Summary
Successful exploitation of this vulnerability could allow a low privileged remote attacker to manipulate register values, which would result in too much or too little odorant being injected into a gas line.
The following versions of GPL Odorizers GPL750 are affected:
- GPL750 (XL4) >=v1.0|
- GPL750 (XL4 Prime) >=v4.0|
- GPL750 (XL7) >=v13.0|
- GPL750 (XL7 Prime) >=v18.4|
| CVSS | Vendor | Equipment | Vulnerabilities |
|---|---|---|---|
| v3 8.6 | GPL Odorizers | GPL Odorizers GPL750 | Missing Authentication for Critical Function |
Background
- Critical Infrastructure Sectors: Critical Manufacturing
- Countries/Areas Deployed: Worldwide
- Company Headquarters Location: United States
Vulnerabilities
CVE-2026-4436
A low-privileged remote attacker can send Modbus packets to manipulate register values that are inputs to the odorant injection logic such that too much or too little odorant is injected into a gas line.
Affected Products
GPL Odorizers GPL750
GPL Odorizers
GPL Odorizers GPL750 (XL4): >=v1.0|<v6.0, GPL Odorizers GPL750 (XL4 Prime): >=v4.0|<v6.0, GPL Odorizers GPL750 (XL7): >=v13.0|<v20.0, GPL Odorizers GPL750 (XL7 Prime): >=v18.4|<v20.0
known_affected
Remediations
Mitigation
GPL Odorizers recommends users update to the latest software version of the GPL750 in connection with the latest firmware from Horner Automation for the XL4, XL4 Prime, XL7, and XL7 Prime devices.https://lincenergysystems-my.sharepoint.com/:f:/p/h_baer/IgDYaHIhXpyLQJvnKPd6b80TAUgV7Lp8qmVYBFUb0lmr7ak?e=JLeADm.
https://lincenergysystems-my.sharepoint.com/:f:/p/h_baer/IgDYaHIhXpyLQJvnKPd6b80TAUgV7Lp8qmVYBFUb0lmr7ak?e=JLeADm
Mitigation
GPL Odorizers recommends users clear the old files from their microSD cards, keeping only the LOGS folder and the FIRMWARE.LIC file if they have a WebMI license. The compressed folder downloaded from the link above can then be extracted to the root directory of the microSD card. These files already include the corresponding firmware update. If users do not have IT permissions to access their microSD cards, GPL Odorizers can provide preconfigured SD cards that technicians can simply swap into their odorizers prior to installation.
Mitigation
For assistance in updating GPL Odorizers to the latest version, users should reach out to GPL Odorizers directly via phone number (303) 697-6701 during the hours of 8:00 a.m. to 4:00 p.m. MST.
Mitigation
Horner Automation offers firmware version 15.76 for their XL Series and version 17.30 for their XL Prime Series controllers https://hornerautomation.com/controller-firmware/. An installation guide is available for both the XL series and the XL Prime series.
https://hornerautomation.com/controller-firmware/
Relevant CWE: CWE-306 Missing Authentication for Critical Function
Metrics
| CVSS Version | Base Score | Base Severity | Vector String |
|---|---|---|---|
| 3.1 | 8.6 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N |
Acknowledgments
- An anonymous researcher reported this vulnerability to CISA
Legal Noti
[…]
Content was cut in order to protect the source.Please visit the source for the rest of the article.
This article has been indexed from All CISA Advisories
Read the original article:
Read the original article: