/content/honeywellbt/us/en/search.html
    title
    subtitle

    Product Security

    MENU

    Product Security Incident Response Team (PSIRT)

    The goal of our Product Security Incident Response Team (PSIRT) is to minimize customers’ risk associated with security vulnerabilities by providing timely information, guidance and remediation of vulnerabilities in our products, including software and applications, hardware and devices, services and solutions. This team manages the receipt, investigation, internal coordination, remediation and disclosure of security vulnerability information related to Honeywell offerings. 

    We take security concerns seriously and work to quickly evaluate and address them. Once a security concern is reported, we commit the appropriate resources to analyze, validate, and address the issue. 

    Product Security Incident Response Workflow

    Discovery Phase

    Reporting a Potential Security Vulnerability

    We welcome reports from independent researchers, industry organizations, vendors, and customers. To find out more information on how to report a potential vulnerability, please visit  Vulnerability Reporting.

    Bug Bounty Program

    At the moment, Honeywell does not participate in a bug bounty program or provide any monetary incentives for discovering vulnerabilities. Honeywell does recognize reporters and security researchers on our public acknowledgement page.

    Triage Phase

    In this phase, an incident owner is assigned to the case.

    Analysis Phase

    The analysis phase entails assessing and validating the security concern by conducting thorough analysis.

    Common Vulnerability Scoring System (CVSS)

    We use the Common Vulnerability Scoring System version 3.1 (CVSS v3.1) to evaluate the severity level of identified vulnerabilities. This enables a common scoring method and a common language to communicate the characteristics and impacts of vulnerabilities and allows responders to prioritize responses and resources according to the threat.

    Severity rating scale as shown in the table below:

    Security Impact Rating CVSS Score
    Critical 9.0 – 10.0
    High 7.0 – 8.9
    Medium 4.0 – 6.9
    Low 1.0 – 3.9

    When and where applicable, Honeywell will provide the CVSS v3.1 Base Score.

    We recommend consulting a security or IT professional to evaluate the risk of your specific configuration and we encourage users to compute the environmental score based on their network parameters. We also recommend leveraging a security or IT professional’s assessment of the issue to prioritize responses in your own environment.

    Different base scores

    There may be instances where NVD’s score and Honeywell's score may differ. If so, this is because as owners of the product we are able to account for configurations, build, and other nuisances of the product. In the event the score differs, please use the Honeywell base score.

    Disposition and Communication Phase

    Remediation timelines will depend on many factors, including: the severity, the product affected, the current development cycle, QA cycles, and whether the issue can only be updated in a major release. 

    Remediation may take one or more of the following forms: 

    1. A new release 
    2. A Honeywell-provided patch 
    3. Instructions to download and install an update or patch from a third-party 
    4. A workaround to mitigate the vulnerability 

    Notwithstanding the foregoing, we do not guarantee a specific resolution for issues and not all issues identified may be fixed. 

    Communication and Notification  

    At this point in time a communication plan is determined. Below are various forms of communication. 

    Forms of Communication Description
    Security Notice  May be released to notify customers when a vulnerability is fixed. 
    Product Release Note/Update  Release notes may be used to communicate a launch of a new software/hardware product or a product update and may include latest changes, feature enhancements, or bug fixes/patches. 
    CVE Records  Records are released to inform stakeholders about specifics regarding the vulnerability discovered. The records may include information such as Common Vulnerability Enumeration (CVE) ID number, description of the security vulnerability, and references associated with the vulnerability such as vulnerability reports and advisories. 
    Media Statements  May be used to address any Honeywell related news or incidents.  
    End of Service Life Notice   An EOSL notice may be released to inform a Honeywell customer that the product will no longer be supported or sold.

    Disclosure Phase

    Notifying Customers of Vulnerability

    We take responsibility to ensure that our customers are notified, when necessary, in an efficient manner. Most communication will be posted after patches or workaround has been released on our Security Notice site.

    We will not provide additional information about the specifics of vulnerability or how to reproduce. We do not distribute exploit or proof of concept code for identified vulnerabilities. 

    In accordance with industry practices, we do not share our findings from internal security testing or other types of security activities with external entities. It is important to note that any unauthorized scan of our services and production systems will be considered an attack.  

