Horner Automation Cscape
Plan: Patch · CVSS 7.8 · ICS-CERT ICSA-21-224-02 · Aug 12, 2021
Attack Vector: Local
Auth Required: None
Complexity: Low
User Interaction: Required
Summary
Horner Automation Cscape versions prior to 9.90 SP5 contain multiple memory corruption vulnerabilities: buffer overflows and out-of-bounds reads and writes, classified as CWE-787 (Out-of-bounds Write), CWE-824 (Access of Uninitialized Pointer), and CWE-125 (Out-of-bounds Read). Exploitation requires a user to open a malicious project file in Cscape; a successful attack results in code execution within the Cscape process. The vulnerabilities are not remotely exploitable and no public exploits are known.
What this means
What could happen
An attacker with local access to an engineering workstation running Cscape could execute arbitrary code within the application, potentially allowing manipulation of control logic, process parameters, or project files before deployment to PLCs or other field devices.
Who's at risk
Engineering and automation teams using Horner Automation Cscape for programming and configuring Horner PLCs and industrial controllers. Any organization that develops or maintains Horner-based automation projects is affected, including water utilities, electric utilities, and manufacturing facilities.
How it could be exploited
An attacker must trick a Cscape user into opening a malicious project file from an untrusted source. When Cscape parses the file, the memory corruption bugs (buffer overflow, out-of-bounds read/write) are triggered and can yield code execution in the Cscape process context. Code running in that context could then alter control logic or configuration in the project before it is downloaded to a PLC.
Prerequisites
- A way to deliver a crafted project file to the engineering workstation where Cscape is installed (for example an email attachment, removable media, or a shared project folder)
- Cscape version earlier than 9.90 SP5
- User interaction required: victim must open a malicious project file
- Local, file-based attack vector
- Requires user interaction (file open)
- Low complexity to exploit once the file is opened
- Memory corruption vulnerabilities (buffer overflow, out-of-bounds access)
Exploitability
Low exploit probability (EPSS 0.4%)
Affected products (1)
Product                 Affected Versions   Fix Status
Cscape (all editions)   < 9.90 SP5          Fixed in 9.90 SP5
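The affected/fixed boundary above is a version string with a service-pack suffix, which string comparison gets wrong ("9.90 SP10" sorts before "9.90 SP5" as text). The following is an added example, not code from the advisory or from Horner: it parses Cscape version strings into comparable tuples and triages a constructed workstation inventory against the 9.90 SP5 fix. The hostnames and versions are made up, and the assumption that the minor number is always written with two digits (so "9.90" compares as 90) is mine, not the page's.

```python
import re
from typing import Dict, List, Tuple

# Fixed release named in the advisory: Cscape 9.90 SP5 (everything earlier is affected).
FIXED_VERSION = "9.90 SP5"

# Accepts Horner-style strings such as "9.80", "9.90", "9.90 SP5", "9.90sp10".
# The service-pack suffix is optional; a release with no suffix is treated as SP0.
# Assumption (not stated in the advisory): the minor number is always written with
# two digits, so "9.90" is compared as (9, 90, sp). A string like "9.9" would parse
# as (9, 9, sp) and sort below 9.80; normalise such inputs before calling.
_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)(?:\s*SP\s*(\d+))?\s*$", re.IGNORECASE)


def parse_cscape_version(text: str) -> Tuple[int, int, int]:
    """Return (major, minor, service_pack) so versions compare as tuples, not strings."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised Cscape version string: {text!r}")
    major, minor, sp = m.groups()
    return int(major), int(minor), int(sp or 0)


def is_vulnerable(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed build predates the fixed release."""
    return parse_cscape_version(installed) < parse_cscape_version(fixed)


# Constructed sample inventory (hostname, version as reported by the workstation).
# These hosts and versions are made up for the example.
SAMPLE_INVENTORY: List[Tuple[str, str]] = [
    ("eng-ws-01", "9.90 SP4"),
    ("eng-ws-02", "9.90 SP5"),
    ("eng-ws-03", "9.80"),
    ("eng-ws-04", "9.90 sp10"),   # numeric SP compare: 10 > 5, so this is patched
    ("eng-ws-05", "9.90"),        # no suffix: SP0, older than SP5
    ("eng-ws-06", "not installed"),
]


def triage(inventory: List[Tuple[str, str]]) -> Dict[str, str]:
    """Classify each host as VULNERABLE, PATCHED or UNKNOWN (unparseable version)."""
    result: Dict[str, str] = {}
    for host, version in inventory:
        try:
            result[host] = "VULNERABLE" if is_vulnerable(version) else "PATCHED"
        except ValueError:
            # Never let an unparseable string pass as safe; surface it for manual review.
            result[host] = "UNKNOWN"
    return result


def vulnerable_hosts(inventory: List[Tuple[str, str]]) -> List[str]:
    """Sorted list of hosts that still need the 9.90 SP5 update."""
    return sorted(h for h, status in triage(inventory).items() if status == "VULNERABLE")


if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host:10s} {status}")
```

In practice the inventory comes from each workstation's installed-programs data (for example the Uninstall keys in the Windows registry); the exact version format the Cscape installer writes there is not stated on this page, so check a known-good host first and adjust the regex if it differs.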
Remediation & Mitigation
Do now
WORKAROUND: Only open Cscape project files from trusted, verified sources, and establish a review process for any externally supplied project file before it is opened in Cscape.
Schedule — requires maintenance window
Updating Cscape changes only the engineering workstation, not the controllers it programs, but the installer may require a workstation reboot; schedule the update when no commissioning or online edits are in progress.
HOTFIX: Update Cscape to version 9.90 SP5 or later.
Long-term hardening
HARDENING: Restrict file access on engineering workstations to limit the ability to drop untrusted files, and use application whitelisting on Cscape workstations.
HARDENING: Educate engineering and operations staff on social engineering risks and the dangers of opening unsolicited attachments or files from unknown sources.
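The "Do now" workaround above asks for a review gate on externally supplied project files. One concrete form of that gate, as an added example that is neither the advisory's nor Horner's code: an intake check that refuses to release a file to engineers unless its SHA-256 matches a digest confirmed out of band (by phone or a separate channel) with whoever sent it. The assumption that Cscape project files carry the .csp extension is mine; the file names, contents and approved list are constructed for the demo.

```python
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, Tuple

# Assumption (not from the advisory): Cscape project files carry the .csp extension.
# Extend this set if your site exchanges other Cscape file types.
APPROVED_EXTENSIONS = {".csp"}


def sha256_of(path: Path) -> str:
    """Hash the file in chunks so large project files need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def check_incoming_project(path: Path, approved: Dict[str, str]) -> Tuple[bool, str]:
    """Return (allowed, reason).

    `approved` maps SHA-256 hex digests to the party that vouched for them out of band.
    Anything not on the list is rejected: the engineer must get the digest confirmed
    through a second channel before the file is ever opened in Cscape.
    """
    if not path.is_file():
        return False, "missing or not a regular file"
    if path.suffix.lower() not in APPROVED_EXTENSIONS:
        # A double extension such as .csp.exe ends up here because suffix is ".exe".
        return False, f"unexpected extension {path.suffix!r}"
    digest = sha256_of(path)
    source = approved.get(digest)
    if source is None:
        return False, f"sha256 {digest[:16]}... not on the approved list; quarantine for review"
    return True, f"sha256 matches file vouched for by {source}"


def demo() -> Dict[str, Tuple[bool, str]]:
    """Constructed scenario: three files land in the intake folder; only one digest
    was confirmed out of band. Returns the decision for each file name."""
    with tempfile.TemporaryDirectory() as d:
        inbox = Path(d)
        good = inbox / "pumpstation_v12.csp"
        good.write_bytes(b"constructed project content A")
        unknown = inbox / "pumpstation_v13.csp"
        unknown.write_bytes(b"constructed project content B")
        wrong_type = inbox / "pumpstation_v12.csp.exe"
        wrong_type.write_bytes(b"constructed content C")

        approved = {sha256_of(good): "integrator (digest confirmed by phone)"}
        return {p.name: check_incoming_project(p, approved) for p in (good, unknown, wrong_type)}


if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print(f"{'ALLOW' if ok else 'REJECT':6s} {name}: {why}")
```

The point of the digest check is that it moves trust from the file's apparent origin (sender address, file name) to something the attacker who crafted the file cannot influence without also controlling the confirmation channel. Pair it with the hardening items above so that a file which bypasses the gate still cannot launch anything other than Cscape itself.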