halo Surface Signal score for CVE-2026-1949

The vulnerable web interface is hosted on an industrial automation controller. While it is network-reachable within a local network, such devices are typically deployed behind internal network controls and are not intended to be exposed to the public internet in standard configurations.

Horizon Alert

Summary of the vulnerability and why it matters

A buffer size calculation error in the web service of the Delta Electronics AS320T can be exploited remotely. This issue allows for the potential compromise of the device's integrity and availability.

  • Can impact industrial control systems.
  • Requires no user interaction.
  • Network-accessible vulnerability.

Attack Path

How an attacker could exploit the issue

An attacker can exploit this by sending specially crafted GET or PUT requests to the AS320T's web service. This could lead to a stack buffer overflow, potentially allowing for arbitrary code execution or denial of service on the device.

  • Network access required.
  • Vulnerable web service handler.
  • Unauthenticated requests are sufficient.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability exists in an industrial automation controller's web service, which is usually isolated within a local network. Attackers are less likely to target this specific vulnerability unless they have already compromised the internal network.

  • Exploitation requires network access.
  • No public exploit details observed.
  • Recency signal is weak.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

Given the critical severity and network accessibility of this vulnerability, prioritize isolating affected Delta Electronics AS320T devices immediately if they are exposed. Investigate logs for any signs of unauthorized access or exploitation attempts related to the web service's GET/PUT request handler.

  • Isolate affected AS320T devices.
  • Monitor network traffic for suspicious requests.
  • Apply firmware update 1.16 or later when available.
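
One way to run the log review described above, as an added example that is not part of the advisory or any Delta tooling: it flags GET/PUT requests to inventoried controllers that come from outside an allowed subnet or carry an unusually long or non-printable request target. The log format, addresses, paths and length ceiling are all assumptions, since the advisory does not describe what a crafted request looks like.

```python
import ipaddress
import re

# Assumptions, not from the advisory: the controller inventory, the engineering
# subnet allowed to reach it, and a length ceiling taken from a site baseline.
CONTROLLERS = {ipaddress.ip_address("10.20.9.40")}
ALLOWED_SOURCES = [ipaddress.ip_network("10.20.5.0/24")]
MAX_TARGET_LEN = 256

# Constructed sensor format: <time> <src> <dst> <method> <request-target>
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) ([A-Z]+) (\S*)$")

# Constructed sample records; addresses and paths are placeholders.
SAMPLE = [
    "2026-01-12T08:14:02Z 10.20.5.17 10.20.9.40 GET /constructed/page",
    "2026-01-12T08:15:40Z 10.20.7.88 10.20.9.40 PUT /constructed/page",
    "2026-01-12T08:15:41Z 10.20.5.17 10.20.9.40 GET /" + "A" * 900,
    "2026-01-12T08:16:00Z 10.20.7.88 10.20.3.12 GET /constructed/page",
]

def review(line):
    """Return the reasons a logged request deserves analyst attention."""
    m = LINE_RE.match(line.strip())
    if not m:
        return ["unparseable"]
    _, src, dst, method, target = m.groups()
    try:
        src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    except ValueError:
        return ["unparseable"]
    # Only GET/PUT to a known controller is in scope for this advisory.
    if dst_ip not in CONTROLLERS or method not in ("GET", "PUT"):
        return []
    reasons = []
    if not any(src_ip in net for net in ALLOWED_SOURCES):
        reasons.append("source outside engineering subnet")
    if len(target) > MAX_TARGET_LEN:
        reasons.append(f"request target {len(target)} bytes exceeds {MAX_TARGET_LEN}")
    if re.search(r"[^\x21-\x7e]", target):
        reasons.append("non-printable bytes in request target")
    return reasons

def triage(lines):
    """Map line index to reasons for every record that needs review."""
    return {i: r for i, line in enumerate(lines) if (r := review(line))}

if __name__ == "__main__":
    for idx, why in triage(SAMPLE).items():
        print(idx, "; ".join(why))
```

A hit is a prompt for review rather than proof of exploitation; tune the ceiling against traffic recorded from the site's own engineering workstations.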

Frequently asked questions

What is the Delta Electronics AS320T and its function?

The Delta Electronics AS320T is an industrial automation controller designed to manage and control industrial processes and machinery within manufacturing and operational settings. It plays a crucial role in overseeing automated industrial activities.

What is CVE-2026-1949 and how does it impact the AS320T?

CVE-2026-1949 is a stack buffer overflow vulnerability. It arises from an error in calculating buffer size within the AS320T's web service, potentially allowing an attacker to affect the device's operation.

How can an attacker exploit the AS320T vulnerability?

An attacker can exploit this by sending specially crafted GET or PUT requests to the AS320T's web service. This could lead to a stack buffer overflow, potentially allowing for arbitrary code execution or denial of service on the device, and requires network access.

What is the relevance of CVE-2026-1949 according to Halo Surface Signal?

Halo classifies this CVE as unlikely to be exploited due to its placement on an industrial automation controller typically behind internal network controls, rather than being exposed to the public internet.

What actions should be taken to address the AS320T vulnerability?

Prioritize isolating affected Delta Electronics AS320T devices if exposed, and investigate logs for suspicious activity related to the web service. Monitoring network traffic for unusual requests is also advised, and applying firmware updates is a necessary remediation step.
