A cybersecurity researcher has discovered a total of seven high-severity remote code execution vulnerabilities in Horner Automation’s Cscape product and they can all be exploited using malicious font files.
Horner Automation is a US-based company that provides solutions for industrial process and building automation. Its Cscape programmable logic controller (PLC) software provides ladder diagram programming and operator interface development capabilities. According to the US Cybersecurity and Infrastructure Security Agency (CISA), Cscape is used worldwide, including in the critical manufacturing sector.
Researcher Michael Heinzl has discovered seven vulnerabilities in Cscape: four in 2021 and three in 2022. The first round of vulnerabilities was disclosed in May 2022, and CISA and the researcher published advisories for the second round of vulnerabilities in early October. According to CISA, the vendor has released updates that should patch all of these security holes.
Heinzl described the vulnerabilities as heap-based buffer overflow, out-of-bounds read/write, and uninitialized pointer issues related to improper validation of user-supplied data when the application parses fonts.
An attacker can exploit the flaws to execute arbitrary code in the context of the current process by getting a user to open a specially crafted font file. The researcher told SecurityWeek that the application does include specific features for dealing with fonts. This can increase an attacker’s chances of getting a user to open the malicious files using social engineering techniques.
Opening a malicious font file can result in the attacker’s code getting executed with the privileges of the user who launched the application.
These are not the only industrial control system (ICS) vulnerabilities identified by Heinzl. In the past two years, the researcher disclosed flaws found in industrial products made by Elcomplus, the CX-Programmer PLC programming software from Omron, Fuji Electric’s Tellus factory monitoring and operating product, Delta Electronics’ DIAEnergie industrial energy management system, and the myPRO HMI/SCADA product of mySCADA.
Related: Russia-Linked Pipedream/Incontroller ICS Malware Designed to Target Energy Facilities
Related: ICS Patch Tuesday: Siemens, Schneider Fix Several Critical Vulnerabilities
Related: Critical Vulnerabilities Found in Sealevel Device Used in ICS Environment
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
More from Eduard Kovacs
- New Russia-Linked CosmicEnergy ICS Malware Could Disrupt Electric Grids
- Drop in Insider Breaches Drives Decline in Intrusions at OT Organizations
- Zero-Day Vulnerability Exploited to Hack Barracuda Email Security Gateway Appliances
- OAuth Vulnerabilities in Widely Used Expo Framework Allowed Account Takeovers
- New Honeywell OT Cybersecurity Solution Helps Identify Vulnerabilities, Threats
- Rheinmetall Says Military Business Not Impacted by Ransomware Attack
- Dish Ransomware Attack Impacted Nearly 300,000 People
- Samsung Smartphone Users Warned of Actively Exploited Vulnerability
Latest News
- Memcyco Raises $10 Million in Seed Funding to Prevent Website Impersonation
- New Russia-Linked CosmicEnergy ICS Malware Could Disrupt Electric Grids
- Security Pros: Before You Do Anything, Understand Your Threat Landscape
- Major Massachusetts Health Insurer Hit by Ransomware Attack, Member Data May Be Compromised
- Apria Healthcare Notifying 2 Million People of Years-Old Data Breaches
- European Cybersecurity Firm Sekoia.io Raises $37.5 Million
- Today’s Cyber Defense Challenges: Complexity and a False Sense of Security
- Drop in Insider Breaches Drives Decline in Intrusions at OT Organizations


