Cyber Resilience

CVE-2026-6284

Critical

Published: 17 April 2026
Modified: 20 April 2026
KEV Added: not listed
CVSS v4.0 Base Score: 9.3 (Critical) CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score: 0.0045 (35.7th percentile)
Risk Priority: 70 (floored blend, peak EPSS)

Summary

CVE-2026-6284 is a critical-severity Weak Password Requirements (CWE-521) vulnerability in Horner Automation programmable logic controllers (vendor and product inferred from the references and description; NVD has not filed a CPE). Its CVSS v4.0 base score is 9.3 (Critical); the CVSS v3.1 base score is 9.1.

Operationally, exploitation maps to the MITRE ATT&CK technique Password Guessing (T1110.001). EPSS places it at the 35.7th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-7 (Unsuccessful Logon Attempts) and IA-5 (Authenticator Management).

Deeper analysis

CVE-2026-6284 is a vulnerability in Horner Automation programmable logic controllers (PLCs) that lets an attacker with network access to the controller discover passwords by brute force and so gain unauthorized access to systems and services. The flaw arises from limited password complexity combined with the absence of any limit on password attempts, which makes brute-force enumeration of the password space practical. It is classified as CWE-521 (Weak Password Requirements) and carries a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N).

An unauthenticated attacker with network connectivity to the affected PLC can exploit the flaw with low attack complexity and no user interaction. A successful brute-force run yields valid credentials and therefore unauthorized access to the PLC's services, with high impact on confidentiality and integrity (the vector scores availability as not affected). The precondition is network reachability of the controller, so restricting which hosts can reach the PLC removes the attacker's path while the weakness itself remains.

CISA ICS Advisory ICSA-26-106-02 provides details on the vulnerability, available at https://www.cisa.gov/news-events/ics-advisories/icsa-26-106-02, with a corresponding CSAF file at https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-106-02.json. Additional information is hosted by Horner Automation at https://hornerautomation.com/cscape-software-free/cscape-software/.


Vulnerability details

An attacker with network access to the PLC is able to brute-force passwords and gain unauthorized access to systems and services. The limited password complexity and the absence of password input limiters make brute-force password enumeration possible.

CWE(s)

CWE-521 Weak Password Requirements

Related Threats

MITRE ATT&CK Enterprise Techniques

T1110.001 Password Guessing (Credential Access)
Adversaries with no prior knowledge of legitimate credentials within the system or environment may guess passwords to attempt access to accounts.
Why these techniques?

The vulnerability's weak password requirements (CWE-521) and lack of input limiters directly enable online brute-force password guessing to discover credentials and gain unauthorized access.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0
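Detection for this technique, as an added example that is not part of this page or of the ATT&CK entry: a sliding-window detector in Python that raises a burst alert when one source accumulates a threshold of failed logons against one PLC inside a time window, and a second alert when a successful logon from that source follows the burst, which is the signature of a guess that landed. The log line format and the sample lines are constructed for the demonstration; PLCs rarely syslog authentication events in this form, so in practice the events may have to come from a network sensor in front of the controller, and LINE_RE is the part to adapt.

```python
# Added example: sliding-window detection of online password guessing
# (T1110.001) against a PLC. Log format and sample lines are constructed.
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) auth: login (?P<outcome>failed|ok) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)

# Constructed sample: a guessing run from 10.0.5.23 that ends in a successful
# logon, plus two unrelated operator typos from 10.0.5.40 minutes apart.
SAMPLE_LOG = """\
2026-04-20T10:15:00Z plc01 auth: login failed user=admin src=10.0.5.23
2026-04-20T10:15:01Z plc01 auth: login failed user=admin src=10.0.5.23
2026-04-20T10:15:02Z plc01 auth: login failed user=admin src=10.0.5.23
2026-04-20T10:15:03Z plc01 auth: login failed user=admin src=10.0.5.23
2026-04-20T10:15:04Z plc01 auth: login failed user=admin src=10.0.5.23
2026-04-20T10:15:05Z plc01 auth: login failed user=admin src=10.0.5.23
2026-04-20T10:15:06Z plc01 auth: login ok user=admin src=10.0.5.23
2026-04-20T10:15:10Z plc01 auth: login failed user=operator src=10.0.5.40
2026-04-20T10:20:30Z plc01 auth: login failed user=operator src=10.0.5.40
2026-04-20T10:20:31Z plc01 auth: login ok user=operator src=10.0.5.40
"""


def parse_line(line: str):
    """Return a dict for a recognised auth line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    event = m.groupdict()
    event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(
        tzinfo=timezone.utc)
    return event


def detect_password_guessing(lines, threshold=5, window_seconds=60):
    """Emit a 'burst' alert when one source reaches `threshold` failed logons
    against one host inside `window_seconds`, and a 'guess_succeeded' alert
    when a successful logon from that source follows an open burst."""
    recent = defaultdict(deque)   # (src, host) -> timestamps of recent failures
    open_bursts = set()
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        key = (ev["src"], ev["host"])
        window = recent[key]
        # Drop failures that fell out of the window before this event.
        while window and (ev["ts"] - window[0]).total_seconds() > window_seconds:
            window.popleft()
        if not window:
            open_bursts.discard(key)   # quiet long enough: the burst is over
        if ev["outcome"] == "failed":
            window.append(ev["ts"])
            if len(window) >= threshold and key not in open_bursts:
                open_bursts.add(key)
                alerts.append({"type": "burst", "src": ev["src"], "host": ev["host"],
                               "user": ev["user"], "failures": len(window),
                               "at": ev["ts"].isoformat()})
        else:
            if key in open_bursts:
                alerts.append({"type": "guess_succeeded", "src": ev["src"],
                               "host": ev["host"], "user": ev["user"],
                               "at": ev["ts"].isoformat()})
            window.clear()
            open_bursts.discard(key)
    return alerts


if __name__ == "__main__":
    for alert in detect_password_guessing(SAMPLE_LOG.splitlines()):
        print(alert)
```

On the sample the detector raises exactly two alerts, both for 10.0.5.23: the burst at the fifth failure and the successful guess two seconds later; the operator's two typos are more than a window apart and never accumulate. Keying on source and host rather than on user matters for PLCs, which often expose a single shared account, and the "guess_succeeded" alert is the one worth paging on.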

CVEs Like This One

CVE-2025-55252 (shared CWE-521)
CVE-2025-55269 (shared CWE-521)
CVE-2023-37398 (shared CWE-521)
CVE-2023-35907 (shared CWE-521)
CVE-2026-33771 (shared CWE-521)
CVE-2025-63747 (shared CWE-521)
CVE-2026-25715 (shared CWE-521)
CVE-2025-25749 (shared CWE-521)
CVE-2025-25211 (shared CWE-521)
CVE-2025-53963 (shared CWE-521)

Affected Assets

Horner Automation PLCs
Vendor and product inferred from the references and description; NVD did not file a CPE for this CVE.

Mitigating Controls (NIST 800-53 r5)

AC-7 Unsuccessful Logon Attempts (prevent)

Directly prevents brute-force password enumeration by enforcing a limit on consecutive unsuccessful logon attempts with automatic lockout once it is reached.

IA-5 Authenticator Management (prevent)

Mandates sufficient password length and complexity so that the password space is too large to enumerate online, addressing the limited complexity in the PLC.

Obscured authentication feedback (prevent)

Obscures feedback during authentication so that an attacker cannot tell a rejected guess from a locked account and cannot confirm valid passwords during brute-force attempts on PLC services.
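The weakness described under Deeper analysis and the AC-7 and IA-5 controls listed above, side by side as an added example (this is illustrative Python written for this page, not Horner Automation firmware or CISA material). WeakPlcAuth mirrors the vulnerable pattern: a short, digits-only password and no limit on failed attempts, so one pass over the password space always succeeds. check_password_policy applies an IA-5 style complexity rule and LockoutGuard an AC-7 style attempt limiter; while locked it refuses even the correct password and returns the same answer as for a wrong one, so the caller gets no confirming feedback. The 4-digit password, the five-failure threshold, the 12-character minimum and the injected clock are assumptions for the demonstration.

```python
# Added example: a toy PLC password check in vulnerable and hardened form.
# Thresholds, the 4-digit password and the injected clock are assumptions.
import hmac
import itertools
import string
from typing import Callable, Optional

DIGITS = string.digits  # the assumed (weak) password alphabet


class WeakPlcAuth:
    """Vulnerable pattern: every guess is answered, so the attacker only has
    to walk the password space once."""

    def __init__(self, password: str) -> None:
        self._secret = password.encode()
        self.attempts = 0

    def login(self, candidate: str) -> bool:
        self.attempts += 1
        return hmac.compare_digest(candidate.encode(), self._secret)


def check_password_policy(password: str, min_length: int = 12) -> list:
    """IA-5 style policy check: returns the violations, empty if acceptable."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    classes = {
        "lowercase": any(c.islower() for c in password),
        "uppercase": any(c.isupper() for c in password),
        "digit": any(c.isdigit() for c in password),
        "symbol": any(c in string.punctuation for c in password),
    }
    problems.extend(f"no {name} character" for name, ok in classes.items() if not ok)
    return problems


class LockoutGuard:
    """AC-7 style attempt limiter around any credential check. The clock is
    injected (use time.monotonic in production) so the window is testable."""

    def __init__(self, verify: Callable[[str], bool], max_failures: int = 5,
                 lockout_seconds: float = 300.0,
                 clock: Callable[[], float] = lambda: 0.0) -> None:
        self._verify = verify
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self._clock = clock
        self.failures = 0
        self.locked_until: Optional[float] = None
        self.attempts = 0

    def is_locked(self) -> bool:
        if self.locked_until is not None and self._clock() >= self.locked_until:
            self.locked_until = None   # window elapsed: reopen with a clean count
            self.failures = 0
        return self.locked_until is not None

    def login(self, candidate: str) -> bool:
        self.attempts += 1
        # While locked, the right password is refused too, and the caller sees
        # the same False as for a wrong password: no confirming feedback.
        if self.is_locked():
            return False
        if self._verify(candidate):
            self.failures = 0
            return True
        self.failures += 1
        if self.failures >= self.max_failures:
            self.locked_until = self._clock() + self.lockout_seconds
        return False


class HardenedPlcAuth:
    """Rejects weak passwords when set (IA-5) and rate-limits guesses (AC-7)."""

    def __init__(self, password: str, **guard_kwargs) -> None:
        problems = check_password_policy(password)
        if problems:
            raise ValueError("password rejected: " + "; ".join(problems))
        secret = password.encode()
        self._guard = LockoutGuard(
            lambda c: hmac.compare_digest(c.encode(), secret), **guard_kwargs)

    def login(self, candidate: str) -> bool:
        return self._guard.login(candidate)

    def is_locked(self) -> bool:
        return self._guard.is_locked()


def brute_force(login: Callable[[str], bool], alphabet: str, length: int):
    """Online password guessing (T1110.001): try every string of `length`
    over `alphabet`. Returns (password or None, attempts made)."""
    tries = 0
    for chars in itertools.product(alphabet, repeat=length):
        tries += 1
        candidate = "".join(chars)
        if login(candidate):
            return candidate, tries
    return None, tries


if __name__ == "__main__":
    weak = WeakPlcAuth("7391")
    print("weak:", brute_force(weak.login, DIGITS, 4))          # ('7391', 7392)
    guarded = LockoutGuard(lambda c: c == "7391")
    print("lockout only:", brute_force(guarded.login, DIGITS, 4),
          "locked:", guarded.is_locked())                        # (None, 10000) locked: True
    hardened = HardenedPlcAuth("Tr0ub4dor&3x")
    print("hardened:", brute_force(hardened.login, DIGITS, 4))  # (None, 10000)
```

Run it and the weak form gives up the password after 7,392 guesses, while both guarded forms lock after five failures and the full 10,000-guess sweep finds nothing, even when the underlying password is still the weak "7391". Two practical caveats: a lockout on a single shared PLC account can be turned into a denial of service by the same attacker, so pair it with per-source throttling rather than account lockout alone; and an attacker can simply wait out a fixed window, so the window should grow with repeated bursts or require an operator reset.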

References

CISA ICS Advisory ICSA-26-106-02: https://www.cisa.gov/news-events/ics-advisories/icsa-26-106-02
CSAF file for ICSA-26-106-02: https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-106-02.json
Horner Automation Cscape software page: https://hornerautomation.com/cscape-software-free/cscape-software/