Horner Automation Cscape
Plan Patch | 8.4 | ICS-CERT ICSA-21-112-01 | Apr 22, 2021
Attack Vector: Local
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
Cscape versions prior to 9.90 SP4 contain input validation (CWE-20) and privilege escalation (CWE-284) vulnerabilities that allow local code execution and privilege escalation. Successful exploitation gives an attacker the ability to execute code in the context of the current process or escalate to higher privileges on the workstation. These vulnerabilities are not remotely exploitable and require local access. No public exploits currently exist.
What this means
What could happen
An attacker with local access to a machine running Cscape could execute code or escalate privileges to gain control of the engineering workstation, potentially allowing them to modify PLC programs or steal configuration data.
Who's at risk
Water authorities, utilities, and municipalities using Horner Automation Cscape for engineering, programming, and configuration of PLCs and RTUs. This affects engineering workstations and the personnel who develop and modify PLC logic.
How it could be exploited
An attacker needs local access to the Cscape workstation (either via physical access or lateral movement from a compromised network machine). Once local, they can exploit input validation weaknesses (CWE-20) or privilege escalation issues (CWE-284) to run arbitrary code with elevated rights on the engineering system.
Prerequisites
- Local access to the Cscape workstation
- Cscape version prior to 9.90 SP4 installed
- No requirement for valid credentials or user interaction
- Local access required (reduces remote risk but increases insider/physical threat risk)
- No authentication required
- Low complexity
- Affects engineering workstation (gateway to PLC modifications)
- Patch available but requires maintenance window
Exploitability
Low exploit probability (EPSS 0.4%)
Affected products (1)
Product | Affected Versions | Fix Status
Cscape: All | < 9.90 SP4 | 9.90 SP4
Remediation & Mitigation
Do now
- HARDENING: Restrict physical and logical access to Cscape engineering workstations to authorized personnel only
- WORKAROUND: Only load Cscape project files from trusted, verified sources; implement change control for all project deployments
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
- HOTFIX: Update Cscape to version 9.90 SP4 or later
- HARDENING: Enforce least-privilege user accounts on workstations running Cscape; disable unnecessary local admin access
Long-term hardening
- HARDENING: Isolate Cscape engineering workstations from general corporate network; use air-gapped or restricted network segments
CVEs (2)