CVE-2026-6284

Critical

Published: 17 April 2026

Published

17 April 2026

Modified

20 April 2026

KEV Added

—

Patch

—

CVSS Score 9.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

EPSS Score 0.0001 2.9th percentile

Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-6284 is a critical-severity Weak Password Requirements (CWE-521) vulnerability in Hornerautomation (inferred from references). Its CVSS base score is 9.1 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Password Guessing (T1110.001); ranked at the 2.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-7 (Unsuccessful Logon Attempts) and IA-5 (Authenticator Management).

Threat & Defense at a Glance

What attackers do: exploitation maps to Password Guessing (T1110.001). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

AC-7 Unsuccessful Logon Attempts good match

prevent

Directly prevents brute-force password enumeration by enforcing limits on consecutive unsuccessful logon attempts and automatic account lockouts.

IA-5 Authenticator Management good match

prevent

Mandates sufficient password complexity and strength requirements to render brute-force attacks infeasible given the limited complexity in the PLC.

IA-6 Authentication Feedback partial match

prevent

Obscures feedback during authentication to hinder attackers from confirming valid passwords during brute-force attempts on PLC services.

MITRE ATT&CK Enterprise TechniquesAI

T1110.001 Password Guessing Credential Access

Adversaries with no prior knowledge of legitimate credentials within the system or environment may guess passwords to attempt access to accounts.

attack.mitre.org →

Why these techniques?

The vulnerability's weak password requirements (CWE-521) and lack of input limiters directly enable online brute-force password guessing to discover credentials and gain unauthorized access.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

An attacker with network access to the PLC is able to brute force discover passwords to gain unauthorized access to systems and services. The limited password complexity and no password input limiters makes brute force password enumeration possible.

Deeper analysisAI

CVE-2026-6284 is a vulnerability in Programmable Logic Controllers (PLCs) that enables an attacker with network access to brute-force discover passwords, leading to unauthorized access to systems and services. The flaw arises from limited password complexity combined with no password input limiters, facilitating brute-force password enumeration. It is associated with CWE-521 (Weak Password Requirements) and carries a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N).

An unauthenticated attacker with network connectivity to the affected PLC can exploit this vulnerability with low complexity and no user interaction required. Successful brute-forcing allows the attacker to gain unauthorized access, potentially compromising the confidentiality and integrity of PLC systems and services.

CISA ICS Advisory ICSA-26-106-02 provides details on the vulnerability, available at https://www.cisa.gov/news-events/ics-advisories/icsa-26-106-02, with a corresponding CSAF file at https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-106-02.json. Additional information is hosted by Horner Automation at https://hornerautomation.com/cscape-software-free/cscape-software/.