A distributed control system (DCS) product offered by Honeywell is affected by vulnerabilities that could allow malicious actors to disrupt industrial processes.
Researchers at industrial cybersecurity firm Claroty discovered that Honeywell’s Experion Process Knowledge System (PKS) is affected by three types of vulnerabilities. Two of them, CVE-2021-38395 and CVE-2021-38397, have been assigned a severity rating of critical and can allow an attacker to remotely execute arbitrary code on the system or cause a denial of service (DoS) condition.
The third flaw, tracked as CVE-2021-38399 and classified as high severity, is a path traversal issue that can allow an attacker to access files and folders.
The industrial giant published a security advisory for these vulnerabilities in February, when it informed customers about its plans for releasing patches this year. Some versions of the impacted products, however, will not receive fixes.
In a blog post published on Tuesday, Claroty detailed the vulnerabilities found by its Team82 researchers, as well as their potential impact in real world environments.
The Honeywell Experion PKS product is used by organizations worldwide to control large industrial processes. The DCS leverages controllers that can be programmed using engineering workstation software named Experion PKS Configuration Studio. The logic programmed for a controller is downloaded from the engineering station to the DCS components.
“In the case of the Experion PKS, Team82 found that it is possible to mimic the download code procedure and use these requests to upload arbitrary DLL/ELF files (for simulators and controllers, respectively). The device then loads the executables without performing checks or sanitization, giving an attacker the ability to upload executables and run unauthorized native code remotely without authentication,” Claroty explained.
Learn more about vulnerabilities in industrial systems at SecurityWeek’s ICS Cyber Security Conference and SecurityWeek’s Security Summits virtual event series
An attacker could exploit the vulnerabilities to cause significant disruptions or to abuse the DCS for further attacks on the targeted organization’s network. However, Claroty pointed out that the ports an attacker needs access to in order to exploit the vulnerabilities are typically not exposed to the internet. The attacker would need to find a way to access the targeted organization’s OT network before exploiting the flaws.
Honeywell said the vulnerabilities impact its C200, C200E, C300 and ACE controllers. The ACE and C200 controllers will not receive patches, but mitigations are available, especially since network access is required for exploitation.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday released both an advisory and a notification to inform organizations about the threat posed by these vulnerabilities.
Related: Vulnerabilities Allow Hackers to Access Honeywell Fire Alarm Systems
Related: Serious Vulnerabilities Expose Honeywell Surveillance Systems to Attacks

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
More from Eduard Kovacs
- 900 US Schools Impacted by MOVEit Hack at National Student Clearinghouse
- Predator Spyware Delivered to iOS, Android Devices via Zero-Days, MitM Attacks
- China’s Offensive Cyber Operations in Africa Support Soft Power Efforts
- SANS Survey Shows Drop in 2023 ICS/OT Security Budgets
- Apple Patches 3 Zero-Days Likely Exploited by Spyware Vendor to Hack iPhones
- Cisco to Acquire Splunk for $28 Billion
- Car Cybersecurity Study Shows Drop in Critical Vulnerabilities Over Past Decade
- Omron Patches PLC, Engineering Software Flaws Discovered During ICS Malware Analysis
Latest News
- Stealthy APT Gelsemium Seen Targeting Southeast Asian Government
- Nigerian Pleads Guilty in US to Million-Dollar BEC Scheme Role
- 900 US Schools Impacted by MOVEit Hack at National Student Clearinghouse
- City of Dallas Details Ransomware Attack Impact, Costs
- In-the-Wild Exploitation Expected for Critical TeamCity Flaw Allowing Server Takeover
- Predator Spyware Delivered to iOS, Android Devices via Zero-Days, MitM Attacks
- Researchers Discover Attempt to Infect Leading Egyptian Opposition Politician With Predator Spyware
- In Other News: New Analysis of Snowden Files, Yubico Goes Public, Election Hacking
