
CVE-2026-6284: Horner Automation Cscape and PLCs Brute Force Vulnerability — Detection and Hardening

Security Arsenal Team
April 19, 2026
5 min read

A critical vulnerability (CVE-2026-6284) has been identified in Horner Automation's Cscape engineering software and XL4/XL7 Programmable Logic Controllers (PLCs). With a CVSS v3 score of 9.1, this flaw represents a severe risk to the Critical Manufacturing sector. The issue stems from weak password requirements combined with the complete absence of a password input limiter: nothing slows down or locks out repeated failed logins. Consequently, an attacker who can reach the PLC over the network can brute force credentials and gain unauthorized access. In Operational Technology (OT), where availability and integrity are paramount, unauthorized access to a controller can lead to production stoppages, equipment damage, or safety hazards. Defenders must act immediately to identify affected assets, restrict which hosts can reach them, and enforce strict network segmentation.

Technical Analysis

Affected Products:

  • Cscape: v10.0 (Engineering workstation software)
  • XL7 PLC: v15.60
  • XL4 PLC: v16.32.0

Vulnerability Details:

  • CVE ID: CVE-2026-6284
  • CVSS Score: 9.1 (Critical)
  • Attack Vector: Network (requires reachability to the PLC's authentication interface)
  • Impact: Unauthorized Access, Loss of Confidentiality/Integrity

Mechanism of Exploitation: The vulnerability is fundamentally an authentication weakness. The PLC firmware and the associated Cscape software do not enforce password complexity, and, more critically, the controller has no account lockout or rate limiting on login attempts. An attacker positioned on the control network can therefore run an unlimited, high-speed brute-force attack against the PLC's authentication interface; the only things slowing them down are the entropy of the configured password and how quickly the controller answers each attempt. Once valid credentials are obtained, the attacker has the same control over controller logic and configuration as a legitimate engineer.

Exploitation Status: While active exploitation in the wild has not been explicitly confirmed in the advisory at this time, the low barrier to exploitation (no specialized tools required beyond standard network scripting) and the high value of PLC targets make this a high-priority target for commodity ICS malware and targeted threat groups alike.

Detection & Response

Detecting brute-force attacks on PLCs requires visibility into network traffic, because traditional endpoint detection (EDR) is rarely installed on the controller itself. The rules below approach the problem from two directions: the host-based network rules (Sysmon and Defender) catch high-frequency connection attempts launched from a monitored Windows machine, such as a compromised engineering workstation, while the software-inventory rules find workstations still running the vulnerable Cscape version. Attempts from a rogue or unmanaged device on the ICS VLAN will not appear in Windows telemetry at all; for those you need a network sensor (NIDS or flow logs) on the control network feeding the same threshold logic.

Sigma Rules

YAML
---
title: Potential ICS Brute Force Attack - High Frequency Network Connections
id: 8a9b1c2d-3e4f-5a6b-7c8d-9e0f1a2b3c4d
status: experimental
description: Detects potential brute force activity against ICS devices, characterised by a high volume of connection attempts from a single source to a single destination host within one minute. Matches the CVE-2026-6284 behaviour against Horner PLCs (no lockout or rate limiting on the authentication interface). Only fires for connections initiated from a Sysmon-monitored Windows host, e.g. a compromised engineering workstation.
references:
  - https://www.cisa.gov/news-events/ics-advisories/icsa-26-106-02
author: Security Arsenal
date: 2026-01-15
tags:
  - attack.credential_access
  - attack.t1110.001
  - cve.2026.6284
logsource:
  category: network_connection
  product: windows
detection:
  selection:
    Initiated: 'true'
  timeframe: 1m
  condition: selection | count() by SourceIp, DestinationIp > 100
falsepositives:
  - SCADA/HMI polling from a Windows host (rarely exceeds 100 new connections per minute to one controller; raise the threshold if your baseline does)
  - Network scanning and asset discovery tools
level: high
---
title: Vulnerable Cscape Engineering Software Execution
id: 9c0d1e2f-3a4b-5c6d-7e8f-9a0b1c2d3e4f
status: experimental
description: Identifies execution of the Cscape 10.0 engineering software, the version affected by CVE-2026-6284, so that engineering workstations still running it can be inventoried and updated. This is an inventory signal, not an indicator of compromise.
references:
  - https://www.cisa.gov/news-events/ics-advisories/icsa-26-106-02
author: Security Arsenal
date: 2026-01-15
tags:
  - cve.2026.6284
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|endswith: '\Cscape.exe'
    Product|contains: 'Cscape'
  selection_version:
    FileVersion|startswith: '10.0'
  condition: selection and selection_version
falsepositives:
  - Legitimate engineering workstation usage (requires inventory management)
level: medium

KQL (Microsoft Sentinel / Defender)

This query hunts for anomalies in connection volume indicative of brute forcing against devices on the OT network. DeviceNetworkEvents only records connections initiated by Defender-onboarded endpoints, so it covers the compromised-workstation case, not a rogue device on the control network. The threshold is per remote host and port per hour and must be tuned against your own polling baseline: a poller that opens a new TCP connection per request will exceed it.

KQL — Microsoft Sentinel / Defender
let TimeFrame = 1h;
let ConnectionThreshold = 200; // per RemoteIP:RemotePort per hour; tune against your own SCADA polling baseline
DeviceNetworkEvents
| where Timestamp > ago(TimeFrame)
| where ActionType in ("ConnectionSuccess", "ConnectionFailed", "ConnectionRequest")
| where InitiatingProcessFileName !in~ ("svchost.exe", "services.exe") // Exclude common system noise
// | where ipv4_is_in_range(RemoteIP, "<ICS VLAN CIDR>") // optional: scope to your controller subnets
| summarize TotalConnections = count(),
            FirstSeen = min(Timestamp),
            LastSeen = max(Timestamp),
            Processes = make_set(InitiatingProcessFileName, 10)
    by DeviceName, RemoteIP, RemotePort
| where TotalConnections > ConnectionThreshold
| project FirstSeen, LastSeen, DeviceName, RemoteIP, RemotePort, TotalConnections, Processes
| order by TotalConnections desc

Velociraptor VQL

This artifact hunts for the presence of the vulnerable Cscape version on engineering workstations.

VQL — Velociraptor
-- Hunt for vulnerable Cscape v10.0 installations under either Program Files directory.
-- glob() does not expose a version column, so the PE version resource is parsed explicitly.
SELECT OSPath, Mtime, Size,
       parse_pe(file=OSPath).VersionInformation.FileVersion AS FileVersion
FROM glob(globs="C:/Program Files*/Horner Electric/Cscape/Cscape.exe")
WHERE FileVersion =~ "^10[.]0"

Audit Script (PowerShell)

This script audits an Engineering Workstation for the vulnerable Cscape version (v10.0) associated with CVE-2026-6284 and returns a non-zero exit code when one is found, so it can be run at scale through an endpoint management tool. It relies on the FileVersionRaw property, available in PowerShell 5.1 and later.

PowerShell
<#
    .SYNOPSIS
    Audit an engineering workstation for the Horner Automation Cscape version affected by CVE-2026-6284.
    .DESCRIPTION
    Checks the default 32-bit and 64-bit install paths for Cscape.exe and flags a 10.0.x file version.
    Exit code 1 = vulnerable version found, 0 = none found, so the script can drive an inventory job.
#>

$CscapePaths = @(
    "${env:ProgramFiles(x86)}\Horner Electric\Cscape\Cscape.exe",
    "$env:ProgramFiles\Horner Electric\Cscape\Cscape.exe"
)

$VulnerableMajor = 10
$VulnerableMinor = 0
$FoundVuln = $false
$FoundAny  = $false

foreach ($Path in $CscapePaths) {
    if (-not (Test-Path -LiteralPath $Path)) { continue }
    $FoundAny = $true
    $VersionInfo = (Get-Item -LiteralPath $Path).VersionInfo
    # FileVersionRaw is the parsed [version]; FileVersion is free text and may carry build suffixes.
    $Version = $VersionInfo.FileVersionRaw

    Write-Host "[+] Found Cscape at: $Path"
    Write-Host "    File version: $($VersionInfo.FileVersion) (parsed: $Version)"

    if ($Version.Major -eq $VulnerableMajor -and $Version.Minor -eq $VulnerableMinor) {
        Write-Host "[!] ALERT: Vulnerable Cscape $($Version.Major).$($Version.Minor).x detected (CVE-2026-6284)." -ForegroundColor Red
        $FoundVuln = $true
    }
}

if (-not $FoundAny) {
    Write-Host "[-] Cscape.exe not found in the default install locations; check non-default paths before marking this host clean."
} elseif (-not $FoundVuln) {
    Write-Host "[+] No vulnerable Cscape v10.0 installations found on this host."
}

if ($FoundVuln) { exit 1 } else { exit 0 }

Remediation

To mitigate CVE-2026-6284, Security Arsenal recommends the following immediate actions:

  1. Apply Vendor Updates: Monitor the Horner Automation website and CISA advisory for firmware updates that introduce account lockout policies and enforce complexity requirements. Update affected PLCs (XL4 v16.32.0, XL7 v15.60) and Cscape software (v10.0) immediately upon patch release.

  2. Network Segmentation (Critical): If patching is delayed, strictly isolate PLCs behind a firewall, and use a Unidirectional Gateway (Data Diode) for monitoring paths that only need to read from the control network. A diode cannot carry engineering traffic, so programming access must instead go through an allowlisted path: ensure that the PLC is only reachable from dedicated Engineering Workstations on a dedicated ICS VLAN, and block all inbound access to the PLCs from the corporate IT network and the internet.

  3. Enforce Strong Passwords: Manually update credentials on all affected PLCs to complex passphrases (16+ characters) immediately to increase the entropy and time required to brute force, even in the absence of rate limiting.

  4. Monitor for Brute Force: Deploy the detection rules above on your network intrusion detection system (NIDS) or Security Information Event Management (SIEM) to alert on high-frequency authentication attempts to PLC IP addresses.
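
Remediation items 2 and 4 above, together with the count-per-minute logic of the first Sigma rule, as an added worked example (not code from the page or from Horner Automation): the script below runs both checks offline over Zeek conn.log records from a sensor on the ICS VLAN, flagging any source that opens more than 100 connections to one PLC port inside a sliding 60-second window, and any connection to a PLC from a host outside the engineering-workstation/HMI allowlist. Zeek as the sensor, the IP addresses, the allowlist CIDRs, the PLC port and the log records are all constructed for illustration; substitute your own asset inventory.

```python
"""Offline check of two controls from the remediation list against Zeek conn.log records.

Item 4: brute-force style bursts toward a PLC, mirroring the Sigma rule's
"more than 100 connections from one source in one minute" logic.
Item 2: any connection to a PLC from a host outside the EWS/HMI allowlist,
i.e. a segmentation failure.

Added example, not code from the page or from Horner Automation. Zeek is
assumed as the sensor on the ICS VLAN; every IP, CIDR, port and log record
below is constructed for illustration.
"""
import ipaddress
from collections import defaultdict, deque

# ---- constructed environment (placeholders, not documented Horner values) ----
PLC = "10.20.0.10"
PLC_PORT = 18245          # placeholder: use the port your PLCs expose to Cscape
HMI = "10.20.0.5"         # legitimate SCADA/HMI poller
EWS = "10.20.0.50"        # dedicated engineering workstation
ATTACKER = "10.20.0.66"   # host on the ICS VLAN that should never log in to the PLC
CORP_HOST = "10.0.5.23"   # corporate IT host that the firewall should have blocked

PLC_ALLOWLIST = [ipaddress.ip_network(n) for n in ("10.20.0.5/32", "10.20.0.50/32")]
THRESHOLD, WINDOW = 100, 60.0  # same numbers as the Sigma rule: count > 100 in 1m


def build_sample_log():
    """Constructed Zeek conn.log (TSV): HMI polling at 30 conn/min, one EWS
    session, one stray corporate connection, and a 150-attempt brute force."""
    base = 1776600000.0
    lines = ["#fields\tts\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tconn_state"]

    def row(ts, src, sport, state):
        return f"{ts:.6f}\t{src}\t{sport}\t{PLC}\t{PLC_PORT}\ttcp\t{state}"

    for i in range(300):                                  # one poll every 2 s for 10 min
        lines.append(row(base + 2 * i, HMI, 40000 + i, "SF"))
    lines.append(row(base + 30, EWS, 51000, "SF"))        # legitimate engineering access
    lines.append(row(base + 45, CORP_HOST, 52000, "SF"))  # segmentation violation
    for i in range(150):                                  # 150 connections in 60 s
        lines.append(row(base + 120 + 0.4 * i, ATTACKER, 50000 + i, "RSTO"))
    return "\n".join(lines)


def parse_conn_log(text):
    """Yield one dict per data line of a Zeek conn.log, keyed by the #fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#"):
            yield dict(zip(fields, line.split("\t")))


def detect_bursts(records, threshold=THRESHOLD, window=WINDOW):
    """Return {(src, dst, dport): (count, first_ts, last_ts)} for every source that
    opened more than `threshold` connections to one PLC port within any
    `window`-second span. A sliding window is used so a burst that straddles a
    minute boundary cannot split into two sub-threshold counts."""
    recent, alerts = defaultdict(deque), {}
    for r in sorted(records, key=lambda rec: float(rec["ts"])):
        key = (r["id.orig_h"], r["id.resp_h"], int(r["id.resp_p"]))
        ts = float(r["ts"])
        q = recent[key]
        q.append(ts)
        while ts - q[0] > window:          # drop attempts older than the window
            q.popleft()
        if len(q) > threshold and key not in alerts:
            alerts[key] = (len(q), q[0], ts)
    return alerts


def segmentation_violations(records, plc_hosts, allowlist):
    """Return sorted (src, dst) pairs where a host outside `allowlist` reached a PLC."""
    hits = set()
    for r in records:
        if r["id.resp_h"] in plc_hosts:
            src = ipaddress.ip_address(r["id.orig_h"])
            if not any(src in net for net in allowlist):
                hits.add((r["id.orig_h"], r["id.resp_h"]))
    return sorted(hits)


if __name__ == "__main__":
    records = list(parse_conn_log(build_sample_log()))
    for (src, dst, port), (n, t0, t1) in detect_bursts(records).items():
        print(f"[BRUTE FORCE] {src} -> {dst}:{port}: {n} connections in {t1 - t0:.0f}s")
    for src, dst in segmentation_violations(records, {PLC}, PLC_ALLOWLIST):
        print(f"[SEGMENTATION] {src} reached PLC {dst} but is not an allowlisted EWS/HMI")
```

To run it against real data, replace build_sample_log() with the contents of a conn.log and the placeholder addresses with your PLC and workstation inventory. The sliding window is the important design choice: a fixed per-minute bucket lets a burst that straddles a minute boundary split into two counts below the threshold, which is exactly the gap a timestamp-keyed deque closes. Because the segmentation check keys on destination only, it also catches the case the Sigma rule cannot: a single, slow, successful login from a host that should never have had a route to the controller.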
