Product Security
MENU
Product Security Incident Response Team (PSIRT)
The goal of our Product Security Incident Response Team (PSIRT) is to minimize customers’ risk associated with security vulnerabilities by providing timely information, guidance and remediation of vulnerabilities in our products, including software and applications, hardware and devices, services and solutions. This team manages the receipt, investigation, internal coordination, remediation and disclosure of security vulnerability information related to Honeywell offerings.
We take security concerns seriously and work to quickly evaluate and address them. Once a security concern is reported, we commit the appropriate resources to analyze, validate, and address the issue.
Product Security Incident Response Workflow
Discovery Phase
Reporting a Potential Security Vulnerability
We welcome reports from independent researchers, industry organizations, vendors, and customers. To find out more information on how to report a potential vulnerability, please visit Vulnerability Reporting.
Bug Bounty Program
At the moment, Honeywell does not participate in a bug bounty program or provide any monetary incentives for discovering vulnerabilities. Honeywell does recognize reporters and security researchers on our public acknowledgement page.
Triage Phase
In this phase, an incident owner is assigned to the case.
Analysis Phase
The analysis phase entails assessing and validating the security concern by conducting thorough analysis.
Common Vulnerability Scoring System (CVSS)
We use the Common Vulnerability Scoring System version 3.1 (CVSS v3.1) to evaluate the severity level of identified vulnerabilities. This enables a common scoring method and a common language to communicate the characteristics and impacts of vulnerabilities and allows responders to prioritize responses and resources according to the threat.
Severity rating scale as shown in the table below:
Security Impact Rating | CVSS Score |
Critical | 9.0 – 10.0 |
High | 7.0 – 8.9 |
Medium | 4.0 – 6.9 |
Low | 1.0 – 3.9 |
When and where applicable, Honeywell will provide the CVSS v3.1 Base Score.
We recommend consulting a security or IT professional to evaluate the risk of your specific configuration and we encourage users to compute the environmental score based on their network parameters. We also recommend leveraging a security or IT professional’s assessment of the issue to prioritize responses in your own environment.
Different base scores
There may be instances where NVD’s score and Honeywell's score may differ. If so, this is because as owners of the product we are able to account for configurations, build, and other nuisances of the product. In the event the score differs, please use the Honeywell base score.
Disposition and Communication Phase
Remediation timelines will depend on many factors, including: the severity, the product affected, the current development cycle, QA cycles, and whether the issue can only be updated in a major release.
Remediation may take one or more of the following forms:
- A new release
- A Honeywell-provided patch
- Instructions to download and install an update or patch from a third-party
- A workaround to mitigate the vulnerability
Notwithstanding the foregoing, we do not guarantee a specific resolution for issues and not all issues identified may be fixed.
Communication and Notification
At this point in time a communication plan is determined. Below are various forms of communication.
Forms of Communication | Description |
Security Notice | May be released to notify customers when a vulnerability is fixed. |
Product Release Note/Update | Release notes may be used to communicate a launch of a new software/hardware product or a product update and may include latest changes, feature enhancements, or bug fixes/patches. |
CVE Records | Records are released to inform stakeholders about specifics regarding the vulnerability discovered. The records may include information such as Common Vulnerability Enumeration (CVE) ID number, description of the security vulnerability, and references associated with the vulnerability such as vulnerability reports and advisories. |
Media Statements | May be used to address any Honeywell related news or incidents. |
End of Service Life Notice | An EOSL notice may be released to inform a Honeywell customer that the product will no longer be supported or sold. |
Disclosure Phase
Notifying Customers of Vulnerability
We take responsibility to ensure that our customers are notified, when necessary, in an efficient manner. Most communication will be posted after patches or workaround has been released on our Security Notice site.
We will not provide additional information about the specifics of vulnerability or how to reproduce. We do not distribute exploit or proof of concept code for identified vulnerabilities.
In accordance with industry practices, we do not share our findings from internal security testing or other types of security activities with external entities. It is important to note that any unauthorized scan of our services and production systems will be considered an attack.
Coordinated Vulnerability Disclosure
Coordinated Vulnerability Disclosure (CVD) is indeed a crucial process in managing and mitigating vulnerabilities in hardware, software, and services. Honeywell's approach to CVD involves engaging with various stakeholders such as partners, vendors, researchers, and community coordinators to ensure that newly discovered vulnerabilities are disclosed in a controlled and coordinated manner. Multi-party coordination is essential because it helps in understanding the different parties' vulnerability disclosure policies, handling policies, and contractual agreements, which in turn fosters trusted communication and collaboration.
By increasing transparency between parties, vendors can better understand and manage the risks posed by vulnerabilities. This transparency also facilitates engagements with other parties, ensuring that everyone involved is on the same page. The primary aim of CVD is to provide timely and consistent guidance to all parties and customers, helping them protect themselves effectively.