    Coordinated Vulnerability Disclosure

    Coordinated Vulnerability Disclosure (CVD) is indeed a crucial process in managing and mitigating vulnerabilities in hardware, software, and services. Honeywell's approach to CVD involves engaging with various stakeholders such as partners, vendors, researchers, and community coordinators to ensure that newly discovered vulnerabilities are disclosed in a controlled and coordinated manner. Multi-party coordination is essential because it helps in understanding the different parties' vulnerability disclosure policies, handling policies, and contractual agreements, which in turn fosters trusted communication and collaboration. 

    By increasing transparency between parties, vendors can better understand and manage the risks posed by vulnerabilities. This transparency also facilitates engagements with other parties, ensuring that everyone involved is on the same page. The primary aim of CVD is to provide timely and consistent guidance to all parties and customers, helping them protect themselves effectively. 

    Honeywell follows a similar approach to CVD. They encourage independent reporters who discover vulnerabilities to contact them directly, allowing Honeywell to investigate and remediate the vulnerabilities before they are publicly disclosed. The Product Security Incident Response Team (PSIRT) coordinates with the reporter throughout the investigation and provides updates on progress. Once an update or mitigation information is publicly released, the reporter is welcome to discuss the vulnerability publicly.

    This process not only helps in protecting customers but also ensures that public disclosures are coordinated appropriately, and reporters are acknowledged for their findings. If a reported vulnerability involves a vendor product, the PSIRT will notify the vendor directly, coordinate with the reporter, or engage a third-party coordination center.

    For more information on CVD, please review the information provided in the following links: 

    Report a Vulnerability Issue

    We encourage coordinated disclosure of security vulnerabilities. Security researchers, industry groups, government organizations and vendors can report potential security vulnerabilities to Honeywell by choosing one of the two vulnerability types in the form below or by emailing us with below details mentioned.

    If the vulnerability affects a product, service or solution, email us at PSIRT@honeywell.com, with the following instructions/details:

    • Please encrypt using Honeywell’s public PGP key (see PGP Key page) and include the following:
      • Product and version
      • Description of the potential vulnerability
      • Any special configuration required to reproduce the issue
      • Step by step instructions to reproduce the issue
      • Proof of concept or exploit code, if available
      • Potential Impact

    For all other security issues, email us at Security@honeywell.com with the following instructions. 

    • Please encrypt using Honeywell’s public PGP key (see PGP Key page) and include the following:
      • Website URL or location
      • Type of vulnerability (XSS, Injection, etc.)
      • Instructions to reproduce the vulnerability
      • Proof of concept or exploit code, including how an attacker could exploit the vulnerability
      • Potential impact

    Download PGP Key here

    PGP Key

    -----BEGIN PGP PUBLIC KEY BLOCK-----
    Version: GnuPG/MacGPG2 v2.0.22 (Darwin)
    Comment: GPGTools - https://gpgtools.org

