CVE-2026-3630: Critical Buffer Overflow in Delta Electronics COMMGR2 Enables Remote Code Execution
Delta Electronics' COMMGR2 component contains a critical buffer overflow vulnerability (CVE-2026-3630) with a CVSS score of 9.8 that allows unauthenticated remote code execution. The vulnerability affects industrial automation environments, and Delta has released a patch that fixes it.

2026-3-19 05:46:46 Author: securityboulevard.com

  • CVSS v3.1 base score of 9.8 (Critical) with vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, according to the CNA
  • Delta Electronics COMMGR2 contains an out-of-bounds write vulnerability (CWE-787) enabling unauthenticated remote code execution
  • NVD lists the vulnerability as analyzed; vendor advisory Delta-PCSA-2026-00005 is available addressing multiple COMMGR2 vulnerabilities
  • No evidence of active exploitation in the wild; specific affected versions and patches detailed in vendor advisory

CVE-2026-3630 is a critical out-of-bounds write vulnerability in Delta Electronics COMMGR2, an industrial communication and engineering support component. NVD lists CWE-787 (Out-of-bounds Write), sourced from the CNA. The vulnerability enables remote attackers to execute arbitrary code without authentication or user interaction.

The CVSS v3.1 vector of AV:N/AC:L/PR:N/UI:N indicates a network-accessible flaw with low attack complexity that requires no privileges or user interaction, which earns it a Critical 9.8 rating. Successful attacks could lead to full compromise of confidentiality, integrity, and availability on affected systems.

In response, Delta Electronics has released a Product Cybersecurity Advisory (Delta-PCSA-2026-00005) addressing this vulnerability alongside CVE-2026-3631, indicating joint disclosure of multiple COMMGR2 security issues.

The vulnerability affects Delta Electronics COMMGR2 software, which is commonly deployed in industrial automation environments, including manufacturing, building automation, energy, and logistics sectors. In particular, COMMGR2 typically runs on engineering workstations and servers that support Delta’s industrial control systems and automation equipment.

Organizations using Delta automation products should consult the vendor's Product Cybersecurity Advisory Delta-PCSA-2026-00005 for specific affected version ranges and patch information. Because this vulnerability is network-accessible, systems where COMMGR2 is reachable over the network face the highest risk.

Industrial environments where COMMGR2 is installed on operator or engineering workstations may face particular risk, as successful exploitation could potentially enable attackers to pivot into operational technology (OT) networks or manipulate industrial control configurations.

Contact us at Praetorian to learn how our offensive security team can help you assess your exposure to CVE-2026-3630 and other emerging threats.

The information presented reflects our best understanding as of the publication date based on publicly available advisories, NVD data, and vendor disclosures. Details may evolve as new information becomes available. We will update this post if material changes occur. Praetorian makes no guarantees regarding the completeness or accuracy of third-party disclosures referenced herein.

The post CVE-2026-3630: Critical Buffer Overflow in Delta Electronics COMMGR2 Enables Remote Code Execution appeared first on Praetorian.

*** This is a Security Bloggers Network syndicated blog from Offensive Security Blog: Latest Trends in Hacking | Praetorian authored by n8n-publisher. Read the original post at: https://www.praetorian.com/blog/cve-2026-3630/


Article source: https://securityboulevard.com/2026/03/cve-2026-3630-critical-buffer-overflow-in-delta-electronics-commgr2-enables-remote-code-execution/