CVE-2026-12818: DVP-12SE Exposure of Sensitive Information Vulnerability
Delta Electronics DVP-12SE PLCs are susceptible to allocation of resources without limits or throttling (CWE-770) within their Modbus TCP service.
Metrics
- CVSS v4.0: 9.3
- Severity: CRITICAL
- Fixed in: —
- Affected Products: 1
HarborGuard Analysis
Synopsis
An unbounded resource allocation vulnerability (CWE-770) affects the Modbus TCP service in Delta Electronics DVP-12SE PLCs. The flaw is reachable over the network with no authentication required, making it exploitable by any host that can reach the device. Successful exploitation allows an attacker to exhaust device resources, corrupt in-flight data, and crash the Modbus TCP service entirely. HarborGuard is tracking this advisory and will make a patched-image rebuild available the moment an upstream fix is published.
HarborGuard Coverage
- Available: Detection for CVE-2026-12818 is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against all customer images, including custom-built images that bundle DVP-12SE firmware or Modbus TCP client tooling.
- Available: Triage is available using the CVSS v4.0 score of 9.3 (Critical), weighted against each customer organization's compliance policy to determine urgency and routed to the appropriate team inbox within that environment.
- Pending upstream: No fix version has been published by Delta Electronics. HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment upstream publishes a remediated release.
Exploit Conditions
- Network reachability: Required
  The attacker must reach the DVP-12SE Modbus TCP service over the network; any host with IP connectivity to the device can attempt the attack.
- Authentication: Not required
  No credentials or account are needed; the Modbus TCP service accepts unauthenticated connections by design.
- Victim interaction: Not required
  No user or operator action is required; the attacker interacts directly with the exposed service.
- Attack complexity: Detail
  Exploitation is reliable and condition-free; no race conditions, special memory layouts, or environmental prerequisites are required.
Blast Radius
- Exhausts memory or connection-table resources on the PLC, rendering the Modbus TCP service unresponsive to legitimate control traffic.
- Crashes the affected DVP-12SE service, disrupting any industrial process or equipment relying on the PLC for real-time control.
- Corrupts or drops in-flight Modbus register reads and writes, causing incorrect values to be committed to connected systems.
- Combines confidentiality, integrity, and availability impact against the vulnerable component, so a successful attack can result in full loss of sensor data, writable coil state, and device uptime.
How HarborGuard Handles This
Available on HarborGuard: because no fix version exists for CVE-2026-12818, the platform continuously monitors the Delta Electronics advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment upstream ships a remediated firmware or software release. In the interim, customers can apply compensating controls surfaced through HarborGuard policy: network-policy isolation to restrict which hosts can initiate Modbus TCP sessions to DVP-12SE devices, egress filtering to prevent unauthorized lateral reach to PLC subnets, and feature-flag gating on any application component that enables Modbus TCP connectivity. For customers with auto-remediation enabled, a rebuild and regression run will be triggered and a PR opened against affected workloads as soon as a fix version is published upstream.
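One way to audit the network-policy isolation control described above, as an added example (not HarborGuard or Delta Electronics code): it scans flow records for hosts outside an allowlist initiating Modbus TCP sessions to a PLC subnet, and for any source opening sessions faster than a threshold. The subnet, allowlist, threshold, flow-record format and sample records are assumptions constructed for illustration; TCP port 502 is the standard Modbus TCP port.

```python
import ipaddress
from collections import Counter

MODBUS_TCP_PORT = 502  # standard Modbus TCP port

# Assumptions (not from the advisory): PLC subnet, approved initiators, threshold.
PLC_SUBNET = ipaddress.ip_network("10.20.30.0/24")
ALLOWED_INITIATORS = {ipaddress.ip_address("10.20.1.10"),  # hypothetical SCADA master
                      ipaddress.ip_address("10.20.1.11")}  # hypothetical historian
MAX_NEW_SESSIONS_PER_MINUTE = 20

# Constructed sample: one record per new TCP connection,
# formatted as "epoch_seconds src_ip dst_ip dst_port".
SAMPLE_FLOWS = "\n".join([
    "1700000000 10.20.1.10 10.20.30.5 502",   # approved initiator
    "1700000005 10.20.40.77 10.20.30.5 502",  # not on the allowlist
    "1700000009 10.20.40.77 10.20.30.5 443",  # not Modbus TCP, ignored
    "garbage line",                           # malformed, skipped
] + [f"{1700000040 + i // 2} 10.20.1.11 10.20.30.6 502" for i in range(25)])


def parse_flows(text):
    """Yield (minute, src, dst, port) per well-formed record; skip malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            ts, port = int(parts[0]), int(parts[3])
            src = ipaddress.ip_address(parts[1])
            dst = ipaddress.ip_address(parts[2])
        except ValueError:
            continue
        yield ts // 60, src, dst, port


def audit(text):
    """Return (unauthorized initiators, sources over the per-minute session threshold)."""
    unauthorized, per_minute = set(), Counter()
    for minute, src, dst, port in parse_flows(text):
        if port != MODBUS_TCP_PORT or dst not in PLC_SUBNET:
            continue
        if src not in ALLOWED_INITIATORS:
            unauthorized.add(str(src))
        per_minute[(str(src), minute)] += 1
    floods = {src for (src, _), n in per_minute.items()
              if n > MAX_NEW_SESSIONS_PER_MINUTE}
    return sorted(unauthorized), sorted(floods)
```

On the constructed sample, the rate check flags an allowlisted host, which shows why an allowlist alone does not cover a resource-exhaustion flaw.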
- deltaww / DVP-12SE*
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N