Delta AS320T controls can be fully compromised by attackers

CVE advisory

Severity: CRITICAL (CVSS 9.8)

CVE-2026-1951

The Delta Electronics AS320T has a security flaw that allows an internal attacker to disrupt system operations or take control of the device by sending invalid requests. This could lead to a loss of control over critical industrial processes and halt production workflows.

Halo Surface Signal: 2

Affected: Deltaww As320t Firmware before 1.12

External exposure likelihood

This device is an industrial control component typically deployed within isolated Operational Technology networks. It is designed for internal process control and is not intended for public internet exposure. Access to the device is generally restricted to internal management stations, placing it behind layers of network security controls.

Horizon Alert

Summary of the vulnerability and why it matters

This critical vulnerability in Delta Electronics AS320T allows an attacker to potentially take complete control of the device. The issue stems from a failure to properly check the length of directory names, which could enable malicious code execution.

  • Compromise of critical industrial systems.
  • Unauthorized access to sensitive operational data.
  • Disruption of industrial processes.

Attack Path

How an attacker could exploit the issue

An unauthenticated attacker could exploit this flaw by sending a specially crafted request to the vulnerable Delta AS320T device. This request, targeting the directory name handling, could overwrite critical memory regions, leading to code execution. The attacker would then have the same privileges as the running application.

  • No authentication required.
  • Network-accessible vulnerability.
  • Successful exploitation leads to code execution.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability in Delta AS320T devices, a buffer overflow due to a lack of directory name length checking, has a critical CVSS score and could allow for significant compromise. While its industrial control nature typically limits direct internet exposure, attackers might target it if they gain access to the internal network or if the device is inadvertently exposed.

  • Not listed as KEV.
  • No public exploit observed.
  • Published recently, but no exploitation signals.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

Because this is a critical, unauthenticated remote code execution vulnerability, prioritize isolating any affected AS320T devices that are accessible from the internet or untrusted networks. If isolation is not immediately feasible, implement strict network segmentation to prevent lateral movement and monitor for anomalous traffic patterns targeting these devices.

  • Block network access to AS320T devices from the internet and untrusted networks.
  • Monitor for suspicious network activity.
  • Update firmware to version 1.12 or later.

Frequently asked questions

What is the Delta Electronics AS320T and what is it used for?

The Delta Electronics AS320T is a component used in industrial control systems. These systems are vital for managing and automating industrial processes, often found in manufacturing or operational technology environments. Its primary function is to facilitate the control and monitoring of these processes.

What kind of vulnerability does CVE-2026-1951 represent?

CVE-2026-1951 is a buffer overflow vulnerability. This weakness occurs when a program attempts to store data in a buffer but the data is too large, causing it to spill over into adjacent memory. In this case, the AS320T fails to properly check the length of directory names, creating an opening for this type of overflow.
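
The missing check described in this answer, sketched in C as an added example; it is not Delta's firmware code and does not come from the advisory. The 32-byte buffer, the function names and the length-tagged name field are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DIR_NAME_MAX 32 /* assumed buffer size, not a value from the firmware */

/* Unsafe pattern (CWE-120), shown for contrast and never called here:
 * field_len comes from the request and is not compared with the size of
 * dst, so a long directory name is written past the end of the buffer. */
void copy_dir_name_unchecked(char *dst, const uint8_t *field, size_t field_len)
{
    memcpy(dst, field, field_len);
    dst[field_len] = '\0';
}

/* Hardened form: reject (do not truncate) any name that does not fit with
 * its terminator, and any name with an embedded NUL byte.
 * Returns 0 on success, -1 when the request must be refused. */
int copy_dir_name_checked(char *dst, size_t dst_size,
                          const uint8_t *field, size_t field_len)
{
    if (dst == NULL || field == NULL || dst_size == 0)
        return -1;
    if (field_len == 0 || field_len >= dst_size)
        return -1;
    if (memchr(field, '\0', field_len) != NULL)
        return -1;
    memcpy(dst, field, field_len);
    dst[field_len] = '\0';
    return 0;
}

/* Constructed input: a directory name of n 'A' bytes, n up to 64. */
int try_name_of_length(size_t n)
{
    char buf[DIR_NAME_MAX];
    uint8_t name[64];
    if (n > sizeof name)
        return -1;
    memset(name, 'A', sizeof name);
    return copy_dir_name_checked(buf, sizeof buf, name, n);
}

int main(void)
{
    printf("31 bytes -> %d, 32 bytes -> %d\n",
           try_name_of_length(31), try_name_of_length(32));
    return 0;
}
```

Rejecting an oversized name outright, instead of truncating it, keeps the stored name identical to what the request asked for and gives monitoring a clear refusal event to log.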

How could an attacker exploit the CVE-2026-1951 vulnerability?

An attacker could exploit this vulnerability by sending a specially crafted request to the AS320T device. This request would target how the device handles directory names. If the device doesn't correctly check the size of the provided directory name, it could lead to a buffer overflow, potentially allowing the attacker to execute code.

Who is most at risk from this CVE-2026-1951 threat?

Organizations using Delta AS320T devices are at risk, particularly if these devices are accessible from external networks or the internet. While typically internal to industrial networks, any exposure increases the threat surface. The Halo Surface Signal indicates this is an external-facing threat if not properly secured within an internal network.

What is the first step to address CVE-2026-1951 on Delta AS320T?

The immediate first step is to isolate any AS320T devices that are accessible from the internet or untrusted networks. If complete isolation isn't possible, focus on strict network segmentation to limit potential attacker movement and closely monitor network traffic for any unusual activity directed at these devices.
