PatchSiren

CVE-2026-4436 GPL Odorizers CVE debrief

CVE-2026-4436 is a high-severity OT issue in GPL Odorizers GPL750 systems where a low-privileged remote attacker can send Modbus packets that change register values used by odorant injection logic. The result can be too much or too little odorant entering a gas line, creating an operational and safety concern for affected sites. CISA’s advisory was published on 2026-04-09 and recommends updating to the latest supported software/firmware combination and following the vendor’s update guidance.

Vendor: GPL Odorizers
Product: GPL750 (XL4)
CVSS: HIGH 8.6
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-04-09
Original CVE updated: 2026-04-09
Advisory published: 2026-04-09
Advisory updated: 2026-04-09

Who should care

Operators and maintainers of GPL750-based odorization systems, OT/ICS security teams, control engineers, and network defenders responsible for environments where Modbus is reachable from untrusted or broadly shared networks.

Technical summary

According to the CISA CSAF advisory, the issue affects GPL750 (XL4) >=v1.0 and <v6.0, GPL750 (XL4 Prime) >=v4.0 and <v6.0, GPL750 (XL7) >=v13.0 and <v20.0, and GPL750 (XL7 Prime) >=v18.4 and <v20.0. A remote attacker with low privileges can send Modbus packets to manipulate register values that feed the odorant injection logic, which can cause over-injection or under-injection into a gas line. The supplied CVSS vector indicates network attackability and integrity impact, with no confidentiality impact reported.

Defensive priority

Immediate

Recommended defensive actions

  • Update the GPL750 software and the corresponding Horner Automation firmware to the latest vendor-supported versions for the affected XL4, XL4 Prime, XL7, and XL7 Prime devices.
  • Follow the vendor’s microSD update guidance carefully, including removing old files as instructed and preserving only the files required by the advisory for your configuration.
  • Restrict Modbus access to trusted engineering hosts and networks, and apply CISA ICS recommended practices and defense-in-depth guidance to reduce exposure.
  • Review OT network activity for unauthorized Modbus connections or unexpected register-write activity affecting odorant injection settings.
  • If you need assistance with the update process, coordinate with GPL Odorizers and use the official installation guidance referenced in the advisory.
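
One way to carry out the review for unexpected register-write activity, shown as an added example that is not taken from the CISA advisory or the vendor: it parses Modbus/TCP request frames and flags write function codes coming from hosts outside an engineering allowlist. The (source, payload) record format, the IP addresses and the register numbers are constructed placeholders; the advisory does not name the registers involved.

```python
import struct

# Modbus function codes that modify coils or holding registers.
WRITE_FUNCS = {0x05: "write single coil", 0x06: "write single register",
               0x0F: "write multiple coils", 0x10: "write multiple registers",
               0x16: "mask write register", 0x17: "read/write multiple registers"}

def parse_write(frame: bytes):
    """Return (function, start_address, count) for a Modbus/TCP write request, else None."""
    if len(frame) < 8:
        return None
    _tid, proto, length, _unit, func = struct.unpack(">HHHBB", frame[:8])
    # Protocol id must be 0 and the MBAP length must cover unit id + PDU.
    if proto != 0 or length != len(frame) - 6 or func not in WRITE_FUNCS:
        return None
    body = frame[8:]
    try:
        if func in (0x05, 0x06, 0x16):
            start, count = struct.unpack(">H", body[:2])[0], 1
        elif func in (0x0F, 0x10):
            start, count = struct.unpack(">HH", body[:4])
        else:  # 0x17: the write range follows the 4-byte read range
            start, count = struct.unpack(">HH", body[4:8])
    except struct.error:
        return None  # truncated PDU
    return func, start, count

def unauthorized_writes(records, allowed_sources):
    """Flag write requests whose source is not an approved engineering host."""
    alerts = []
    for src, frame in records:
        parsed = parse_write(frame)
        if parsed and src not in allowed_sources:
            func, start, count = parsed
            alerts.append((src, WRITE_FUNCS[func], start, count))
    return alerts

def build_frame(tid, unit, pdu):
    """Build a Modbus/TCP frame (used only to construct the sample traffic)."""
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu

# Constructed sample traffic; hosts and register numbers are placeholders.
ALLOWED = {"10.0.5.10"}
SAMPLE = [
    ("10.0.5.10", build_frame(1, 1, struct.pack(">BHH", 0x06, 100, 25))),  # approved host, write
    ("10.0.9.77", build_frame(2, 1, struct.pack(">BHH", 0x03, 100, 2))),   # unknown host, read only
    ("10.0.9.77", build_frame(3, 1, struct.pack(">BHHBHH", 0x10, 100, 2, 4, 50, 60))),  # unknown host, write
]

if __name__ == "__main__":
    for alert in unauthorized_writes(SAMPLE, ALLOWED):
        print(alert)
```

In practice the records would come from a passive tap or span port on the OT segment, and alerts can be narrowed further to the register ranges your site documents as odorant injection settings.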

Evidence notes

This debrief is based on the CISA CSAF advisory for ICSA-26-099-02 / CVE-2026-4436, published 2026-04-09. The advisory states that low-privileged remote Modbus traffic can alter register values used by odorant injection logic, lists the affected GPL750 version ranges, and provides remediation guidance to update software/firmware and follow the vendor’s installation instructions. No exploit code or unverified impact claims were used.

Official resources

Publicly disclosed by CISA in ICSA-26-099-02 on 2026-04-09. No KEV listing was provided in the supplied corpus.