Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
6DescriptionCVE.org
An attacker with network access to the PLC is able to brute force discover passwords to gain unauthorized access to systems and services. The limited password complexity and no password input limiters makes brute force password enumeration possible.
AnalysisAI
Brute force password attacks against Horner Automation XL4/XL7 PLCs and Cscape software allow remote unauthenticated attackers to gain unauthorized administrative access via network connections. Weak password policies (limited complexity requirements) combined with absent rate limiting enable systematic credential enumeration. CVSS 9.1 (Critical) reflects network-accessible attack with no authentication required. CISA ICS-CERT advisory confirms vulnerability in operational technology environments where PLCs control industrial processes.
Technical ContextAI
Horner Automation Cscape is an engineering software platform for programming XL-series programmable logic controllers (PLCs) used in industrial automation. The vulnerability stems from CWE-521 (Weak Password Requirements), where authentication mechanisms lack two critical security controls: insufficient password complexity enforcement and missing brute-force mitigation (no account lockout, rate limiting, or CAPTCHA). Affected products per CPE data include Cscape software (cpe:2.3:a:horner_automation:cscape) and XL7/XL4 PLC firmware (cpe:2.3:a:horner_automation:xl7_plc and xl4_plc). The network-accessible nature (AV:N) indicates these authentication endpoints are exposed on TCP/IP interfaces, typical for PLC remote management protocols like Modbus TCP, EtherNet/IP, or proprietary OPC interfaces. In OT environments, PLCs often have predictable IP addresses on flat networks, making them discoverable through industrial protocol scanning tools like PLCScan or Nmap NSE scripts.
RemediationAI
Apply vendor-released updates from Horner Automation's Cscape software download page (https://hornerautomation.com/cscape-software-free/cscape-software/) - specific patched version numbers not confirmed in source data, consult vendor advisory for exact release addressing CVE-2026-6284. After patching, immediately change all PLC passwords to complex credentials (minimum 16 characters, mixed case, numbers, symbols) and disable default accounts. Compensating controls if patching is delayed: (1) Network segmentation - isolate PLCs on dedicated OT VLANs with firewall rules blocking port 80/443/502/44818 from corporate networks, allowing only engineering workstations via ACLs (trade-off: breaks remote monitoring until VPN configured). (2) Deploy industrial protocol firewall or IDS (Claroty, Nozomi, Dragos) to detect brute force patterns like rapid authentication failures or password spraying (trade-off: requires capital investment and OT security expertise). (3) Implement jump host architecture where engineers RDP into hardened bastion before accessing PLC programming interfaces (trade-off: adds operational friction, requires identity management integration). Note: Simply disabling network access is NOT viable for most OT environments requiring HMI connectivity - risk acceptance with monitoring may be necessary until patching window.
More in Brute Force
View allRuggedCom Rugged Operating System (ROS) before 3.3 has a factory account with a password derived from the MAC Address fi
An issue in the password change function of Silverpeas v6.4.2 and lower allows for the bypassing of password complexity
Victure RX1800 EN_V1.0.0_r12_110933 was discovered to utilize a weak default password which includes the last 8 digits o
Critical authentication bypass vulnerability in OpenC3 COSMOS v6.0.0 caused by weak password requirements that enable br
QaTraq 6.9.2 ships with administrative account credentials which are enabled in default installations and permit immedia
I-doit pro 25 and below and I-doit open 25 and below employ weak password requirements for Administrator account creatio
Weak Password Requirements in GitHub repository modoboa/modoboa prior to 2.1.0. Rated critical severity (CVSS 9.8), this
Weak Password Requirements in GitHub repository janeczku/calibre-web prior to 0.6.20. Rated critical severity (CVSS 9.8)
Weak Password Requirements in GitHub repository thorsten/phpmyfaq prior to 3.1.12. Rated critical severity (CVSS 9.8), t
Beijing Zed-3 Technologies Co.,Ltd VoIP simpliclty ASG 8.5.0.17807 (20181130-16:12) has a Weak password vulnerability. R
Weak Password Requirements in GitHub repository thorsten/phpmyfaq prior to 3.1.8. Rated critical severity (CVSS 9.8), th
Weak Password Requirements in GitHub repository ikus060/minarca prior to 4.2.2. Rated critical severity (CVSS 9.8), this
Same weakness CWE-521 – Weak Password Requirements
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-23442
GHSA-r9f4-h79v-5p47