    mQENBE/Z+NYBCAC/++sRC1JFlk1oMMDgl5jxhhh3U+MzTDLiBjHcCeJ4OmBiGRck
    LljhZc0oW8SMd2JW0KjtEa0lKW8JIQHWBRjnGPudT8A/Y/3RW/Rx60dTvvUvt6ux
    IqWmYDoe3B2aTNJmiQZobKwG5uxq0hKhQmTGsmqBWd9jWJT3lopjR7YPzuI3rWjq
    m8DKaz+0JEs0hbPiO5mnID48NaTQvFb5tCySrnOaJIPHAwPtcfz8WWR3wDh3HX6N
    sQOohiYs0lcxxF/klycMfgSaOd4KCvMuvvyYzsAgqAc2cyI41SAWhM0t4/7sGVsM
    6QkOEQL7oM37fKpynKZoNqVQS43i5vEQXKhTABEBAAG0I0hvbmV5d2VsbCBDSVJU
    IDxjaXJ0QGhvbmV5d2VsbC5jb20+iQFyBBABAgBcBQJP2fjWMBSAAAAAACAAB3By
    ZWZlcnJlZC1lbWFpbC1lbmNvZGluZ0BwZ3AuY29tcGdwbWltZQgLCQgHAwIKAQIZ
    AQUbAwAAAAUWAAMCAQUeAQAAAAYVCAkKAgMACgkQNyARPx/t4AdyoQf+LlUiTv20
    VT5Hwbwm4CYxELzjlDaIsDS5DBFAY//gVcaC3J2CW/JeDSvDcBahePADVYI8N3Mk
    fo2IPW4G7riB1OvBm8INELEVnDpFgTMffcLtHyyJHdolO7MKNGp/1zZxHriEci6K
    22v6GT8TluEA9R6pKA7SI/lbVCxDe53CPzm7rQhxLFr2GJ3YKqvJ8C1OW06+fPDZ
    U+nx80X+MIXMJ0+i+i1RS4TVK1chx6MWtkWRPBh022a7q5Ub19ox2osNavwE/gIs
    sMcK2UCZKrphavAbh2YGvPl6UA16lIDwSwMZZ32Di/QcXPfZmBqmJxSs88lQmk5X
    4AKpkknAGb7IY7kBDQRP2fjWAQgA2t9nKv8aoyHQFdu2mFDzxCaBNNgZggoUJjkr
    80ahYphP4gMO/R1N6rUEDoRefzGKwG6l8Vn4yQs3wWl3VWLSBRswmUFa9GITiJnq
    rfJOmw/JZlvqCbh5otGS2/irRb0IOYDn8/OPtN6H47pIfhCuMUEYNoYZ4Y1Vo4oA
    JIbk7/R1IWnlUTGACvgIITDna0Xx2UF9Tlen7AQvMXilonaZhzFaou2abYYGbNWg
    IH8F2m6bd43CK6lM1Bda0wPZFyOmAlbpkDg3xcTJj/ikqC4w3QrLV1RzIL+wQJQ3
    QsJIrMMFRLVxSWjVR84OfXplCFNFG5zneNuyWBVH4+yo87ZrAwARAQABiQJBBBgB
    AgErBQJP2fjXBRsMAAAAwF0gBBkBCAAGBQJP2fjWAAoJEO+/PWqvM/9ITYEH/3rC
    m8tVUcM5rwKluGGRKm2OFlpL5UAN9GDB0yAYbgCPYX4HZPJFDb5eErOrPAsAX3JF
    gfYRP1c0C+wkH6FRnINRRl5GTA3rlaoupPb6fVplgNOSPoRYoP76LaCE0RABrs0X
    4j1r8cfCnWF50xS1sLIY2S8NCrXZKDnPGIpAAMvnO7FZY7DDzFHltSp+cM5EfheL
    wz6dACrbZmo3V6MWaFHxEJaMwzry/IHx8Y0adQ0IuPzESJhOb2KA42oxEekYgNcT
    jZaXVOg592rFmeVMiH+kZ6AqpOWPbSgLY9SA4UZ7wS3uzObk2WWHtE2tXodBKnV8
    x+XfhPwIPL/clezxl6QACgkQNyARPx/t4AfiHgf/cahQSIQ3Z8vV4oGPdgQZT7zH
    h1nQr5mP/9dMkeGYqUwzkRfKLtfSrNIIyq3sOX0TI0b13sHJ/bsys1bPurRMo9QZ
    E/XBRunn0kikKlqIwGroufJooV7rWTQs01npsgjEtBVsLs/xrGZ6OIB5UZDVG650
    aeLBIivRYBy9buIP/ouxKk5C5zTBIQ00Rk7eN/guoxanlrD4wNhzsw/U9SDI8gIH
    ghiIG8KhyeSefQVoT7+d1NF5qEcghHIutzpSv33GaPuegvOkqXrsPC2q1w949+Im
    jcqS6tU4SKYsAeZUro95QhATQGVuANyit9REk68syv8Ke0JcrvrhIj5Qu93LnQ==
    =dpgO
    -----END PGP PUBLIC KEY BLOCK-----

    Acknowledgments

    We would like to acknowledge all individuals who have reported a vulnerability in our environment. We are grateful for these security researchers who help keep us secure.

    2021:
    REPORTERS NAME ASSOCIATION LINK  
    Aniket Anil Deshmane* https://twitter.com/AniketDeshmane9?s=08  
    Armanul Miraz @mirazdevox  
    Ben Leonard-Lagarde    
    Carl Dworzack    
    Danish Tariq https://www.linkedin.com/in/danishtariqq/  
    Harinder Singh https://www.linkedin.com/in/lambardar  
    Husain Murabbi (cyber_humans) https://www.linkedin.com/in/husain-murabbi-cyberhumans/  
    Joel Sanchez https://www.linkedin.com/in/joel-sanchez-199b79123/  
    Joost Bakker BovenIJ ziekenhuis  
    Martino Tommasini     
    Mansoor Rangwala (cyber_humans) https://www.linkedin.com/in/mansoor-rangwala-cyberhumans/  
    Netan Mangal* https://www.linkedin.com/in/netanmangal  
    Pratik Sunil Tryambake    
    Rajnish Kumar Gupta https://www.linkedin.com/in/geekyrajnish  
    Rick de Jager https://github.com/RickdeJager  
    Swapnil Maurya @swapmaurya20  
    Thilo Mohri https://www.linkedin.com/in/tmohri/  
    Todd Heflin www.linkedin.com/in/taterbrown  
    Tracy Williams https://www.linkedin.com/in/battletroll/  
    Vinayak Chaturvedi https://www.linkedin.com/in/vinayak-chaturvedi-348b071a1  
    2019:
    REPORTERS NAME ASSOCIATION LINK  
    Alberto Perez Agudo    
    Athul Jayaram https://www.linkedin.com/in/athuljayaram  
    Dominique van Dorsselaer    
    GwanYeong Kim @sec_karas  
    Jan Kopriva https://www.linkedin.com/in/jan-kopriva/  
    Mohammed Adam https://www.linkedin.com/in/mohammedadam24/  
    Rahul Gamit https://www.linkedin.com/in/rahul-gamit-54a93a188/  
    Ramkumar Ganesan https://www.linkedin.com/in/ram-kumar94  
    Ronak Nahar https://www.linkedin.com/in/naharronak/  
    Sreekanth Reddy https://twitter.com/sree_appsec  
    Sumit Grover @sumgr0   
    2018:
    REPORTERS NAME ASSOCIATION LINK  
    Abhishek Misal http://www.linkedin.com/in/abhishek-misal  
    B. Dhiyaneshwaran    
    Bill Ben Haim
    https://www.linkedin.com/in/bill-ben-haim-b6775a48/  
    Kapil Kulkarni*
    https://www.linkedin.com/in/kapil-kulkarni-oscp-ceh-chfi-5a333763/  
    Mohamed Hamed https://www.linkedin.com/in/mohamed-hamed-239378163/  
    Nitish Shah https://twitter.com/iamNitishShah  
    Pethuraj M https://www.pethuraj.in/  
    Udhaya Prakash C*  @Udhaya_ISRO  
    Utkarsh Agrawal  https://twitter.com/agrawalsmart7  
    Vijiln @vijiln  
    2017 and earlier:
    REPORTERS NAME ASSOCIATION LINK  
    Abdul Haq Khokhar @abdulhaqkhokhar  
    Abdul Rehman Qureshi    
    Abhineeti Singh https://my.linkedin.com/in/abhineeti-singh-739628a4  
    Alexander Sidukov (Positive Technologies) @cyberopus  
    Alisha Sheikh https://in.linkedin.com/in/alisha-sheikh-96059615a  
    Amit Kumar https://www.linkedin.com/in/amit-kumar-9853731a4  
    Angkan Chanda    
    Ari Apridana https://www.linkedin.com/in/ariapridana/  
    Ashish Kunwar @D0rkerDevil  
    Ayush Pandey https://www.linkedin.com/in/ayush-pandey-148797175  
    Gayatri Rachakonda https://www.linkedin.com/in/gayatri-r-8368a3110  
    Gjoko Krstic https://www.linkedin.com/in/gjokokrstic  
    Harish P https://www.linkedin.com/in/harish-p-62b38a158  
    Harshal S. Sharma https://www.linkedin.com/in/harshalss-war10ck/  
    Jayesh Patel https://www.breachlock.com  
    Joachim Kerschbaumer  https://twitter.com/joachimk  
    Jose Carlos Exposito Bueno    
    Khaled Sakr https://www.linkedin.com/in/khaled-sakr-61821698  
    Lutfu Mert Ceylan https://linkedin.com/in/lutfumertceylan/  
    Mahad Ahmed https://octadev.com.pk  
    Maxim Rupp http://rupp.it/  
    Mikael Vingaard Vingaard.dk  
    Mindset Technologies https://mindsetechnologies.com/certificates  
    Mohammed Faiz Quadri https://my.linkedin.com/in/mfaquadri  
    Nadav Erez (Claroty) https://www.linkedin.com/in/nadav-erez/  
    Nick Jensen https://www.linkedin.com/in/nickmarcjensen/  
    Pratik Khalane https://www.linkedin.com/in/pratik-khalane/  
    Rei Henigman (Claroty)    
    Saurabh Shinde https://www.linkedin.com/in/saurabhshinde96/  
    Serge Lacroute https://www.linkedin.com/in/serge-lacroute-677a3b134/  
    Srikar V https://linkedin.com/in/exp1o1t9r  
    Steven Hampton @keritzy  
    Tansel ÇETİN @tansbey  
    Umesh Jore* https://www.linkedin.com/in/umesh-jore-55015194  
    Varun Thorat https://www.linkedin.com/in/3xtrinsic/  
    Vasim Shaikh https://www.linkedin.com/in/vasim-shaikh-094507110  
    Venkatesh Sivakumar @PranavVenkats   
    Victor Curalea https://twitter.com/VictorCuralea  
    Victor Hylejam https://twitter.com/ov3rflow1  
    Wai Yan Aung @waiyanaun9   
    Yunus Aydin https://www.linkedin.com/in/aydinnyunus/  

