Horner Automation Cscape and XL4, XL7 PLC

Horner Automation Cscape v10.0, XL4 PLC v16.32.0, and XL7 PLC v15.60 contain a critical password brute-force vulnerability (CVE-2026-6284, CVSS 9.1) with no rate limiting. This affects manufacturing environments globally and allows unauthenticated network attackers to compromise PLCs controlling critical infrastructure.

CRITICAL | Advisory | Apr 18, 2026
Action required
Immediately identify and inventory all Horner Cscape and XL4/XL7 PLC instances on your network. Patch Cscape to v10.2 SP2 or later and update PLC firmware to the latest versions. Until patched, restrict network access to these devices and enforce strong passwords.
Affected products
Horner Automation, Cscape, XL4 PLC, XL7 PLC