Connect with us

Hi, what are you looking for?



Critical Vulnerability in Honeywell Virtual Controller Allows Remote Code Execution

Claroty shows how Honeywell ControlEdge Virtual UOC vulnerability can be exploited for unauthenticated remote code execution.

OT, IoT and medical device cybersecurity firm Claroty has disclosed information on vulnerabilities found by its researchers in Honeywell’s Control Edge Unit Operations Controller (UOC).

Claroty researchers have found vulnerabilities in the ControlEdge Virtual UOC industrial automation controller, which can be deployed as a Linux-based virtual machine, eliminating the need for a physical controller.

The research focused on the EpicMo proprietary protocol, which is used for communication between Honeywell Experion servers and controllers. 

One of the vulnerabilities found in the protocol, tracked as CVE-2023-5389 and rated ‘critical severity’, is related to an undocumented function that allows writing files on Virtual UOC controllers. 

The flaw could allow an attacker who has access to the targeted organization’s OT network to execute arbitrary code without authentication by sending malicious packets to the controller.

“This attack could be carried out remotely in order to modify files, resulting in full control of the controller and the execution of malicious code,” Claroty explained. 

A second vulnerability found by Claroty is CVE-2023-5390, a medium-severity absolute path traversal issue that could allow an attacker to read files from a controller, potentially exposing limited information from the device. 

Claroty reported its findings to Honeywell, which released patches and published its own advisory to inform customers about the flaws. 

Advertisement. Scroll to continue reading.

The US cybersecurity agency CISA also published an advisory recently. The agency’s advisory covers 16 vulnerabilities affecting Honeywell’s Experion PKS, Experion LX, PlantCruise by Experion, Safety Manager, and Safety Manager SC products.

A majority of these flaws were discovered by cybersecurity firm Armis and their exploitation can lead to the disclosure of sensitive information, privilege escalation, or remote code execution. Armis, which dubbed the vulnerabilities Crit.IX, published details last year. 

*updated with link to Armis research

Related: Hackers Could Disrupt Industrial Processes via Flaws in Widely Used Honeywell DCS

Related: Honeywell: USB Malware Attacks on Industrial Orgs Becoming More Sophisticated

Related: Honeywell DCS Platform Vulnerabilities Can Facilitate Attacks on Industrial Organizations

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.


The AI Risk Summit brings together security and risk management executives, AI researchers, policy makers, software developers and influential business and government stakeholders.


People on the Move

Retired U.S. Army General and former NSA Director Paul M. Nakasone has joined the Board of Directors at OpenAI.

Jill Passalacqua has been appointed Chief Legal Officer at autonomous security solutions provider

Cisco has appointed Sean Duca as CISO and Practice Leader for the APJC region.

More People On The Move

Expert Insights