Honeywell follows a similar approach to CVD. They encourage independent reporters who discover vulnerabilities to contact them directly, allowing Honeywell to investigate and remediate the vulnerabilities before they are publicly disclosed. The Product Security Incident Response Team (PSIRT) coordinates with the reporter throughout the investigation and provides updates on progress. Once an update or mitigation information is publicly released, the reporter is welcome to discuss the vulnerability publicly.
This process not only helps in protecting customers but also ensures that public disclosures are coordinated appropriately, and reporters are acknowledged for their findings. If a reported vulnerability involves a vendor product, the PSIRT will notify the vendor directly, coordinate with the reporter, or engage a third-party coordination center.
For more information on CVD, please review the information provided in the following links:
Report a Vulnerability Issue
We encourage coordinated disclosure of security vulnerabilities. Security researchers, industry groups, government organizations and vendors can report potential security vulnerabilities to Honeywell by choosing one of the two vulnerability types in the form below or by emailing us with below details mentioned.
If the vulnerability affects a product, service or solution, email us at PSIRT@honeywell.com, with the following instructions/details:
- Please encrypt using Honeywell’s public PGP key (see PGP Key page) and include the following:
- Product and version
- Description of the potential vulnerability
- Any special configuration required to reproduce the issue
- Step by step instructions to reproduce the issue
- Proof of concept or exploit code, if available
- Potential Impact
For all other security issues, email us at Security@honeywell.com with the following instructions.
- Please encrypt using Honeywell’s public PGP key (see PGP Key page) and include the following:
- Website URL or location
- Type of vulnerability (XSS, Injection, etc.)
- Instructions to reproduce the vulnerability
- Proof of concept or exploit code, including how an attacker could exploit the vulnerability
- Potential impact
PGP Key
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG/MacGPG2 v2.0.22 (Darwin)
Comment: GPGTools - https://gpgtools.org
mQENBE/Z+NYBCAC/++sRC1JFlk1oMMDgl5jxhhh3U+MzTDLiBjHcCeJ4OmBiGRck
LljhZc0oW8SMd2JW0KjtEa0lKW8JIQHWBRjnGPudT8A/Y/3RW/Rx60dTvvUvt6ux
IqWmYDoe3B2aTNJmiQZobKwG5uxq0hKhQmTGsmqBWd9jWJT3lopjR7YPzuI3rWjq
m8DKaz+0JEs0hbPiO5mnID48NaTQvFb5tCySrnOaJIPHAwPtcfz8WWR3wDh3HX6N
sQOohiYs0lcxxF/klycMfgSaOd4KCvMuvvyYzsAgqAc2cyI41SAWhM0t4/7sGVsM
6QkOEQL7oM37fKpynKZoNqVQS43i5vEQXKhTABEBAAG0I0hvbmV5d2VsbCBDSVJU
IDxjaXJ0QGhvbmV5d2VsbC5jb20+iQFyBBABAgBcBQJP2fjWMBSAAAAAACAAB3By
ZWZlcnJlZC1lbWFpbC1lbmNvZGluZ0BwZ3AuY29tcGdwbWltZQgLCQgHAwIKAQIZ
AQUbAwAAAAUWAAMCAQUeAQAAAAYVCAkKAgMACgkQNyARPx/t4AdyoQf+LlUiTv20
VT5Hwbwm4CYxELzjlDaIsDS5DBFAY//gVcaC3J2CW/JeDSvDcBahePADVYI8N3Mk
fo2IPW4G7riB1OvBm8INELEVnDpFgTMffcLtHyyJHdolO7MKNGp/1zZxHriEci6K
22v6GT8TluEA9R6pKA7SI/lbVCxDe53CPzm7rQhxLFr2GJ3YKqvJ8C1OW06+fPDZ
U+nx80X+MIXMJ0+i+i1RS4TVK1chx6MWtkWRPBh022a7q5Ub19ox2osNavwE/gIs
sMcK2UCZKrphavAbh2YGvPl6UA16lIDwSwMZZ32Di/QcXPfZmBqmJxSs88lQmk5X
4AKpkknAGb7IY7kBDQRP2fjWAQgA2t9nKv8aoyHQFdu2mFDzxCaBNNgZggoUJjkr
80ahYphP4gMO/R1N6rUEDoRefzGKwG6l8Vn4yQs3wWl3VWLSBRswmUFa9GITiJnq
rfJOmw/JZlvqCbh5otGS2/irRb0IOYDn8/OPtN6H47pIfhCuMUEYNoYZ4Y1Vo4oA
JIbk7/R1IWnlUTGACvgIITDna0Xx2UF9Tlen7AQvMXilonaZhzFaou2abYYGbNWg
