CISA has published an ICS advisory detailing a high-severity vulnerability in Horner Automation’s Cscape engineering software, widely used in critical manufacturing environments worldwide. The flaw, identified as CVE-2026-12897, affects all Cscape versions prior to 10.2 SP3 and could enable a local attacker to both disclose sensitive information and execute arbitrary code.

Vulnerability Details

The root cause is an out-of-bounds read condition (CWE-125) triggered during the parsing of CSP project files. An attacker who can convince a user to open a specially crafted file would be able to exploit this weakness without requiring elevated privileges on the local system. The attack is not remotely exploitable and requires user interaction, consistent with the CVSS 3.1 vector string assigned to this issue.

Scoring reflects the seriousness of the potential impact. Under CVSS 3.1, the vulnerability carries a base score of 7.8 (HIGH), with high ratings across confidentiality, integrity, and availability. A CVSS 4.0 assessment yields a base score of 8.4 (HIGH).

Affected Products

  • Horner Automation Cscape: all versions prior to 10.2 SP3

Remediation

Horner Automation has released Cscape 10.2 SP3 to address this vulnerability. Users are advised to update immediately. Release notes and the updated software are available through the Horner Automation website. Organizations that cannot immediately patch should follow standard ICS hardening guidance: isolate control system networks behind firewalls, avoid direct internet exposure of engineering workstations, and restrict file exchange to trusted sources.
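The following is an added example, not part of the CISA advisory or any Horner tooling: it triages a software inventory against the fixed release named above (10.2 SP3) so unpatched engineering workstations can be prioritized. The version-string shape (an optional "Cscape" prefix, and a missing service pack treated as SP0), the host names and the inventory rows are constructed assumptions.

```python
import re

# Fixed release named in the advisory: Cscape 10.2 SP3.
FIXED = (10, 2, 3)

# Assumed version-string shape: "[Cscape ]<major>.<minor>[ SP<n>]".
_VERSION_RE = re.compile(
    r"^\s*(?:cscape\s+)?v?(\d+)\.(\d+)(?:\s*SP\s*(\d+))?\s*$", re.IGNORECASE
)

def parse_version(text):
    """Return (major, minor, service_pack), or None if the string is not understood."""
    m = _VERSION_RE.match(text or "")
    if not m:
        return None
    major, minor, sp = m.groups()
    # Assumption: a release with no service pack sorts as SP0.
    return (int(major), int(minor), int(sp) if sp is not None else 0)

def classify(text):
    """'affected' if prior to 10.2 SP3, 'fixed' otherwise, 'review' if unparseable."""
    version = parse_version(text)
    if version is None:
        return "review"  # never assume an unknown build is patched
    # Tuple comparison is numeric; comparing the raw strings would rank
    # "9.90 SP8" above "10.2 SP3" and hide an affected host.
    return "affected" if version < FIXED else "fixed"

def triage(inventory):
    """Group (host, version_string) rows by patch status."""
    result = {"affected": [], "fixed": [], "review": []}
    for host, version in inventory:
        result[classify(version)].append(host)
    return result

# Constructed sample inventory (host names and rows are illustrative).
SAMPLE = [
    ("eng-ws-01", "10.2 SP3"),
    ("eng-ws-02", "Cscape 10.2 SP2"),
    ("eng-ws-03", "9.90 SP8"),
    ("eng-ws-04", "10.2"),
    ("eng-ws-05", "10.2 SP4"),  # hypothetical later service pack
    ("eng-ws-06", "unknown"),
]

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE).items():
        print(f"{status}: {', '.join(hosts) or '-'}")
```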

Additional Context

CISA notes that no known public exploitation of this vulnerability has been reported at this time. The advisory was published on June 25, 2026, based on research reported by Michael Heinzl. As with any change in an ICS environment, defenders are encouraged to perform a thorough risk assessment before deploying mitigations and to report any suspected malicious activity to CISA.