CVE-2022-3377

HIGH

Horner Automation's Cscape <9.90 SP 6 - Code Injection

Title source: llm

Description

Horner Automation's Cscape version 9.90 SP 6 and prior does not properly validate user-supplied data. If a user opens a maliciously formed FNT file, then an attacker could execute arbitrary code within the current process by accessing an uninitialized pointer, leading to an out-of-bounds memory read.

References (1)

[Patch, Third Party Advisory, US Government Resource] https://www.cisa.gov/uscert/ics/advisories/icsa-22-277-03

Scores

CVSS v3 7.8

EPSS 0.0013

EPSS Percentile 32.8%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

CWE

CWE-824

Status published

Products (2)

hornerautomation/cscape 9.90 (7 CPE variants)

hornerautomation/cscape < 9.90

Published Nov 15, 2022

Tracked Since Feb 18, 2026