IH8F2m6bd43CK6lM1Bda0wPZFyOmAlbpkDg3xcTJj/ikqC4w3QrLV1RzIL+wQJQ3
QsJIrMMFRLVxSWjVR84OfXplCFNFG5zneNuyWBVH4+yo87ZrAwARAQABiQJBBBgB
AgErBQJP2fjXBRsMAAAAwF0gBBkBCAAGBQJP2fjWAAoJEO+/PWqvM/9ITYEH/3rC
m8tVUcM5rwKluGGRKm2OFlpL5UAN9GDB0yAYbgCPYX4HZPJFDb5eErOrPAsAX3JF
gfYRP1c0C+wkH6FRnINRRl5GTA3rlaoupPb6fVplgNOSPoRYoP76LaCE0RABrs0X
4j1r8cfCnWF50xS1sLIY2S8NCrXZKDnPGIpAAMvnO7FZY7DDzFHltSp+cM5EfheL
wz6dACrbZmo3V6MWaFHxEJaMwzry/IHx8Y0adQ0IuPzESJhOb2KA42oxEekYgNcT
jZaXVOg592rFmeVMiH+kZ6AqpOWPbSgLY9SA4UZ7wS3uzObk2WWHtE2tXodBKnV8
x+XfhPwIPL/clezxl6QACgkQNyARPx/t4AfiHgf/cahQSIQ3Z8vV4oGPdgQZT7zH
h1nQr5mP/9dMkeGYqUwzkRfKLtfSrNIIyq3sOX0TI0b13sHJ/bsys1bPurRMo9QZ
E/XBRunn0kikKlqIwGroufJooV7rWTQs01npsgjEtBVsLs/xrGZ6OIB5UZDVG650
aeLBIivRYBy9buIP/ouxKk5C5zTBIQ00Rk7eN/guoxanlrD4wNhzsw/U9SDI8gIH
ghiIG8KhyeSefQVoT7+d1NF5qEcghHIutzpSv33GaPuegvOkqXrsPC2q1w949+Im
jcqS6tU4SKYsAeZUro95QhATQGVuANyit9REk68syv8Ke0JcrvrhIj5Qu93LnQ==
=dpgO
-----END PGP PUBLIC KEY BLOCK-----
Acknowledgments
We would like to acknowledge all individuals who have reported a vulnerability in our environment. We are grateful for these security researchers who help keep us secure.
REPORTERS NAME | ASSOCIATION LINK | |
---|---|---|
Abian Blome | https://www.siemens-energy.com/ | |
Alexander Heck | https://www.linkedin.com/in/alexander-heck-b11b29b | |
Dawid Lenart | https://pl.linkedin.com/in/dawid-lenart-a28a48143 | |
Eaton Zveare/Traceable ASPEN | https://www.linkedin.com/in/eatonz | |
Felipe Gabriel Renzi | linkedin.com/in/felipe-gabriel-renzi | |
Lockheed Martin Red Team | ||
Michael Messner | https://www.siemens-energy.com/ | |
Mohammed Alotibi | https://www.linkedin.com/in/mohammed-a-73790a17a | |
Nikhil Rane | https://www.linkedin.com/in/nikhil-rane-31733a217/ | |
Pavel Sushko | https://www.linkedin.com/in/pavel-sushko/ | |
Rahul Ramakant Singh | https://www.linkedin.com/in/rahul-singh-5604b1135 | |
Qusai Alhaddad | https://www.linkedin.com/in/qusaialhaddad | |
Sagar Yadav | https://twitter.com/sagaryadav8742 | |
Shivani Gundluru | https://www.linkedin.com/in/shivani-gundluru-a45b43212 | |
Tushar Jaiswal | https://linkedin.com/in/the-tushar-jaiswal |
REPORTERS NAME | ASSOCIATION LINK | |
---|---|---|
Digant Prajapati | https://www.linkedin.com/in/digant-prajapati/ | |
Foysal Ahmed Fahim | https://www.linkedin.com/in/foysal1197, https://twitter.com/foysal1197 | |
George Gkanidis | https://twitter.com/Jocker_RL | |
Girish B O | https://www.linkedin.com/in/girish-b-o-a410bb1bb, https://twitter.com/Girishbo05 | |
Mahmoued Elhussiny | https://www.linkedin.com/in/mahmoued-elhussiny-aa9b5881/ | |
Nikhil Rane | https://www.linkedin.com/in/nikhil-rane-31733a217 | |
Pavel Marko | ||
Rakan Abdulrahman Al-Khaled * | https://www.linkedin.com/in/rakan-al-khaled | |
Roshan Zameer | https://www.linkedin.com/mwlite/in/roshan-zameer-97a8531b9 | |
Suprit S Pandurangi | https://www.linkedin.com/in/suprit-pandurangi-a90526106 |
REPORTERS NAME | ASSOCIATION LINK | |
---|---|---|
Aniket Anil Deshmane* | https://twitter.com/AniketDeshmane9?s=08 | |
Armanul Miraz | @mirazdevox | |
Ben Leonard-Lagarde | ||
Carl Dworzack | ||
Danish Tariq | https://www.linkedin.com/in/danishtariqq/ | |
Harinder Singh | https://www.linkedin.com/in/lambardar | |
Husain Murabbi (cyber_humans) | https://www.linkedin.com/in/husain-murabbi-cyberhumans/ | |
Joel Sanchez | https://www.linkedin.com/in/joel-sanchez-199b79123/ | |
Joost Bakker | BovenIJ ziekenhuis | |
Martino Tommasini | ||
Mansoor Rangwala (cyber_humans) | https://www.linkedin.com/in/mansoor-rangwala-cyberhumans/ | |
