CRITICAL🇵🇱 Wersja polska

CVE-2025-3495

CVSS 9.8v3.1pub. 2025-04-16upd. 2026-04-15

Delta Electronics COMMGR v1 and v2 uses insufficiently randomized values to generate session IDs (CWE-338). An attacker could easily brute force a session ID and load and execute arbitrary code.

🤖 AI Analysis
How it works

The COMMGR software uses a session ID generation algorithm based on values with insufficient entropy (CWE-338). An attacker remotely, without authentication and without user interaction, can conduct a brute force attack on the space of possible session identifiers and hit an active session. After session hijacking, it is possible to load and execute arbitrary code on the target system.

Impact

The attacker gains full control over the system — can execute arbitrary code (RCE), leading to breach of confidentiality, integrity, and availability of resources. The vulnerability is particularly dangerous in industrial environments (ICS/OT), where COMMGR is used to manage automation devices.

Mitigation & patch

Patches available from the manufacturer should be applied in accordance with references — details are contained in the Delta Electronics bulletin PCSA-2025-00005 and the ICS-CERT advisory ICSA-25-105-07 available on the CISA website.

Who is affected

Delta Electronics COMMGR v1 and COMMGR v2

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
RCE
CWE
References