CVE-2021-38395
9.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
Summary
Honeywell Experion PKS C200, C200E, C300, and ACE controllers are vulnerable to improper neutralization of special elements in output, which may allow an attacker to remotely execute arbitrary code and cause a denial-of-service condition.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Honeywell | Experion PKS | C200 | affected |
| Honeywell | Experion PKS | C200E | affected |
| Honeywell | Experion PKS | C300 | affected |
| Honeywell | Experion PKS | ACE controllers | affected |
Weaknesses
- CWE-74: CWE-74: Injection
Workarounds
Honeywell recommends users follow all guidance in the Experion Network and Security Planning Guide to prevent attacks by malicious actors.
Additional information can be found in Honeywell Support document SN2021-02-22-01.
ADP Enrichment
CVE Program Container
Additional References
- https://www.cisa.gov/uscert/ics/advisories/icsa-21-278-04
- https://www.honeywellprocess.com/library/support/notifications/Customer/SN2021-02-22-01-Experion-C300-CCL.pdf
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: yes
- Technical Impact: partial
References
- https://www.cisa.gov/uscert/ics/advisories/icsa-21-278-04
- https://www.honeywellprocess.com/library/support/notifications/Customer/SN2021-02-22-01-Experion-C300-CCL.pdf
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.