CISA Warns of Out-of-Bounds Read Flaw in Horner Automation Cscape HMI Software
CISA published an advisory for CVE-2026-12897, a high-severity out-of-bounds read vulnerability in Horner Automation Cscape versions prior to 10.2 SP3 that could allow local attackers to execute arbitrary code.
CISA has issued an industrial control systems advisory (ICSA-26-176-03) warning of a high-severity vulnerability in Horner Automation's Cscape engineering software, used to program and configure human-machine interfaces (HMIs) and programmable logic controllers (PLCs) in critical manufacturing environments worldwide. The flaw, tracked as CVE-2026-12897, is an out-of-bounds read vulnerability that arises when Cscape parses specially crafted CSP files.
Successful exploitation of the vulnerability could allow a local attacker to disclose sensitive information and execute arbitrary code on the affected system. The issue carries a CVSS v3.1 base score of 7.8 (HIGH) and a CVSS v4.0 score of 8.4 (HIGH). According to CISA, the vulnerability is not exploitable remotely, and no known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.
The affected product is Horner Automation Cscape versions prior to 10.2 SP3. The software is deployed globally across the Critical Manufacturing sector, with the vendor headquartered in the United States. The vulnerability was reported to CISA by researcher Michael Heinzl.
Horner Automation has released Cscape 10.2 SP3 to remediate the issue. Users are strongly encouraged to download and apply the update from the vendor's official website. The release notes for version 10.2 SP3 are available on the Horner Automation website.
CISA recommends that organizations minimize network exposure for all control system devices and systems, ensuring they are not accessible from the internet. Control system networks should be located behind firewalls and isolated from business networks. When remote access is required, more secure methods such as VPNs should be used, recognizing that VPNs may have vulnerabilities and should be updated to the most current version available.
This advisory adds to a growing list of vulnerabilities disclosed in industrial control system software, highlighting the ongoing need for robust patch management and network segmentation in operational technology environments. While the flaw requires local access to exploit, the potential for arbitrary code execution in critical manufacturing settings underscores the importance of applying the vendor's fix promptly.