GPL Odorizers GPL750 Missing Authentication Vulnerability CVE-2026-4436
Summary
CISA ICS-CERT published advisory ICSA-26-099-02 describing a high-severity vulnerability (CVSS 8.6) in GPL Odorizers GPL750 industrial odorization equipment. The vulnerability (CVE-2026-4436) allows low-privileged remote attackers to send Modbus packets to manipulate register values controlling odorant injection into gas lines, potentially causing too much or too little odorant to be injected. Affected versions include GPL750 (XL4) >=v1.0, (XL4 Prime) >=v4.0, (XL7) >=v13.0, and (XL7 Prime) >=v18.4.
What changed
CISA disclosed CVE-2026-4436, a missing authentication vulnerability (CWE-306) in GPL Odorizers GPL750 systems used for gas pipeline odorization. A remote attacker with low privileges can send crafted Modbus packets to manipulate odorant injection registers, potentially resulting in dangerous over- or under-odorization of gas lines. The vendor has released software updates and firmware patches as mitigations. Operators of affected GPL750 odorizer units deployed in critical manufacturing and energy infrastructure must immediately identify affected installations, apply vendor-provided patches, and consider network segmentation controls to limit Modbus access.
What to do next
- Identify all GPL750 odorizer installations across gas infrastructure and confirm affected versions (XL4 >=v1.0, XL4 Prime >=v4.0, XL7 >=v13.0, XL7 Prime >=v18.4)
- Download latest GPL750 software and firmware updates from vendor link and update devices via microSD card process
- Update Horner Automation XL Series controllers to firmware v15.76 or XL Prime Series to v17.30
Archived snapshot
Apr 9, 2026GovPing captured this document from the original source. If the source has since changed or been removed, this is the text as it existed at that time.
ICS Advisory
GPL Odorizers GPL750
Release Date
April 09, 2026
Alert Code ICSA-26-099-02 Related topics: Industrial Control System Vulnerabilities, Industrial Control Systems View CSAF
Summary
Successful exploitation of this vulnerability could allow a low privileged remote attacker to manipulate register values, which would result in too much or too little odorant being injected into a gas line.
The following versions of GPL Odorizers GPL750 are affected:
- GPL750 (XL4) >=v1.0|
- GPL750 (XL4 Prime) >=v4.0|
- GPL750 (XL7) >=v13.0|
- GPL750 (XL7 Prime) >=v18.4|
| CVSS | Vendor | Equipment | Vulnerabilities |
|---|---|---|---|
| v3 8.6 | GPL Odorizers | GPL Odorizers GPL750 | Missing Authentication for Critical Function |
Background
- Critical Infrastructure Sectors: Critical Manufacturing
- Countries/Areas Deployed: Worldwide
- Company Headquarters Location: United States
Vulnerabilities
CVE-2026-4436
A low-privileged remote attacker can send Modbus packets to manipulate register values that are inputs to the odorant injection logic such that too much or too little odorant is injected into a gas line.
Affected Products
GPL Odorizers GPL750
Vendor:
GPL Odorizers Product Version:
GPL Odorizers GPL750 (XL4): >=v1.0|
known_affected
Remediations
Mitigation
GPL Odorizers recommends users update to the latest software version of the GPL750 in connection with the latest firmware from Horner Automation for the XL4, XL4 Prime, XL7, and XL7 Prime devices.https://lincenergysystems-my.sharepoint.com/:f:/p/h_baer/IgDYaHIhXpyLQJvnKPd6b80TAUgV7Lp8qmVYBFUb0lmr7ak?e=JLeADm.
https://lincenergysystems-my.sharepoint.com/:f:/p/h_baer/IgDYaHIhXpyLQJvnKPd6b80TAUgV7Lp8qmVYBFUb0lmr7ak?e=JLeADm
Mitigation
GPL Odorizers recommends users clear the old files from their microSD cards, keeping only the LOGS folder and the FIRMWARE.LIC file if they have a WebMI license. The compressed folder downloaded from the link above can then be extracted to the root directory of the microSD card. These files already include the corresponding firmware update. If users do not have IT permissions to access their microSD cards, GPL Odorizers can provide preconfigured SD cards that technicians can simply swap into their odorizers prior to installation.
Mitigation
For assistance in updating GPL Odorizers to the latest version, users should reach out to GPL Odorizers directly via phone number (303) 697-6701 during the hours of 8:00 a.m. to 4:00 p.m. MST.
Mitigation
Horner Automation offers firmware version 15.76 for their XL Series and version 17.30 for their XL Prime Series controllers https://hornerautomation.com/controller-firmware/. An installation guide is available for both the XL series and the XL Prime series.
https://hornerautomation.com/controller-firmware/
Relevant CWE: CWE-306 Missing Authentication for Critical Function
Metrics
| CVSS Version | Base Score | Base Severity | Vector String |
|---|---|---|---|
| 3.1 | 8.6 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N |
Acknowledgments
- An anonymous researcher reported this vulnerability to CISA
Legal Notice and Terms of Use
This product is provided subject to this Notification (https://www.cisa.gov/notification) and this Privacy & Use policy (https://www.cisa.gov/privacy-policy).
Recommended Practices
CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet. Locate control system networks and remote devices behind firewalls and isolating them from business networks. When remote access is required, use more secure methods, such as virtual private networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.
CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.
Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.
Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
CISA also recommends users take the following measures to protect themselves from social engineering attacks: Do not click web links or open attachments in unsolicited email messages. Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams. Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.
No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.
Revision History
- Initial Release Date: 2026-04-09
| Date | Revision | Summary |
|---|---|---|
| 2026-04-09 | 1 | Initial Publication |
Legal Notice and Terms of Use
This product is provided subject to this Notification and this Privacy & Use policy.
Tags
Sector: Critical Manufacturing Sector Topics: Industrial Control System Vulnerabilities, Industrial Control Systems
Please share your thoughts
We recently updated our anonymous product survey; we welcome your feedback.
Related Advisories
Apr 09, 2026
ICS Advisory | ICSA-26-099-01
Contemporary Controls BASC 20T
Apr 07, 2026
ICS Advisory | ICSA-26-097-01
Mitsubishi Electric GENESIS64 and ICONICS Suite products
Apr 02, 2026
ICS Advisory | ICSA-26-092-01
Siemens SICAM 8 Products
Apr 02, 2026
ICS Advisory | ICSA-26-092-02
Yokogawa CENTUM VP
Named provisions
Related changes
Get daily alerts for CISA ICS-CERT Advisories
Daily digest delivered to your inbox.
Free. Unsubscribe anytime.
About this page
Every important government, regulator, and court update from around the world. One place. Real-time. Free. Our mission
Source document text, dates, docket IDs, and authority are extracted directly from CISA.
The summary, classification, recommended actions, deadlines, and penalty information are AI-generated from the original text and may contain errors. Always verify against the source document.
Classification
Who this affects
Taxonomy
Browse Categories
Get alerts for this source
We'll email you when CISA ICS-CERT Advisories publishes new changes.
Subscribed!
Optional. Filters your digest to exactly the updates that matter to you.