Netan Mangal* | https://www.linkedin.com/in/netanmangal | |
Pratik Sunil Tryambake | ||
Rajnish Kumar Gupta | https://www.linkedin.com/in/geekyrajnish | |
Rick de Jager | https://github.com/RickdeJager | |
Swapnil Maurya | @swapmaurya20 | |
Thilo Mohri | https://www.linkedin.com/in/tmohri/ | |
Todd Heflin | www.linkedin.com/in/taterbrown | |
Tracy Williams | https://www.linkedin.com/in/battletroll/ | |
Vinayak Chaturvedi | https://www.linkedin.com/in/vinayak-chaturvedi-348b071a1 |
REPORTERS NAME | ASSOCIATION LINK | |
---|---|---|
Alberto Perez Agudo | ||
Athul Jayaram | https://www.linkedin.com/in/athuljayaram | |
Dominique van Dorsselaer | ||
GwanYeong Kim | @sec_karas | |
Jan Kopriva | https://www.linkedin.com/in/jan-kopriva/ | |
Mohammed Adam | https://www.linkedin.com/in/mohammedadam24/ | |
Rahul Gamit | https://www.linkedin.com/in/rahul-gamit-54a93a188/ | |
Ramkumar Ganesan | https://www.linkedin.com/in/ram-kumar94 | |
Ronak Nahar | https://www.linkedin.com/in/naharronak/ | |
Sreekanth Reddy | https://twitter.com/sree_appsec | |
Sumit Grover | @sumgr0 |
REPORTERS NAME | ASSOCIATION LINK | |
---|---|---|
Abhishek Misal | http://www.linkedin.com/in/abhishek-misal | |
B. Dhiyaneshwaran | ||
Bill Ben Haim |
https://www.linkedin.com/in/bill-ben-haim-b6775a48/ | |
Kapil Kulkarni* |
https://www.linkedin.com/in/kapil-kulkarni-oscp-ceh-chfi-5a333763/ | |
Mohamed Hamed | https://www.linkedin.com/in/mohamed-hamed-239378163/ | |
Nitish Shah | https://twitter.com/iamNitishShah | |
Pethuraj M | https://www.pethuraj.in/ | |
Udhaya Prakash C* | @Udhaya_ISRO | |
Utkarsh Agrawal | https://twitter.com/agrawalsmart7 | |
Vijiln | @vijiln |
* Indicates multiple submissions
Below is a list of published Honeywell Security Notices. Honeywell recommends following the guidance provided in these Notices regarding mitigations to described security issues.
If you are a customer looking for Security Notifications regarding Honeywell Process Solutions (HPS) products, please click here.
Title/ SN ID # | Affected Product/Product Family | CVE/ICSA | Severity | Published | Last Updated |
Asure ID Software Removal 2024-07-01 01 |
Niagara EntSec from 4.10u8 and 4.13u3 | NA | NA | 2024-07-01 | 2024-07-01 |
Niagara libwebp Vulnerability 2024-01-09 01 |
Mulitple Niagara Framework, Niagara EntSec versions | CVE-2023-4863 | Medium | 2024-01-09 | 2024-07-01 |
Spring4Shell NO IMPACT 2022-04-09 01 |
Niagara Framework and Niagara EntSec | CVE-2022-22963 | NA | 2022-04-09 | 2023-05-31 |
Niagara MQTT Driver Vulnerability 2022-03-14 01 |
Mulitple Niagara Framework, Niagara EntSec versions | NA | Medium | 2022-03-14 | 2023-05-31 |
Niagara Hx Profile Vulnerability 2022-02-11 01 |
Mulitple Niagara Framework, Niagara EntSec versions | NA | Medium | 2022-02-11 | 2023-05-31 |
Niagara log4j NO IMPACT 2021-12-13 01 |
Niagara Framework and Niagara EntSec | CVE-2021-44228 | NA | 2021-12-13 | 2021-12-13 |
Niagara QNX BadAlloc, Privilege Escalation, and JxBrowser Vulnerabilities 2021-09-09 01 |
Mulitple Niagara Framework, Niagara EntSec versions, and QNX based products | CVE-2021-22156 | Medium | 2021-09-09 | 2021-12-13 |
Niagara JNLP/Web Start Vulnerability 2021-03-31 01 |
Mulitple Niagara Framework, Niagara EntSec versions | NA | Medium | 2021-03-31 | 2021-12-13 |
Niagara TLS Timeout Vulnerability 2020-07-28 01 |
Niagara 4.6, 4.7, 4.8; Niagara EntSec 2.4, 4.8 | CVE-2020-14483 | Medium | 2020-07-28 | 2020-12-21 |
Niagara Ripple20 NO IMPACT 2020-06-30 01 |
