Delta Electronics COMMGR v1 and v2 uses insufficiently randomized values to generate session IDs (CWE-338). An attacker could easily brute force a session ID and load and execute arbitrary code.
The COMMGR software uses a session ID generation algorithm based on values with insufficient entropy (CWE-338). An attacker remotely, without authentication and without user interaction, can conduct a brute force attack on the space of possible session identifiers and hit an active session. After session hijacking, it is possible to load and execute arbitrary code on the target system.
The attacker gains full control over the system — can execute arbitrary code (RCE), leading to breach of confidentiality, integrity, and availability of resources. The vulnerability is particularly dangerous in industrial environments (ICS/OT), where COMMGR is used to manage automation devices.
Patches available from the manufacturer should be applied in accordance with references — details are contained in the Delta Electronics bulletin PCSA-2025-00005 and the ICS-CERT advisory ICSA-25-105-07 available on the CISA website.
Delta Electronics COMMGR v1 and COMMGR v2
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H