    * Indicates multiple submissions

    Security Notices

    Below is a list of published Honeywell Security Notices. Honeywell recommends following the guidance provided in these Notices regarding mitigations to described security issues.

    If you are a customer looking for Security Notifications regarding Honeywell Process Solutions (HPS) products, please click here.

    Title/ SN ID # Affected Product/Product Family CVE/ICSA Severity Published Last Updated
    Asure ID Software Removal
    2024-07-01 01
    Niagara EntSec from 4.10u8 and 4.13u3 NA NA 2024-07-01 2024-07-01
    Niagara libwebp Vulnerability
    2024-01-09 01
    Mulitple Niagara Framework, Niagara EntSec versions CVE-2023-4863 Medium 2024-01-09 2024-07-01
    Spring4Shell NO IMPACT
    2022-04-09 01
    Niagara Framework and Niagara EntSec CVE-2022-22963 NA 2022-04-09 2023-05-31
    Niagara MQTT Driver Vulnerability
    2022-03-14 01
    Mulitple Niagara Framework, Niagara EntSec versions NA Medium 2022-03-14 2023-05-31
    Niagara Hx Profile Vulnerability
    2022-02-11 01
    Mulitple Niagara Framework, Niagara EntSec versions NA Medium 2022-02-11 2023-05-31
    Niagara log4j NO IMPACT
    2021-12-13 01
    Niagara Framework and Niagara EntSec CVE-2021-44228 NA 2021-12-13 2021-12-13
    Niagara QNX BadAlloc, Privilege Escalation, and JxBrowser Vulnerabilities
    2021-09-09 01
    Mulitple Niagara Framework, Niagara EntSec versions, and QNX based products CVE-2021-22156 Medium 2021-09-09 2021-12-13
    Niagara JNLP/Web Start Vulnerability
    2021-03-31 01
    Mulitple Niagara Framework, Niagara EntSec versions NA Medium 2021-03-31 2021-12-13
    Niagara TLS Timeout Vulnerability
    2020-07-28 01
    Niagara 4.6, 4.7, 4.8; Niagara EntSec 2.4, 4.8 CVE-2020-14483 Medium 2020-07-28 2020-12-21
    Niagara Ripple20 NO IMPACT
    2020-06-30 01
    Niagara JACE-8000, Edge10 ICSA-20-168-01 NA 2020-06-30 2020-12-21
    Niagara JRE and Bouncycastle fixes
    2020-02-26 01
    Niagara AX 3.8, Niagara EntSec 2.3 NA NA 2020-02-26 2020-12-21
    Niagara QNX Vulnerabilities (Niagara Software)
    2019-08-27 01
    Niagara AX 3.8u4, Niagara 4.4u3, Niagara 4.7u1 NA High, Medium 2019-08-27 2020-07-06
    Niagara QNX Vulnerabilities (Niagara EntSec Software)
    2019-08-23 01
    Niagara EntSec Products NA NA 2019-08-23 2020-07-06
    Niagara Chromium Vulnerability
    2019-05-09 01
    Niagara 4.4u2, 4.6, 4.7 CVE-2019-5786 High 2019-05-09 2020-07-06
    Niagara Framework Guidelines Niagara Framework Products NA NA 2019-05-10 2020-07-06
    Niagara Cross-Site Scripting Vulnerability
    2018-11-12 01
    Niagara AX 3.8u4, Niagara 4.4u2, Niagara 4.6, Niagara EntSec 2.3u1 NA Medium 2018-11-12 2019-02-05
    Update Release for Niagara AX and Niagara 4
    2018-06-01 01
    Niagara AX 3.8, Niagara 4.4 NA NA 2018-06-01 2019-02-05
    Tridium Wi-Fi WPA/2 Protocol Vulnerabilities
    2017-10-16 01
    JACE 8000, Jace 700 10 CVEs Varies 2017-10-16 2018-08-06
    Goldeneye/Petya, WannaCrypt/WannaCry Resource All Niagara Products Multiple Varies 2017-05-01 2018-08-06
