OTPulse

Horner Automation Cscape Envision RV

Plan Patch · CVSS 7.8 · ICS-CERT ICSA-23-040-04 · Feb 9, 2023
Attack Vector: Local
Auth Required: None
Complexity: Low
User Interaction: Required
Summary

Cscape Envision RV versions 4.6 and earlier contain out-of-bounds read and write vulnerabilities (CWE-125, CWE-787) in project file handling. Successful exploitation requires local access and user interaction—an attacker must trick an engineer into opening a malicious project file. Exploitation allows arbitrary code execution with application-level privileges on the engineering workstation. Horner Automation has released a fix in version 4.70.

What this means
What could happen
An attacker could execute arbitrary code on a Cscape Envision RV engineering workstation when an engineer opens a malicious project file, potentially modifying control logic or disrupting automation system operations.
Who's at risk
Horner Automation control system integrators and manufacturers who use Cscape Envision RV for programming and configuration of Cscape-based PLCs and automation controllers. This affects organizations in water treatment, power generation, chemical processing, and other industries that deploy Horner automation equipment.
How it could be exploited
An attacker crafts a malicious Cscape Envision RV project file (containing out-of-bounds read/write exploits) and tricks an engineer into opening it on a vulnerable workstation. When opened, the file triggers memory corruption that allows the attacker to execute arbitrary code with the same privileges as the Cscape Envision RV application.
Prerequisites
  • Local access to a machine running Cscape Envision RV (4.6 or earlier)
  • User interaction required—engineer must open the malicious project file
  • Ability to deliver the malicious file to the target workstation (email, USB drive, network share)
  • Local access required (not remotely exploitable)
  • User interaction required (social engineering/malicious file delivery)
  • CWE-125 and CWE-787 memory corruption vulnerabilities
  • Could allow arbitrary code execution on engineering workstation
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (1)
Product | Affected Versions | Fix Status
Cscape Envision RV | 4.6 | 4.70
Remediation & Mitigation
Do now
  • HARDENING: Educate engineers not to open project files from untrusted sources
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
  • HOTFIX: Update Cscape Envision RV to version 4.70 or later
  • HARDENING: Implement file-level access controls on shared project repositories to prevent unauthorized modifications
Long-term hardening
  • HARDENING: Restrict engineering workstations to isolated or air-gapped network segments where possible
Horner Automation Cscape Envision RV | CVSS 7.8 - OTPulse