CVE-2021-38397

Summary

Honeywell Experion PKS C200, C200E, C300, and ACE controllers are vulnerable to unrestricted file uploads, which may allow an attacker to remotely execute arbitrary code and cause a denial-of-service condition.

Affected Software

VendorProductVersion RangeStatus
HoneywellExperion PKSC200affected
HoneywellExperion PKSC200Eaffected
HoneywellExperion PKSC300affected
HoneywellExperion PKSACE controllersaffected

Weaknesses

  • CWE-434: CWE-434: Unrestricted Upload of File with Dangerous Type

Workarounds

Honeywell recommends users follow all guidance in the Experion Network and Security Planning Guide to prevent attacks by malicious actors.

Additional information can be found in Honeywell Support document SN2021-02-22-01.

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: yes
    • Technical Impact: total

References