    Niagara Hardening Guide Against WannaCry Vulnerabilities Niagara Framework and Niagara EntSec Multiple Varies 2017-05-01 2018-08-06
    Niagara POODLE SSLv3 Vulnerability
    2014-10-21 01
    All Niagara Products CVE-2014-3566 Critical 2014-10-21 2018-08-06
    Tridium Shellshock Vulnerability NO IMPACT
    2014-09-30 01
    All Tridium Products NA NA 2014-09-30 2018-08-06
    Tridium Heartbleed Vulnerability NO IMPACT
    2014-04-10 01
    All Tridium Products NA NA 2014-04-10 2018-08-06
    MPA2 Web Application XSS
    2024-03-08 01
    MPA2 vR1.00.08.05 CVE-2023-1841 High 2024-03-08 2024-03-08
    HW OmniClass/iClass Encoder Secure Channel Downgrade
    2024-01-31 01
    HW OmniClass 2.0 Contactless Smart, Multi-Technology, and BLE Readers, HID iCLASS® SE™ CP1000 Encoder, HID® iCLASS® SE™ and OMNIKEY® Secure Elements, Third-party products that use HID’s OEM module for reading HID cards CVE-2024-23806
    CVE-2024-22338
    High 2024-01-31 2024-01-31
    Voice Console XSS
    2023-12-20 02
    Voice Console v5.6.2, v5.6.3 CVE-2023-6590 Medium 2023-12-20 2023-12-20
    HVoice Console Blind SQL Injection
    2023-12-20 01
    Voice Console v5.6.2, v5.6.3 NA High 2023-12-20 2023-12-20
    PM23/43 Command Injection
    2023-08-01 01
    PM23/43 Printers CVE-2023-3710 Critical 2023-09-12 2023-09-12
    PM23/43 Session ID Vulnerability
    2023-08-02 01
    PM23/43 Printers CVE-2023-3711 High 2023-09-12 2023-09-12
    PM23/43 Privilege Escalation Vulnerability
    2023-08-03 01
    PM23/43 Printers CVE-2023-3712 High 2023-09-12 2023-09-12
    Command Injection HDZP252DI
    2022-01-26 01
    Camera Model HDZP252DI CVE-2021-39363 Medium 2022-01-26 2022-01-26
    Video Replay Vulnerability HBW2PER1
    2022-01-26 02
    Camera Model HBW2PER1 CVE-2021-39364 Medium 2022-01-26 2022-01-26
    HBT Apache Log4j Vulnerability
    2021-HBT-12-14 01 V2
    Apache Log4j Libraries CVE-2021-44228
    CVE-2021-45046
    Critical 2021-12-16 2021-12-16
    SPS Apache Log4j Vulnerability
    2021-SPS-12-14 01 V2
    Apache Log4j Libraries CVE-2021-44228
    CVE-2021-45046
    CVE-2021-45105
    Critical 2021-12-16 2021-12-22
    Honeywell Security UK LTD Battery Compliance
    2021-09-20 01
    Honeywell Security UK Ltd Battery Products NA NA 2021-09-20 2021-09-20
    Wi-Fi Vulnerabilities (Frag Attacks) Wi-Fi Devices NA Varies 2020-08-15 2020-08-15
    Mobility Products RCE and DOS Vulnerabilities
    2020-08-14 01
    Thor VM1A, Thor VM3A, CK65, CN80, CN80G, CN85, CT40, CT60, EDA60K, EDA51, EDA71, EDA61K CVE-2020-11201
    CVE-2020-11202
    CVE-2020-11206
    CVE-2020-11207
    CVE-2020-11208
    CVE-2020-11209
    High 2020-08-14 2020-08-14
    Ripple20 Vulnerability
    2020-07-17 01
    RL 3/4, RL 3e/4e, RP 2/4, E-Class, I-Class, MP Compact MkIII, A-Class, H-Class, M-Class, PB 21/22/31/32, PB 50/51, PR2/3, PD42, PM4i, PX4i, PX6i ICSA-20-168-01 High 2020-07-17 2020-07-17
    Ripple20 NO IMPACT Notification
    2020-07-02 01