Niagara JACE-8000, Edge10 | ICSA-20-168-01 | NA | 2020-06-30 | 2020-12-21 |
Niagara JRE and Bouncycastle fixes 2020-02-26 01 |
Niagara AX 3.8, Niagara EntSec 2.3 | NA | NA | 2020-02-26 | 2020-12-21 |
Niagara QNX Vulnerabilities (Niagara Software) 2019-08-27 01 |
Niagara AX 3.8u4, Niagara 4.4u3, Niagara 4.7u1 | NA | High, Medium | 2019-08-27 | 2020-07-06 |
Niagara QNX Vulnerabilities (Niagara EntSec Software) 2019-08-23 01 |
Niagara EntSec Products | NA | NA | 2019-08-23 | 2020-07-06 |
Niagara Chromium Vulnerability 2019-05-09 01 |
Niagara 4.4u2, 4.6, 4.7 | CVE-2019-5786 | High | 2019-05-09 | 2020-07-06 |
Niagara Framework Guidelines | Niagara Framework Products | NA | NA | 2019-05-10 | 2020-07-06 |
Niagara Cross-Site Scripting Vulnerability 2018-11-12 01 |
Niagara AX 3.8u4, Niagara 4.4u2, Niagara 4.6, Niagara EntSec 2.3u1 | NA | Medium | 2018-11-12 | 2019-02-05 |
Update Release for Niagara AX and Niagara 4 2018-06-01 01 |
Niagara AX 3.8, Niagara 4.4 | NA | NA | 2018-06-01 | 2019-02-05 |
Tridium Wi-Fi WPA/2 Protocol Vulnerabilities 2017-10-16 01 |
JACE 8000, Jace 700 | 10 CVEs | Varies | 2017-10-16 | 2018-08-06 |
Goldeneye/Petya, WannaCrypt/WannaCry Resource | All Niagara Products | Multiple | Varies | 2017-05-01 | 2018-08-06 |
Niagara Hardening Guide Against WannaCry Vulnerabilities | Niagara Framework and Niagara EntSec | Multiple | Varies | 2017-05-01 | 2018-08-06 |
Niagara POODLE SSLv3 Vulnerability 2014-10-21 01 |
All Niagara Products | CVE-2014-3566 | Critical | 2014-10-21 | 2018-08-06 |
Tridium Shellshock Vulnerability NO IMPACT 2014-09-30 01 |
All Tridium Products | NA | NA | 2014-09-30 | 2018-08-06 |
Tridium Heartbleed Vulnerability NO IMPACT 2014-04-10 01 |
All Tridium Products | NA | NA | 2014-04-10 | 2018-08-06 |
MPA2 Web Application XSS 2024-03-08 01 |
MPA2 vR1.00.08.05 | CVE-2023-1841 | High | 2024-03-08 | 2024-03-08 |
HW OmniClass/iClass Encoder Secure Channel Downgrade 2024-01-31 01 |
HW OmniClass 2.0 Contactless Smart, Multi-Technology, and BLE Readers, HID iCLASS® SE™ CP1000 Encoder, HID® iCLASS® SE™ and OMNIKEY® Secure Elements, Third-party products that use HID’s OEM module for reading HID cards | CVE-2024-23806 CVE-2024-22338 |
High | 2024-01-31 | 2024-01-31 |
Voice Console XSS 2023-12-20 02 |
Voice Console v5.6.2, v5.6.3 | CVE-2023-6590 | Medium | 2023-12-20 | 2023-12-20 |
HVoice Console Blind SQL Injection 2023-12-20 01 |
Voice Console v5.6.2, v5.6.3 | NA | High | 2023-12-20 | 2023-12-20 |
PM23/43 Command Injection 2023-08-01 01 |
PM23/43 Printers | CVE-2023-3710 | Critical | 2023-09-12 | 2023-09-12 |
PM23/43 Session ID Vulnerability 2023-08-02 01 |
PM23/43 Printers | CVE-2023-3711 | High | 2023-09-12 | 2023-09-12 |
PM23/43 Privilege Escalation Vulnerability 2023-08-03 01 |
PM23/43 Printers | CVE-2023-3712 | High | 2023-09-12 | 2023-09-12 |
Command Injection HDZP252DI 2022-01-26 01 |
Camera Model HDZP252DI | CVE-2021-39363 | Medium | 2022-01-26 | 2022-01-26 |
Video Replay Vulnerability HBW2PER1 2022-01-26 02 |
Camera Model HBW2PER1 | CVE-2021-39364 | Medium | 2022-01-26 | 2022-01-26 |
HBT Apache Log4j Vulnerability 2021-HBT-12-14 01 V2 |
Apache Log4j Libraries | CVE-2021-44228 CVE-2021-45046 |
Critical | 2021-12-16 | 2021-12-16 |
SPS Apache Log4j Vulnerability 2021-SPS-12-14 01 V2 |
Apache Log4j Libraries | CVE-2021-44228 CVE-2021-45046 CVE-2021-45105 |
Critical | 2021-12-16 | 2021-12-22 |
Honeywell Security UK LTD Battery Compliance 2021-09-20 01 |
Honeywell Security UK Ltd Battery Products | NA | NA | 2021-09-20 | 2021-09-20 |
