CVE-2026-6284
Published: 17 April 2026
Summary
CVE-2026-6284 is a critical-severity Weak Password Requirements (CWE-521) vulnerability in Hornerautomation (inferred from references). Its CVSS base score is 9.3 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Password Guessing (T1110.001); ranked at the 35.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-7 (Unsuccessful Logon Attempts) and IA-5 (Authenticator Management).
Deeper analysis
CVE-2026-6284 is a vulnerability in Programmable Logic Controllers (PLCs) that enables an attacker with network access to brute-force discover passwords, leading to unauthorized access to systems and services. The flaw arises from limited password complexity combined with no password input limiters, facilitating brute-force password enumeration. It is associated with CWE-521 (Weak Password Requirements) and carries a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N).
An unauthenticated attacker with network connectivity to the affected PLC can exploit this vulnerability with low complexity and no user interaction required. Successful brute-forcing allows the attacker to gain unauthorized access, potentially compromising the confidentiality and integrity of PLC systems and services.
CISA ICS Advisory ICSA-26-106-02 provides details on the vulnerability, available at https://www.cisa.gov/news-events/ics-advisories/icsa-26-106-02, with a corresponding CSAF file at https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-106-02.json. Additional information is hosted by Horner Automation at https://hornerautomation.com/cscape-software-free/cscape-software/.
OWASP Top 10 for Web (2025)
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-23442
Vulnerability details
An attacker with network access to the PLC is able to brute force discover passwords to gain unauthorized access to systems and services. The limited password complexity and no password input limiters makes brute force password enumeration possible.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The vulnerability's weak password requirements (CWE-521) and lack of input limiters directly enable online brute-force password guessing to discover credentials and gain unauthorized access.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly prevents brute-force password enumeration by enforcing limits on consecutive unsuccessful logon attempts and automatic account lockouts.
Mandates sufficient password complexity and strength requirements to render brute-force attacks infeasible given the limited complexity in the PLC.
Obscures feedback during authentication to hinder attackers from confirming valid passwords during brute-force attempts on PLC services.