    Honeywell Commercial Security Video Products NA NA 2020-07-02 2020-07-02
    Kr00k NO IMPACT Notification
    2020-03-03 01
    Honeywell Productivity Products CVE-2019-15126 NA 2020-03-03 2020-03-03
    Unauthenticated RCE via unsafe binary deserialization and Unauthenticated Remote arbitrary SQL command injection
    2019-10-25 01
    MAXPRO VMS HNMSWVMS, MAXPRO VMS HNMSWVMSLT, MAXPRO NVR XE, MAXPRO NVR SE, MAXPRO NVR PE, MAXPRO NVR MPNVRSWXX CVE-2020-6959
    CVE-2020-6960
    ICSA-20-021-01
    High 2019-10-25 2019-10-25
    IP Camera DoS Vulnerability
    2019-09-13 01
    equIP® Series Cameras: H4L2GR1, HBL2GR1, HCL2G, H4W2GR1, H4W2GR2, H4W4GR1, H3W2GR1, H3W2GR2, H3W4GR1, HBW2GR1, HBW4GR1, HBW2GR3, HCW2G, HCW4G CVE-2019-18228
    ICSA-19-304-02
    High 2019-09-13 2019-09-13
    IP Camera and Recorder Replay Attack Vulnerability
    2019-09-13 02
    equIP® Series Cameras, Performance Series Cameras, Recorders CVE-2019-18226
    ICSA-19-304-04
    High 2019-09-13 2019-09-13
    IP Camera Unauthenticated Access to Audio Vulnerability
    2019-09-04 01
    equIP® Series Cameras, Performance Series Cameras CVE-2019-18230
    ICSA-19-304-03
    High 2019-09-04 2019-09-04
    IP Camera/NVR Configuration Data Information Disclosure Potential Vulnerability
    2019-04-30 01
    Performance IP Series Cameras, Performance Series NVRs CVE-2019-13523
    ICSA-19-260-03
    Medium 2019-04-30 2019-04-30
    Android OS Privilege Elevation Vulnerability
    2018-09-18 01
    CT60, CN80, CT40, CK75, CN75, CN75e, CT50, D75e, CN51, EDA50k, EDA50, EDA70, EDA60k, EDA51 CVE-2018-14825
    ICSA-18-256-01
    High 2018-09-13 2018-09-13
    Processor Vulnerabilities (Spectre and Meltdown)
    2018-04-19 01
    CN75, CN75e, CK75, CV41, CV31, CV61, D99 SERIES, CK3R, CK3X, CN70, CN70e, CK70, CK71, Tecton, AND Various Dolphin, Thor, and Talkman Products CVE-2017-5754
    CVE-2017-5753
    CVE-2017-5715
    Critical 2018-04-19 2018-04-19
    Wi-Fi Vulnerability KRACK
    2017-12-04 01
    70+ Honeywell Productivity Products (WPA2 vulnerability) 10 CVEs Varies 2017-12-04 2017-12-04
    BlueBorne Vulnerability
    2017-11-13 01
    Honeywell Productivity Products with Bluetooth Capability 8 CVEs Varies 2017-11-13 2017-11-13
    Experion Controller and SMSC S300 Modification Vulnerabilities ICSA-24-116-04 Honeywell Experion PKS, Experion LX, PlantCruise by Experion, Safety Manager, Safety Manager SC 16 CVEs Varies 2024-04-05 2024-04-05
    Honeywell Softmaster Uncontrolled Search Path Vulnerability ICSA-22-256-02 Softmaster Products CVE-2022-2333
    CVE-2022-2332
    High 2022-09-13 2022-09-13
    ControlEdge Hard-coded Credentials ICSA-22-242-06 ControlEdge Products CVE-2022-30318 Critical 2022-08-30 2022-08-30
    Experion LX Missing Auth for Critical Function ICSA-22-242-07 Experion LX Products CVE-2022-30317 Critical 2022-08-30 2022-08-30
    IQ Series Cleartext Transmission Vulnerability ICSA-22-242-08 IQ Series Controllers CVE-2022-30312 High 2022-08-30 2022-08-30
