Connect with us

Hi, what are you looking for?



Hackers Could Disrupt Industrial Processes via Flaws in Widely Used Honeywell DCS

A distributed control system (DCS) product offered by Honeywell is affected by vulnerabilities that could allow malicious actors to disrupt industrial processes.

A distributed control system (DCS) product offered by Honeywell is affected by vulnerabilities that could allow malicious actors to disrupt industrial processes.

Researchers at industrial cybersecurity firm Claroty discovered that Honeywell’s Experion Process Knowledge System (PKS) is affected by three types of vulnerabilities. Two of them, CVE-2021-38395 and CVE-2021-38397, have been assigned a severity rating of critical and can allow an attacker to remotely execute arbitrary code on the system or cause a denial of service (DoS) condition.

The third flaw, tracked as CVE-2021-38399 and classified as high severity, is a path traversal issue that can allow an attacker to access files and folders.

Vulnerabilities found in Honeywell DCSThe industrial giant published a security advisory for these vulnerabilities in February, when it informed customers about its plans for releasing patches this year. Some versions of the impacted products, however, will not receive fixes.

In a blog post published on Tuesday, Claroty detailed the vulnerabilities found by its Team82 researchers, as well as their potential impact in real world environments.

The Honeywell Experion PKS product is used by organizations worldwide to control large industrial processes. The DCS leverages controllers that can be programmed using engineering workstation software named Experion PKS Configuration Studio. The logic programmed for a controller is downloaded from the engineering station to the DCS components.

“In the case of the Experion PKS, Team82 found that it is possible to mimic the download code procedure and use these requests to upload arbitrary DLL/ELF files (for simulators and controllers, respectively). The device then loads the executables without performing checks or sanitization, giving an attacker the ability to upload executables and run unauthorized native code remotely without authentication,” Claroty explained.

Learn more about vulnerabilities in industrial systems at SecurityWeek’s ICS Cyber Security Conference and SecurityWeek’s Security Summits virtual event series

Advertisement. Scroll to continue reading.

An attacker could exploit the vulnerabilities to cause significant disruptions or to abuse the DCS for further attacks on the targeted organization’s network. However, Claroty pointed out that the ports an attacker needs access to in order to exploit the vulnerabilities are typically not exposed to the internet. The attacker would need to find a way to access the targeted organization’s OT network before exploiting the flaws.

Honeywell said the vulnerabilities impact its C200, C200E, C300 and ACE controllers. The ACE and C200 controllers will not receive patches, but mitigations are available, especially since network access is required for exploitation.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday released both an advisory and a notification to inform organizations about the threat posed by these vulnerabilities.

ICS Cyber Security Conference

Related: Vulnerabilities Allow Hackers to Access Honeywell Fire Alarm Systems

Related: Serious Vulnerabilities Expose Honeywell Surveillance Systems to Attacks

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join security experts as they discuss ZTNA’s untapped potential to both reduce cyber risk and empower the business.


Join Microsoft and Finite State for a webinar that will introduce a new strategy for securing the software supply chain.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...


The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.


A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...


Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.