One high-severity vulnerability and three critical-severity vulnerabilities have been found in a brand of programmable logic controller (PLC) that is widely used in Asian industrial settings. Taiwan's Delta Electronics produces the DVP-12SE11T, a low-cost PLC that is well-liked in a number of delicate Asian industries, including food and beverage processing and water treatment. When researchers from OPSWAT's Unit 515 decided to investigate it in August 2025, they found four significant vulnerabilities, three of which scored higher than a 9 out of 10 on the Common Vulnerability Scoring System (CVSS).

Delta Electronics released a firmware patch for all four vulnerabilities to its clients shortly before the 2026 New Year.

However, not all organizations will be able or willing to patch the problems anytime soon because PLCs are by their very nature buried deep within operational networks, some of which are made to run continuously. One might assume that PLCs are at the top of any OT practitioner's list of machines to secure given how close they are and how much control they have over crucial and even safety-critical industrial processes. In fact, Nguyen advises vendors to apply Delta's patch "as soon as reasonably possible"; the term "possible" varies greatly based on the type of industrial site in question.

However, the question of whether PLC vulnerabilities are actually that significant in the first place is more frequently debated in OT security circles than PLC vulnerabilities themselves.

According to Andrew Ginter, vice president of industrial security at Waterfall Security Solutions, "the consequences of sabotage can be severe because PLCs directly control the physical process." "On the other hand, they are meant to be deep within defensive architecture, making them difficult to reach, and not by accident." The term "defense in depth" is frequently used by cybersecurity professionals, but PLCs are actually protected to a non-trivial extent by their depth.