Wi-Fi Vulnerabilities (Frag Attacks) | Wi-Fi Devices | NA | Varies | 2020-08-15 | 2020-08-15 |
Mobility Products RCE and DOS Vulnerabilities 2020-08-14 01 |
Thor VM1A, Thor VM3A, CK65, CN80, CN80G, CN85, CT40, CT60, EDA60K, EDA51, EDA71, EDA61K | CVE-2020-11201 CVE-2020-11202 CVE-2020-11206 CVE-2020-11207 CVE-2020-11208 CVE-2020-11209 |
High | 2020-08-14 | 2020-08-14 |
Ripple20 Vulnerability 2020-07-17 01 |
RL 3/4, RL 3e/4e, RP 2/4, E-Class, I-Class, MP Compact MkIII, A-Class, H-Class, M-Class, PB 21/22/31/32, PB 50/51, PR2/3, PD42, PM4i, PX4i, PX6i | ICSA-20-168-01 | High | 2020-07-17 | 2020-07-17 |
Ripple20 NO IMPACT Notification 2020-07-02 01 |
Honeywell Commercial Security Video Products | NA | NA | 2020-07-02 | 2020-07-02 |
Kr00k NO IMPACT Notification 2020-03-03 01 |
Honeywell Productivity Products | CVE-2019-15126 | NA | 2020-03-03 | 2020-03-03 |
Unauthenticated RCE via unsafe binary deserialization and Unauthenticated Remote arbitrary SQL command injection 2019-10-25 01 |
MAXPRO VMS HNMSWVMS, MAXPRO VMS HNMSWVMSLT, MAXPRO NVR XE, MAXPRO NVR SE, MAXPRO NVR PE, MAXPRO NVR MPNVRSWXX | CVE-2020-6959 CVE-2020-6960 ICSA-20-021-01 |
High | 2019-10-25 | 2019-10-25 |
IP Camera DoS Vulnerability 2019-09-13 01 |
equIP® Series Cameras: H4L2GR1, HBL2GR1, HCL2G, H4W2GR1, H4W2GR2, H4W4GR1, H3W2GR1, H3W2GR2, H3W4GR1, HBW2GR1, HBW4GR1, HBW2GR3, HCW2G, HCW4G | CVE-2019-18228 ICSA-19-304-02 |
High | 2019-09-13 | 2019-09-13 |
IP Camera and Recorder Replay Attack Vulnerability 2019-09-13 02 |
equIP® Series Cameras, Performance Series Cameras, Recorders | CVE-2019-18226 ICSA-19-304-04 |
High | 2019-09-13 | 2019-09-13 |
IP Camera Unauthenticated Access to Audio Vulnerability 2019-09-04 01 |
equIP® Series Cameras, Performance Series Cameras | CVE-2019-18230 ICSA-19-304-03 |
High | 2019-09-04 | 2019-09-04 |
IP Camera/NVR Configuration Data Information Disclosure Potential Vulnerability 2019-04-30 01 |
Performance IP Series Cameras, Performance Series NVRs | CVE-2019-13523 ICSA-19-260-03 |
Medium | 2019-04-30 | 2019-04-30 |
Android OS Privilege Elevation Vulnerability 2018-09-18 01 |
CT60, CN80, CT40, CK75, CN75, CN75e, CT50, D75e, CN51, EDA50k, EDA50, EDA70, EDA60k, EDA51 | CVE-2018-14825 ICSA-18-256-01 |
High | 2018-09-13 | 2018-09-13 |
Processor Vulnerabilities (Spectre and Meltdown) 2018-04-19 01 |
CN75, CN75e, CK75, CV41, CV31, CV61, D99 SERIES, CK3R, CK3X, CN70, CN70e, CK70, CK71, Tecton, AND Various Dolphin, Thor, and Talkman Products | CVE-2017-5754 CVE-2017-5753 CVE-2017-5715 |
Critical | 2018-04-19 | 2018-04-19 |
Wi-Fi Vulnerability KRACK 2017-12-04 01 |
70+ Honeywell Productivity Products (WPA2 vulnerability) | 10 CVEs | Varies | 2017-12-04 | 2017-12-04 |
BlueBorne Vulnerability 2017-11-13 01 |
Honeywell Productivity Products with Bluetooth Capability | 8 CVEs | Varies | 2017-11-13 | 2017-11-13 |
Experion Controller and SMSC S300 Modification Vulnerabilities ICSA-24-116-04 | Honeywell Experion PKS, Experion LX, PlantCruise by Experion, Safety Manager, Safety Manager SC | 16 CVEs | Varies | 2024-04-05 | 2024-04-05 |
Honeywell Softmaster Uncontrolled Search Path Vulnerability ICSA-22-256-02 | Softmaster Products | CVE-2022-2333 CVE-2022-2332 |
High | 2022-09-13 | 2022-09-13 |
ControlEdge Hard-coded Credentials ICSA-22-242-06 | ControlEdge Products | CVE-2022-30318 | Critical | 2022-08-30 | 2022-08-30 |
Experion LX Missing Auth for Critical Function ICSA-22-242-07 | Experion LX Products | CVE-2022-30317 | Critical | 2022-08-30 | 2022-08-30 |
