CVE-2026-6284
Received Received - Intake
Brute Force Password Vulnerability in PLC Enables Unauthorized Access

Publication date: 2026-04-17

Last updated on: 2026-04-20

Assigner: ICS-CERT

Description
An attacker with network access to the PLC is able to brute force discover passwords to gain unauthorized access to systems and services. The limited password complexity and no password input limiters makes brute force password enumeration possible.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-17
Last Modified
2026-04-20
Generated
2026-06-16
AI Q&A
2026-04-17
EPSS Evaluated
2026-06-15
NVD
CVE-2026-6284
EUVD
EUVD-2026-23442
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
horner_automation cscape 10.2_sp2
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-521 The product does not require that users should have strong passwords.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability allows an attacker who has network access to a Programmable Logic Controller (PLC) to perform brute force attacks to discover passwords.

Because the system enforces limited password complexity and does not have any password input limiters, it is possible for attackers to repeatedly try different passwords until they find the correct one.

This leads to unauthorized access to systems and services controlled by the PLC.

Impact Analysis

The vulnerability can lead to unauthorized access to critical systems and services managed by the PLC.

Since the attacker can gain access without needing prior privileges or user interaction, this can compromise the confidentiality and integrity of the system.

Such unauthorized access could allow attackers to manipulate system operations or steal sensitive information.

Compliance Impact

This vulnerability allows an attacker with network access to brute force discover passwords due to limited password complexity and lack of input limiters, leading to unauthorized access to systems and services.

Such unauthorized access can result in exposure or compromise of sensitive data, which may violate requirements under common standards and regulations like GDPR and HIPAA that mandate strong access controls and protection of personal or health information.

Therefore, this vulnerability negatively impacts compliance by undermining the security controls necessary to protect sensitive data and prevent unauthorized access.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-6284. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart