A newly disclosed vulnerability in Delta Electronics’ EIP Builder engineering tool can allow attackers to exfiltrate sensitive files from industrial engineering workstations, and the U.S. Cybersecurity and Infrastructure Security Agency (CISA) is urging immediate patching. The flaw, tracked as CVE-2025-57704, is an XML External Entity (XXE) processing vulnerability that could expose confidential data when a maliciously crafted project file is parsed. CISA published an ICS advisory on September 2, 2025, highlighting the risk to critical manufacturing environments, while Delta released a fixed version, EIP Builder v1.12, on August 26, 2025.

EIP Builder is a configuration tool widely used in industrial automation to set up and manage Ethernet/IP devices. Its deep integration into operational technology (OT) workflows makes it a high-value target. Although the vulnerability requires local access—such as tricking an engineer into opening a malicious XML file—the potential for information disclosure is significant. Once exploited, the bug could leak PLC programs, network credentials, and other intellectual property, paving the way for lateral movement or sabotage.

The Vulnerability: XXE Explained

XML External Entity (XXE) attacks occur when an XML parser processes input that contains references to external files or resources. If the parser is not properly configured to ignore such references, it may fetch local system files or internal network resources, or even be used for server-side request forgery (SSRF). In the case of CVE-2025-57704, EIP Builder’s parser fails to restrict external entity processing, allowing an attacker-supplied XML file to read arbitrary files from the engineering workstation.

The weakness is classified under CWE-611 (Improper Restriction of XML External Entity Reference). It carries a CVSS v3.1 base score of 5.5 (Medium) and a CVSS v4 score of 6.7, with an attack vector of local (AV:L) and user interaction required. Despite the moderate severity rating, the potential impact on industrial operations is high because engineering hosts often possess elevated privileges and store sensitive configuration data.

Technical Breakdown of CVE-2025-57704

According to the NVD entry and Delta’s advisory, EIP Builder versions 1.11 and earlier are vulnerable. The CVSS vector string for v3.1 is AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N, meaning:

  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
  • Confidentiality Impact: High
  • Integrity and Availability: None

An attacker must craft a malicious XML file containing an external entity that points to a sensitive local file, such as a configuration document or password vault. When an engineer opens that file in EIP Builder, the parser resolves the entity and embeds the file’s contents into the output, which the attacker may later exfiltrate. CISA notes that while exploitation is not remote by default, social engineering or multi-stage attacks can easily deliver the malicious payload.

Affected Products and Exposure

Delta Electronics confirms that EIP Builder v1.11 and all prior versions are affected. The product runs on Windows platforms and is deployed globally across industrial sectors, with CISA specifically identifying critical manufacturing as the primary risk area. Engineering workstations that run EIP Builder often have dual-homed connectivity—access to both the IT and OT networks—making them a tempting target.

Typical attack vectors include:
- Phishing emails with XML attachments
- Compromised project files shared via contractors or third parties
- Malicious USB drives inserted into engineering PCs

Because the flaw is triggered by parsing, any method that can place a crafted XML file on the target system is a potential delivery mechanism.

Industry Impact: Critical Manufacturing at Risk

Industrial engineering workstations are the brain of modern factories. They hold the intellectual property (PLC logic, device configurations) and often have direct network paths to controllers and field devices. A successful XXE attack could leak:
- Ethernet/IP device configurations
- Network diagrams and IP addresses
- Credentials stored in project files or ancillary tools
- Proprietary automation code

Disclosure of such data could enable threat actors to map the OT network, steal trade secrets, or prepare for more destructive attacks. CISA’s advisory stresses that even vulnerabilities with local attack vectors can be weaponized as part of coordinated intrusion campaigns.

Vendor Response and Patch Availability

Delta Electronics acted swiftly after the vulnerability was reported by security researcher kimiya, working with Trend Micro’s Zero Day Initiative. On August 26, 2025, the company published its Product Cybersecurity Advisory (Delta-PCSA-2025-00013) and released EIP Builder v1.12 to the public download center. The advisory explicitly instructs users to upgrade to v1.12 or later and provides a direct link to the installation files.

CISA’s coordinating advisory (ICSA-25-245-01) amplifies the vendor’s guidance and includes additional defensive measures, such as network segmentation and risk assessments, to protect industrial environments even before patches are applied.

Mitigation Steps for Operators

For asset owners and operators in critical manufacturing, immediate action is necessary. CISA and Delta recommend the following prioritized checklist:

  • Inventory: Identify every engineering workstation, build server, and shared file store running EIP Builder.
  • Patch: Download and deploy EIP Builder v1.12, following a staged rollout from testing to production.
  • Containment: Restrict internet access and disable removable media on affected systems until patched.
  • File Screening: Implement email filters and attachment scanning to block XML files from untrusted sources.
  • Golden Images: Update all boot images, virtual machines, and disaster recovery copies to the patched version.
  • Monitoring: Enable logging for file accesses by EIP Builder processes and watch for unexpected DNS or HTTP requests.

CISA also advises performing a full risk assessment before making changes to production ICS environments to avoid inadvertent downtime.

Developer Guidance: Hardening XML Parsers

Beyond updating EIP Builder, organizations should review any custom tools that process XML data from engineering workflows. The Open Web Application Security Project (OWASP) provides a detailed XML External Entity Prevention Cheat Sheet, which recommends:

  • Disabling Document Type Definitions (DTDs) entirely in parser configurations
  • Setting external entity resolution to false (e.g., XmlResolver = null in .NET)
  • Preferring JSON or other non-XML data formats where possible
  • Validating and whitelisting allowed entity references if DTDs are mandatory

These secure coding practices can prevent XXE vulnerabilities in other industrial software and reduce the attack surface.
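
The "disable DTDs entirely" recommendation above, and the file-screening step in the operator checklist, can share one gate in front of any custom tool that ingests XML. The following is an added example, not code from Delta, CISA or OWASP: it uses Python's standard expat binding, and the function names, element names and file path are constructed placeholders rather than EIP Builder's real project format.

```python
import xml.parsers.expat as expat

class DTDForbidden(ValueError):
    """The document declares a DOCTYPE and policy forbids DTDs."""

def inspect_xml(data: bytes, forbid_dtd: bool = True) -> dict:
    """Parse without resolving external entities; report what the file declares."""
    report = {"root": None, "doctype": None,
              "external_entities": [], "internal_entities": []}
    parser = expat.ParserCreate()
    # No ExternalEntityRefHandler is installed, so no SYSTEM/PUBLIC id is ever opened.

    def on_doctype(name, system_id, public_id, has_internal_subset):
        report["doctype"] = name
        if forbid_dtd:  # "disable DTDs entirely": stop at the first DOCTYPE
            raise DTDForbidden(f"DOCTYPE {name!r} present; file rejected")

    def on_entity(name, is_param, value, base, system_id, public_id, notation):
        if value is None:  # external entity: no inline value, only an identifier
            report["external_entities"].append({"name": name, "system_id": system_id})
        else:
            report["internal_entities"].append(name)

    def on_start(name, attrs):
        if report["root"] is None:
            report["root"] = name

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    parser.StartElementHandler = on_start
    parser.Parse(data, True)
    return report

# Constructed samples: element names and the path are placeholders.
CLEAN = b'<?xml version="1.0"?><Project><Name>line-3</Name></Project>'
WITH_DTD = b'''<?xml version="1.0"?>
<!DOCTYPE Project [
  <!ENTITY ext SYSTEM "file:///C:/placeholder/constructed.txt">
  <!ENTITY note "internal text">
]>
<Project><Name>&ext;</Name></Project>'''

def verdict(data: bytes) -> str:
    """Gate for a mail filter or pre-open check: 'accept' or 'reject'."""
    try:
        inspect_xml(data)
        return "accept"
    except (DTDForbidden, expat.ExpatError):
        return "reject"

if __name__ == "__main__":
    print(verdict(CLEAN), verdict(WITH_DTD))
    print(inspect_xml(WITH_DTD, forbid_dtd=False))
```

Calling inspect_xml with forbid_dtd=False is the triage mode: it lists the entities a preserved file declares, again without opening any of them.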

Detection and Forensics

Even with a patch in place, organizations should hunt for signs of past exploitation. Look for:
- Unusual file reads from EIP Builder processes targeting sensitive directories (e.g., system configuration folders)
- Outbound DNS or HTTP queries that may indicate entity resolution attempts
- User activity logs showing interaction with suspicious XML files

If an incident is suspected, capture volatile memory, preserve the malicious XML file, and consult with incident response teams. CISA’s advisory stresses that no known exploitation had been reported at the time of publication, but that status can change rapidly.

Timeline for Remediation

A pragmatic schedule for asset owners:
- Within 24–72 hours: Complete inventory and isolate vulnerable systems from external networks.
- Within 7 days: Test EIP Builder v1.12 in a staging environment and validate normal engineering workflows.
- Within 14 days: Roll out the update to all production engineering workstations and update backup images.
- Ongoing: Maintain active monitoring for suspicious behavior and subscribe to vendor security bulletins.

This aggressive timeline aligns with CISA’s recommended best practices for ICS patch management and reflects the risk posed to critical manufacturing.

Conclusion and Takeaways

CVE-2025-57704 is a classic XXE information disclosure bug with a clear fix. Delta Electronics’ prompt release of EIP Builder v1.12, coupled with CISA’s authoritative advisory, gives industrial organizations everything they need to eliminate the risk. However, because engineering workstations are often treated as semi-trusted and patching can lag in operational environments, asset owners must combine the software update with procedural controls.

The broader lesson is that even locally exploitable, medium-severity flaws can have outsized consequences in OT settings. A single malicious XML file can unlock an entire engineering network. By patching now, hardening XML parsers, and embracing defense-in-depth, operators can shut this attack path before it leads to a more serious breach.