IQ Series Cleartext Transmission Vulnerability ICSA-22-242-08 | IQ Series Controllers | CVE-2022-30312 | High | 2022-08-30 | 2022-08-30 |
Saia Burgess PG5 Auth Bypass and Use of Broken Cryptographic Algorithm ICSA-22-207-03 | Saia Burgess PG5 PCD Products | CVE-2022-30319 CVE-2022-30320 |
High | 2022-07-28 | 2022-07-28 |
Safety Manager Missing Auth, Use of Hard-coded credentials, and Insufficient Verification of Data Authenticity ICSA-22-207-02 | Honeywell Safety Manager Products | CVE-2022-30315 CVE-2022-30313 CVE-2022-30316 CVE-2022-30314 |
High | 2022-07-26 | 2022-07-26 |
Experion PKS Path Traversal, Unrestricted Upload, and Improper Neutralization of Special Elements in Output Vulnerabilities ICSA-21-278-04 | Experion PKS C200, C200E, C300, ACE Controllers | CVE-2021-38397 CVE-2021-38395 CVE-2021-38399 |
Critical | 2021-10-05 | 2021-10-05 |
OPC UA Heap-Based Buffer Overflow, Out-of-Bounds Read, Improper check, and Uncontrolled Resource Consumption Vulnerabilities ICSA-21-021-03 | OPC UA Tunneller versions prior to 6.3.0.8233 | CVE-2020-27297 CVE-2020-27299 CVE-2020-27274 CVE-2020-27295 |
Critical | 2021-01-21 | 2021-01-21 |
ControlEdge Cleartext Transmission Vulnerabilites ICSA-20-175-02 | ControlEdge PLC R130.2, R140, R150, R151. ControlEdge RTU R101, R110, R140, R150, R151 | CVE-2020-10628 CVE-2020-10624 |
Medium | 2020-06-23 | 2020-06-23 |
WIN-PAK CSRF, Improper Neutralization of HTTP Headers, and Use of Obsolete Function Vulnerabilities ICSA-20-056-05 | WIN-PAK 4.7.2 Web and Prior Versions | CVE-2020-7005 CVE-2020-6982 CVE-2020-6978 |
High | 2020-02-25 | 2020-02-25 |
NWS Authentication Bypass and Path Traversal Vulnerabilities ICSA-20-051-03 | Notifier Web Server (NWS) Version 5.50 and prior | CVE-2020-6972 CVE-2020-6974 |
Critical | 2020-02-20 | 2020-02-20 |
INNControl 3 Improper Privilege Management Vulnerability ICSA-20-049-01 | INNCOM INNControl 3 Version 3.21 and prior | CVE-2020-6968 | Medium | 2020-02-19 | 2020-02-19 |
Experion PKS Heap-Based Buffer Overflow, Stack-Based Buffer Overflow, Arbitrary Memory Write, Directory Traversal, and File Inclusion Vulnerabilities ICSA-14-352-01 | Experion PKS R40x prior to R400.6, Experion PKS R41x prior to R410.6, Experion PKS R43x prior to R430.2 | CVE-2014-9187 CVE-2014-9189 CVE-2014-5435 CVE-2014-5436 CVE-2014-9186 |
Varies | 2019-04-10 | 2019-04-10 |
FALCON XSS and File Access to External Parties Vulnerabilities ICSA-14-175-01 | FALCON Linux 2.04.01 and prior, FALCON XLWebExe 2.02.11 and prior | CVE-2014-2717 CVE-2014-3110 |
Medium | 2014-06-24 | 2018-09-06 |
EBI, SymmetrE, and ComfortPoint Improper Input Validation Vulnerability ICSA-13-053-02A | EBI R310, R400.2, R410.1, R410.2. SymmetrE R310, R410.1, R410.2, CPO-M R100 | CVE-2013-0108 | Medium | 2013-02-22 | 2018-09-06 |
HMIWeb Browser Buffer Overflow Vulnerability ICSA-12-150-01 | Multiple Experion, Enterprise Building Manager, Honeywell Environmental Combustion and Controls Products, and Symmetre R400, R410.1 | CVE-2012-0254 | Medium | 2012-03-09 | 2018-09-06 |
HART DMT Improper Input Validation Vulnerability ICSA-15-029-01 | Multiple HART DMT Libraries | CVE-2014-9191 | Low | 2018-08-29 | 2018-08-29 |
Midas Path Traversal and Cleartext Transmission Vulnerabilities ICSA-15-309-02 | Midas Version 1.13b1 and prior, Midas Black 2.13ba and prior | CVE-2015-7907 CVE-2015-7908 |
Critical | 2018-08-27 | 2018-08-27 |
Experion PKS Directory Traversal Vulnerability ICSA-15-272-01 | Experion PKS 310.x and prior | CVE-2007-6483 | Critical | 2018-08-27 | 2018-08-27 |
