OTPulse

Horner Automation Cscape

Monitor · CVSS 6.6 · ICS-CERT ICSA-18-354-01 · Dec 20, 2018
Attack Vector: Local
Auth Required: None
Complexity: Low
User Interaction: Required
Summary

A vulnerability in Horner Automation Cscape programming software (versions up to 9.80.75.3 SP3) could allow an attacker with local workstation access to crash the software, read confidential information, or execute arbitrary code. Horner confirms that only the Cscape engineering software is affected; OCS field devices programmed with vulnerable Cscape versions continue to operate normally. The vulnerability is not remotely exploitable and requires user interaction such as opening a malicious file.

What this means
What could happen
An attacker with local access to a workstation running Cscape could crash the software, read sensitive files, or execute arbitrary code. However, the OCS devices programmed by Cscape are not compromised—only the engineering workstation is at risk.
Who's at risk
Engineering teams at industrial facilities using Horner Automation Cscape programming software (version 9.80.75.3 SP3 and earlier) are affected. This includes water utilities, electric utilities, manufacturing plants, and other sites that use Horner OCS devices and maintain engineering workstations for device programming and maintenance.
How it could be exploited
An attacker must have local access to a workstation running vulnerable Cscape software (version 9.80.75.3 SP3 or earlier). The attack is triggered through user interaction—likely opening a malicious file or project in Cscape. Once exploited, the attacker gains code execution on the engineering workstation, not the field devices.
Prerequisites
  • Local access to an engineering workstation
  • Vulnerable Cscape version installed (9.80.75.3 SP3 or earlier)
  • User interaction required (opening a file or project)
  • Requires local access to workstation
  • Requires user interaction
  • No publicly known exploits
  • Affects engineering/IT tools, not field devices directly
  • Low EPSS score (0.2%)
Exploitability
Low exploit probability (EPSS 0.2%)
Affected products (1)
Product | Affected Versions | Fix Status
Cscape | ≤ 9.80.75.3 SP3 | 9.80 SP4
Remediation & Mitigation
Do now
HARDENING: Restrict local access to engineering workstations running Cscape to authorized personnel only
HARDENING: Train staff to avoid opening unsolicited files or email attachments that may trigger the vulnerability
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Update Cscape to version 9.80 SP4 or later
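
A triage check for the affected range listed above, as an added example (not part of the advisory or of Horner's tooling). It assumes version strings shaped like `major.minor[.build.rev] [SPn]` and that releases order by major, minor, then service pack; the hostnames and inventory are constructed.

```python
import re

# Fix level from the advisory: 9.80 SP4. Anything at or below
# 9.80 SP3 (build 9.80.75.3) is treated as affected.
FIXED = (9, 80, 4)

# Assumed string shape: "<major>.<minor>[.<build>.<rev>] [SP<n>]".
_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)(?:\.\d+)*(?:\s+SP\s*(\d+))?\s*$", re.I)

def release_key(version):
    """Return (major, minor, service_pack), or None if the string does not parse."""
    m = _VERSION_RE.match(version)
    if not m:
        return None
    major, minor, sp = m.groups()
    return (int(major), int(minor), int(sp or 0))

def classify(version):
    """Return 'affected', 'fixed', or 'review' (unparseable, needs a human)."""
    key = release_key(version)
    if key is None:
        return "review"
    return "fixed" if key >= FIXED else "affected"

def triage(inventory):
    """Map each workstation to a status; inventory is {hostname: version string}."""
    return {host: classify(ver) for host, ver in inventory.items()}

def naive_is_fixed(version, fixed="9.80"):
    """The pitfall: comparing dotted numbers only and ignoring the SP suffix."""
    dotted = lambda s: tuple(int(p) for p in s.split()[0].split("."))
    return dotted(version) >= dotted(fixed)

# Constructed sample inventory (hostnames and versions are illustrative).
SAMPLE = {
    "eng-ws-01": "9.80.75.3 SP3",
    "eng-ws-02": "9.80 SP4",
    "eng-ws-03": "9.70 SP5",
    "eng-ws-04": "9.90",
    "eng-ws-05": "unknown",
}

if __name__ == "__main__":
    for host, status in triage(SAMPLE).items():
        print(f"{host:10} {SAMPLE[host]:15} {status}")
```

The `naive_is_fixed` helper shows why the service-pack suffix has to drive the comparison: on dotted numbers alone, the affected build 9.80.75.3 sorts above "9.80" and would be reported as patched.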
Horner Automation Cscape | CVSS 6.6 - OTPulse