Security Experts:

Connect with us

Hi, what are you looking for?



Johnson Controls, XZERES, Honeywell Patch Vulnerable Products

The Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) has released a series of advisories detailing security issues identified by researchers in products from XZERES, Honeywell, and Johnson Controls.

The Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) has released a series of advisories detailing security issues identified by researchers in products from XZERES, Honeywell, and Johnson Controls.

According to ICS-CERT, Johnson Controls has released patches to address two high severity vulnerabilities affecting the 4.1, 5.x and 6.x releases of the Metasys building management system. The vulnerable releases are used in products such as Application and Data Server (ADS), Extended Application and Data Server (ADX), LonWorks Control Server 85 (LCS8520), Network Automation Engine (NAE), Network Integration Engine (NIE), and NxE8500.

Security researcher Billy Rios discovered that the Metasys web service is plagued by an unrestricted file upload vulnerability (CVE-2014-5428) that can be exploited by a remote, unauthenticated attacker to upload a shell script to an arbitrary location. The attacker can then execute the malicious script and compromise the affected system, ICS-CERT said.

Rios has also found that passwords are stored in a recoverable format (CVE-2014-5427). A remote attacker can compromise a Metasys system by using an unauthenticated POST request to retrieve the password hash belonging to an authorized user.

Martin Jartelius of Outpost24 has discovered and reported a high severity path traversal vulnerability (CVE-2015-0984) in Honeywell’s XLWeb controllers. The flaw affects several versions of the BACnet Building Controller Excel Web, including XL1000C50, XL1000C100, XL1000C500, XL1000C1000, XL1000C50U, XL1000C100U, XL1000C500U, and XL1000C1000U.

“An attacker may use this vulnerability to generate a valid login for an administrative user on the Honeywell XLWeb controller giving the attacker full administrator access to the system. The XLWEB application effectively becomes an entry point into the network where it is located,” ICS-CERT wrote in an advisory.

ICS-CERT advises organizations to mitigate the flaw by updating their products to Excel Web Linux version 2.04.01 or later, and Computer Aided Regulation Engineering (CARE) software version 10.02 or later.

A vulnerability affecting the XZERES 442SR Wind Turbine have been identified by independent researcher Maxim Rupp. The expert discovered a cross-site request forgery (CSRF) flaw (CVE-2015-0985) in the 442SR operating system.

By launching a CSRF attack against a targeted system, an attacker can change the password of the default user, which has administrative privileges on the system.

According to ICS-CERT, there is no indication that exploits are publicly available for these flaws. However, the vulnerabilities can be exploited remotely even by an attacker with low skill so organizations are advised to apply the updates as soon as possible.

Learn More at the 2015 ICS Cyber Security Conference

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Application Security

A CSRF vulnerability in the source control management (SCM) service Kudu could be exploited to achieve remote code execution in multiple Azure services.


GoAnywhere MFT users warned about a zero-day remote code injection exploit that can be targeted directly from the internet