XL Web Controller Path Traversal Vulnerability ICSA-15-076-02 | Multiple XLWeb Controller Versions | CVE-2015-0984 | Critical | 2018-08-27 | 2018-08-27 |
Uniformance Stack-based Buffer Overflow Vulnerability ICSA-16-070-02A | Uniformance PHD versions prior to R310.1.1.2, R320.1.0.2, and R321.1.1 | CVE-2016-2280 | High | 2016-04-12 | 2018-08-23 |
XL Web II Controller Password Exposure Vulnerabilities ICSA-17-033-01 | XL1000C500 XLWebExe-2-01-00 and prior, XLWeb 500 XLWebExe-1-02-08 and prior | CVE-2017-5139 CVE-2017-5140 CVE-2017-5141 CVE-2017-5142 CVE-2017-5143 |
Critical | 2017-02-02 | 2017-02-02 |
Experion PKS Improper Inout Validation Vulnerability ICSA-16-301-01 | Multiple Experion PKS Products | CVE-2016-8344 | Low | 2016-10-27 | 2016-10-27 |
ScanServer ActiveX Control Vulnerability ICSA-11-103-01A | ScanServer ActiveX Control Version 780.0.20.5 that is packaged with all SymmetrE Versions | NA | NA | 2011-04-13 | 2014-03-13 |
TEMA Remote Installer ActiveX Vulnerability ICSA-11-285-01 | EBI R310.1 - TEMA 4.8, 4.9, 4.10. EBI R400.2 SP1 - TEMA 5.2. EBI R410.1 - TEMA 5.3.0. EBI R410.2 - TEMA 5.3.1 | NA | NA | 2013-04-30 | 2013-04-30 |
MAXPRO NVR Computer: Intel® Chipset Uncontrolled Search Path Element Vulnerability 2024-06-25 01 |
MAXPRO SE NVR Rev D, XE NVR Rev D with Intel® Chipset Device Software before version 10.1.19444.8378 | CVE-2023-28388 | Medium | 2024-06-25 | 2024-06-25 |
HID Mercury Intelligent Controller Command Injection, Unauthenticated Firmware, Buffer Overflow, Path Traversal Vulnerabilities 2022-06-02 01 |
LenelS2 Products integrated with HID Mercury Intelligent Controllers: LNL-X2210, LNL-2220, LNL-X3300, LNL-X4420, LNL-4420, S2-LP-1501, S2-LP-1502, S2-LP-2500, S2-LP-4502 | CVE-2022-31479 CVE-2022-31480 CVE-2022-31481 CVE-2022-31482 CVE-2022-31483 CVE-2022-31484 CVE-2022-31485 CVE-2022-31486 |
Critical | 2022-06-02 | 2022-06-02 |
LenelS2 OnGuard Client Authentication Bypass Vulnerability 2022-11-30 01 |
OnGuard Versions 7.5, 7.6, 8.0, 8.1 | CVE-2022-37026 | Critical | 2022-11-30 | 2022-11-30 |
LenelS2 NetBox MOD_PROXY SSRF Vulnerability 2023-03-16 01 |
NetBox, NetBox Global, VRx, NetVR, Converged NetBox/VR, NetBox VRx, Quatro Products | CVE-2021-40438 | Critical | 2023-03-16 | 2023-03-16 |
MASmobile Classic Authorization Bypass Vulnerability 2023-06-15 01 |
MASmobile Classic | CVE-2023-36483 | Medium | 2023-06-15 | 2023-06-15 |
LenelS2 NetBox Hardcoded Credentials and Unauthenticated/authenticated RCE Vulnerabilities 2024-05-24 01 |
NetBox Products | CVE-2024-2420 CVE-2024-2421 CVE-2024-2422 |
Critical | 2024-05-24 | 2024-05-24 |
LenelS2 NetBox Supply Chain Attack 2024-08-05 01 |
NetBox, VRx, NetVR Products | NA | NA | 2024-08-05 | 2024-08-05 |
Honeywell Experion PKS, LX, and PlantCruise Heap and Stack-based Overflow, Unexpected Code Status, Uncontrolled Resource, Improper Encoding, Incorrect Comparison, and other data vulnerabilities ICSA-23-194-06 |
Experion PKS, LX, and PlantCruise versions prior to R520.2 | 9 CVEs | Critical | 2023-07-13 | 2023-07-13 |
Honeywell OneWireless Command Injection, Insufficient Random Values, and Missing Auth Vulnerabilities ICSA-23-075-06 |
OneWireless Versions up to R322.1 | CVE-2022-43485 CVE-2022-46361 CVE-2022-4240 |
Critical | 2023-03-16 | 2023-03-16 |
Honeywell IP-AK2 Missing Auth. Vulnerability ICSA-19-297-02 |
IP-AK2 Access Control Panel Version 1.04.07 and prior | CVE-2019-13525 | Medium | 2019-10-24 | 2019-10-24 |