Horner Automation Cscape
Plan Patch · 7.8 · ICS-CERT ICSA-21-035-02 · Feb 4, 2021
Attack Vector: Local
Auth Required: None
Complexity: Low
User Interaction: Required
Summary
A memory corruption vulnerability (CWE-125 out-of-bounds read) in Horner Automation Cscape allows arbitrary code execution when a user opens a malicious project file. All versions prior to 9.90 SP3.5 are vulnerable. The vulnerability requires user action (opening the file) but does not require authentication or network access, making it suitable for social engineering delivery.
What this means
What could happen
An attacker could execute arbitrary code on a workstation running Cscape by providing a malicious project file, potentially gaining full control of the engineering environment and the ability to modify or download control logic for connected PLCs.
Who's at risk
Engineering and control system operators in water treatment, electrical distribution, and manufacturing facilities that use Horner Automation Cscape for PLC programming and project management on Windows workstations.
How it could be exploited
An attacker crafts a malicious Cscape project file that triggers an out-of-bounds memory read/write and socially engineers a user into opening it. When the file is opened, parsing it corrupts memory, allowing code execution in the Cscape process running under the user's privileges.
Prerequisites
- User opens a malicious Cscape project file from an untrusted source
- Cscape version prior to 9.90 SP3.5 is installed and running
- Low complexity attack
- User interaction required (social engineering)
- Affects engineering workstations (high access to control systems)
Exploitability
Low exploit probability (EPSS 0.4%)
Affected products (1)
| Product | Affected Versions | Fix Status |
|---|---|---|
| Cscape: All | < 9.90 SP3.5 | 9.90 SP3.5 |
Remediation & Mitigation
Do now
- WORKAROUND: Only open Cscape project files from trusted, verified sources (internal development team, known vendors)
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
- HOTFIX: Update Cscape to version 9.90 SP3.5 or later
Long-term hardening
- HARDENING: Apply least-privilege principle: engineering users should not have administrator rights on their workstations
- HARDENING: Implement email filtering and user awareness training to reduce the risk of opening unsolicited project files
CVEs (1)