CVE-2021-38395

Summary

Honeywell Experion PKS C200, C200E, C300, and ACE controllers are vulnerable to improper neutralization of special elements in output, which may allow an attacker to remotely execute arbitrary code and cause a denial-of-service condition.

Affected Software

VendorProductVersion RangeStatus
HoneywellExperion PKSC200affected
HoneywellExperion PKSC200Eaffected
HoneywellExperion PKSC300affected
HoneywellExperion PKSACE controllersaffected

Weaknesses

  • CWE-74: CWE-74: Injection

Workarounds

Honeywell recommends users follow all guidance in the Experion Network and Security Planning Guide to prevent attacks by malicious actors.

Additional information can be found in Honeywell Support document SN2021-02-22-01.

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: yes
    • Technical Impact: partial

References