OT and IoT cybersecurity company SCADAfence has discovered potentially serious vulnerabilities in a widely used building management system made by Alerton, a brand of industrial giant Honeywell.
Four vulnerabilities have been found across the Alerton Compass software (the product’s human-machine interface, or HMI), the Ascent Control Module (ACM), and the Visual Logic component. SCADAfence says this is the first time CVE identifiers have been assigned to vulnerabilities in Alerton products.
SCADAfence will soon publish a blog post detailing its findings. In the meantime, the company has issued a press release that points to National Vulnerability Database entries providing some technical information for each of the four security holes.
The vulnerabilities, two of which have been rated ‘high severity’, can be exploited by sending specially crafted packets to the targeted system. Remote, unauthenticated attackers can make configuration changes or write unauthorized code to the controller, either of which can alter the controller’s behavior. If an attacker writes malicious code to the controller, the victim will need to overwrite the program in order to restore its original operational function.
The cybersecurity firm pointed out that the malicious changes would not be reflected in the user interface, making it more likely for the attack to go unnoticed.
SecurityWeek used the Shodan search engine to look for internet-exposed Alerton systems and found 240 results, the vast majority in the United States and a dozen in Canada. Most of the exposed systems are HMIs and controllers.
Yossi Reuven, security research team lead at SCADAfence, confirmed for SecurityWeek that exploitation of the vulnerabilities directly from the internet is possible.
SCADAfence has described several theoretical worst-case scenarios involving exploitation of the vulnerabilities.
Hackers could, for instance, target a building’s management system to cause ‘catastrophic damage’, or they could tamper with temperatures in healthcare, pharmaceutical or food production facilities where maintaining certain temperatures is critical. Malicious actors could also remotely shut down ventilation systems, which could pose a safety risk in manufacturing facilities that work with dangerous chemicals.
SCADAfence says Honeywell is expected to release patches soon. In the meantime, the cybersecurity firm has shared a series of recommendations for impacted Alerton customers, including ensuring that their OT network is isolated, properly configuring building automation system (BAS) firewalls, creating and maintaining ACM baseline configurations, disabling BAS protocols on external network segments, and disabling Ethernet on all ports where it’s not needed.
SecurityWeek has reached out to Honeywell for comment and will update this article if the company responds.
Threat actors targeting building management systems is not unheard of. Kaspersky recently reported that Chinese hackers used these types of systems as a point of infiltration in an attack aimed at a telecoms company.
UPDATE: Honeywell has provided the following statement:
Security is a top priority at Honeywell, and we are committed to taking all appropriate measures to ensure the highest integrity of our products and services. We are aware of the findings presented by SCADAfence, which did not take into consideration guidance in the Alerton ACM Dealer and End User Security Guides that we shared with them. We have encouraged our Alerton customers to follow our published security guidelines, review their current configuration and make any necessary updates.
UPDATE 2: SCADAfence has published a technical blog post describing the vulnerabilities.

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.