Honeywell Experion PKS and ACE Controllers Injection
CVE-2021-38395

9.1 CRITICAL

Key Information:

Vendor: Honeywell

CVE Published: 28 October 2022

What is CVE-2021-38395?

Honeywell Experion PKS C200, C200E, C300, and ACE controllers are vulnerable to improper neutralization of special elements in output, which may allow an attacker to remotely execute arbitrary code and cause a denial-of-service condition.

Affected Version(s)

Experion PKS C200

Experion PKS C200E

Experion PKS C300

CVSS V3.1

Score: 9.1
Severity: CRITICAL
Confidentiality: None
Integrity: High
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Rei Henigman and Nadav Erez of Claroty reported these vulnerabilities to CISA.