CVE-2021-22678

7.8 HIGH

📋 TL;DR

CVE-2021-22678 is a memory corruption vulnerability in Cscape software that allows attackers to execute arbitrary code by tricking users into opening malicious project files. This affects all Cscape versions prior to 9.90 SP4, putting industrial control system operators at risk.

💻 Affected Systems

Products:
  • Cscape
Versions: All versions prior to 9.90 SP4
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Affects engineering workstations using Cscape for industrial control system programming.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise with attacker gaining full control of the engineering workstation, potentially enabling lateral movement to industrial control systems.

🟠 Likely Case

Local privilege escalation or remote code execution when users open specially crafted project files, leading to data theft or system manipulation.

🟢 If Mitigated

Limited impact with proper network segmentation and user awareness preventing malicious file execution.

🌐 Internet-Facing: LOW - Cscape is typically not exposed to the internet directly.
🏢 Internal Only: HIGH - Attackers with internal access can exploit via social engineering or network shares.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires user interaction to open malicious project file. No public exploit code available.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Cscape 9.90 SP4 and later

Vendor Advisory: https://us-cert.cisa.gov/ics/advisories/icsa-21-112-01

Restart Required: Yes

Instructions:

1. Download Cscape 9.90 SP4 or later from the official Eaton website.
2. Back up existing projects.
3. Install the update.
4. Restart the system.
5. Verify the version in Help > About.

🔧 Temporary Workarounds

Restrict project file execution (Windows)

Implement application whitelisting to prevent execution of unauthorized Cscape project files.

Using Windows AppLocker or similar: create a rule for the Cscape executable that allows only signed versions.

User awareness training (all platforms)

Train users to only open project files from trusted sources and verify file integrity.

🧯 If You Can't Patch

  • Implement network segmentation to isolate Cscape workstations from untrusted networks.
  • Use least privilege principles - run Cscape with limited user accounts, not administrator.

🔍 How to Verify

Check if Vulnerable:

Open Cscape, go to Help > About. If version is below 9.90 SP4, system is vulnerable.

Check Version:

In Cscape: Help > About menu option

Verify Fix Applied:

After update, check Help > About shows version 9.90 SP4 or higher.

📡 Detection & Monitoring

Log Indicators:

  • Windows Event Logs: Application crashes from Cscape.exe
  • Unexpected process creation from Cscape context

Network Indicators:

  • Unusual outbound connections from Cscape workstations
  • File transfers to/from engineering workstations

SIEM Query:

source="windows" AND process="Cscape.exe" AND (event_id=1000 OR event_id=1001)
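
The same check can be run locally on an engineering workstation. The script below is an added example, not part of the original advisory or any vendor tooling. It assumes English-language event messages and a 30-day look-back window, and the parameter names are illustrative.

```powershell
# Added example: list Cscape.exe crash events (Application log, event IDs 1000 and 1001),
# mirroring the SIEM query above. Parameter names and defaults are assumptions.
param(
    [int]$Days = 30,                     # look-back window (assumed default)
    [string]$ImageName = 'Cscape.exe'    # process name as used in the SIEM query
)

$filter = @{
    LogName   = 'Application'
    Id        = 1000, 1001
    StartTime = (Get-Date).AddDays(-$Days)
}

# Get-WinEvent writes an error when nothing matches; suppress it and treat as "no events".
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match [regex]::Escape($ImageName) }

$report = foreach ($e in $events) {
    # Event 1000 messages carry the faulting module and exception code as text
    # (English message layout assumed; other locales leave these fields empty).
    $module = if ($e.Message -match 'Faulting module name:\s*([^,\r\n]+)') { $Matches[1] } else { $null }
    $code   = if ($e.Message -match 'Exception code:\s*(0x[0-9a-fA-F]+)') { $Matches[1] } else { $null }

    [pscustomobject]@{
        TimeCreated     = $e.TimeCreated
        Id              = $e.Id
        Provider        = $e.ProviderName
        FaultModule     = $module
        ExceptionCode   = $code
        # 0xc0000005 is STATUS_ACCESS_VIOLATION, the usual crash signature of memory corruption.
        AccessViolation = ($code -eq '0xc0000005')
    }
}

if ($report) {
    $report | Sort-Object TimeCreated | Format-Table -AutoSize
} else {
    Write-Output "No $ImageName crash events in the last $Days days."
}
```

Crashes that cluster around the time a project file arrived by e-mail or network share are the ones worth correlating with the process-creation and network indicators listed above.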
