Horner Automation Cscape
Monitor · CVSS 7.8 · ICS-CERT ICSA-25-128-01 · May 8, 2025
Horner Automation
Attack path
- Attack Vector: Local
- Auth Required: None
- Complexity: Low
- User Interaction: Required
Summary
Cscape 10.0 SP1 and earlier contain a buffer over-read vulnerability (CWE-125) that allows an attacker with local access to disclose sensitive information from memory and execute arbitrary code. The vulnerability is triggered through user interaction with a malicious file. Cscape version 10.1 SP1 has been released to address this issue.
What this means
What could happen
An attacker with local access to a Cscape engineering workstation could read sensitive data, inject malicious code into control logic, and execute arbitrary commands on the device. This could allow manipulation of process control parameters or shutdown of industrial operations.
Who's at risk
Organizations running Horner Automation Cscape engineering software are affected. This impacts engineers and operators who use Cscape to design, configure, and maintain control logic for Horner PLCs and industrial controllers used in manufacturing, water treatment, power distribution, and other critical infrastructure.
How it could be exploited
An attacker must have physical or local network access to a Cscape workstation and trick a user into opening a malicious file or interacting with a compromised input (e.g., via email attachment or crafted file transfer). Once the vulnerable code path is triggered, the attacker gains the ability to read memory and execute code with the privileges of the Cscape application.
Prerequisites
- Local or network access to Cscape workstation
- User interaction required (must open or interact with malicious file/input)
- Cscape version 10.0 SP1 or earlier installed
- Local code execution possible
- Information disclosure via memory read
- Low complexity attack
- User interaction required (reduces immediate risk)
- Affects engineering/development systems which can alter production logic
Exploitability
Unlikely to be exploited — EPSS score 0.1%
Affected products (1)
Product | Affected Versions | Fix Status
Cscape: 10.0_(10.0.415.2)_SP1 | 10.0 (10.0.415.2) SP1 | No fix yet
Remediation & Mitigation
Do now
- WORKAROUND: Train users to avoid opening unsolicited attachments or files from untrusted sources on engineering workstations
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
- HOTFIX: Update Cscape to version 10.1 SP1 or later
Long-term hardening
- HARDENING: Restrict network access to Cscape engineering workstations; limit connectivity to authorized engineering networks only
- HARDENING: Implement application whitelisting to prevent execution of unsigned or untrusted files on Cscape workstations
CVEs (1)