Security Experts:

Connect with us

Hi, what are you looking for?



Several Horner PLC Software Vulnerabilities Allow Code Execution via Malicious Font Files

A cybersecurity researcher has discovered a total of seven high-severity remote code execution vulnerabilities in Horner Automation’s Cscape product and they can all be exploited using malicious font files.

A cybersecurity researcher has discovered a total of seven high-severity remote code execution vulnerabilities in Horner Automation’s Cscape product and they can all be exploited using malicious font files.

Horner Automation is a US-based company that provides solutions for industrial process and building automation. Its Cscape programmable logic controller (PLC) software provides ladder diagram programming and operator interface development capabilities. According to the US Cybersecurity and Infrastructure Security Agency (CISA), Cscape is used worldwide, including in the critical manufacturing sector.

Researcher Michael Heinzl has discovered seven vulnerabilities in Cscape: four in 2021 and three in 2022. The first round of vulnerabilities was disclosed in May 2022, and CISA and the researcher published advisories for the second round of vulnerabilities in early October. According to CISA, the vendor has released updates that should patch all of these security holes.

2022 ICS Cyber Security Conference

Heinzl described the vulnerabilities as heap-based buffer overflow, out-of-bounds read/write, and uninitialized pointer issues related to improper validation of user-supplied data when the application parses fonts.

An attacker can exploit the flaws to execute arbitrary code in the context of the current process by getting a user to open a specially crafted font file. The researcher told SecurityWeek that the application does include specific features for dealing with fonts. This can increase an attacker’s chances of getting a user to open the malicious files using social engineering techniques.

Opening a malicious font file can result in the attacker’s code getting executed with the privileges of the user who launched the application.

These are not the only industrial control system (ICS) vulnerabilities identified by Heinzl. In the past two years, the researcher disclosed flaws found in industrial products made by Elcomplus, the CX-Programmer PLC programming software from Omron, Fuji Electric’s Tellus factory monitoring and operating product, Delta Electronics’ DIAEnergie industrial energy management system, and the myPRO HMI/SCADA product of mySCADA.

Related: Russia-Linked Pipedream/Incontroller ICS Malware Designed to Target Energy Facilities

Related: ICS Patch Tuesday: Siemens, Schneider Fix Several Critical Vulnerabilities

Related: Critical Vulnerabilities Found in Sealevel Device Used in ICS Environment

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Expert Insights

Related Content

CISO Strategy

Cybersecurity-related risk is a top concern, so boards need to know they have the proper oversight in place. Even as first-timers, successful CISOs make...

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

Mobile & Wireless

Apple’s iOS 12.5.7 update patches CVE-2022-42856, an actively exploited vulnerability, in old iPhones and iPads.


Security researchers have observed an uptick in attacks targeting CVE-2021-35394, an RCE vulnerability in Realtek Jungle SDK.

Mobile & Wireless

Two vulnerabilities in Samsung’s Galaxy Store that could be exploited to install applications or execute JavaScript code by launching a web page.


Several vulnerabilities have been patched in OpenText’s enterprise content management (ECM) product.