    Saia Burgess PG5 Auth Bypass and Use of Broken Cryptographic Algorithm ICSA-22-207-03 Saia Burgess PG5 PCD Products CVE-2022-30319
    CVE-2022-30320
    High 2022-07-28 2022-07-28
    Safety Manager Missing Auth, Use of Hard-coded credentials, and Insufficient Verification of Data Authenticity ICSA-22-207-02 Honeywell Safety Manager Products CVE-2022-30315
    CVE-2022-30313
    CVE-2022-30316
    CVE-2022-30314
    High 2022-07-26 2022-07-26
    Experion PKS Path Traversal, Unrestricted Upload, and Improper Neutralization of Special Elements in Output Vulnerabilities ICSA-21-278-04 Experion PKS C200, C200E, C300, ACE Controllers CVE-2021-38397
    CVE-2021-38395
    CVE-2021-38399
    Critical 2021-10-05 2021-10-05
    OPC UA Heap-Based Buffer Overflow, Out-of-Bounds Read, Improper check, and Uncontrolled Resource Consumption Vulnerabilities ICSA-21-021-03 OPC UA Tunneller versions prior to 6.3.0.8233 CVE-2020-27297
    CVE-2020-27299
    CVE-2020-27274
    CVE-2020-27295
    Critical 2021-01-21 2021-01-21
    ControlEdge Cleartext Transmission Vulnerabilites ICSA-20-175-02 ControlEdge PLC R130.2, R140, R150, R151. ControlEdge RTU R101, R110, R140, R150, R151 CVE-2020-10628
    CVE-2020-10624
    Medium 2020-06-23 2020-06-23
    WIN-PAK CSRF, Improper Neutralization of HTTP Headers, and Use of Obsolete Function Vulnerabilities ICSA-20-056-05 WIN-PAK 4.7.2 Web and Prior Versions CVE-2020-7005
    CVE-2020-6982
    CVE-2020-6978
    High 2020-02-25 2020-02-25
    NWS Authentication Bypass and Path Traversal Vulnerabilities ICSA-20-051-03 Notifier Web Server (NWS) Version 5.50 and prior CVE-2020-6972
    CVE-2020-6974
    Critical 2020-02-20 2020-02-20
    INNControl 3 Improper Privilege Management Vulnerability ICSA-20-049-01 INNCOM INNControl 3 Version 3.21 and prior CVE-2020-6968 Medium 2020-02-19 2020-02-19
    Experion PKS Heap-Based Buffer Overflow, Stack-Based Buffer Overflow, Arbitrary Memory Write, Directory Traversal, and File Inclusion Vulnerabilities ICSA-14-352-01 Experion PKS R40x prior to R400.6, Experion PKS R41x prior to R410.6, Experion PKS R43x prior to R430.2 CVE-2014-9187
    CVE-2014-9189
    CVE-2014-5435
    CVE-2014-5436
    CVE-2014-9186
    Varies 2019-04-10 2019-04-10
    FALCON XSS and File Access to External Parties Vulnerabilities ICSA-14-175-01 FALCON Linux 2.04.01 and prior, FALCON XLWebExe 2.02.11 and prior CVE-2014-2717
    CVE-2014-3110
    Medium 2014-06-24 2018-09-06
    EBI, SymmetrE, and ComfortPoint Improper Input Validation Vulnerability ICSA-13-053-02A EBI R310, R400.2, R410.1, R410.2. SymmetrE R310, R410.1, R410.2, CPO-M R100 CVE-2013-0108 Medium 2013-02-22 2018-09-06
    HMIWeb Browser Buffer Overflow Vulnerability ICSA-12-150-01 Multiple Experion, Enterprise Building Manager, Honeywell Environmental Combustion and Controls Products, and Symmetre R400, R410.1 CVE-2012-0254 Medium 2012-03-09 2018-09-06
    HART DMT Improper Input Validation Vulnerability ICSA-15-029-01 Multiple HART DMT Libraries CVE-2014-9191 Low 2018-08-29 2018-08-29
    Midas Path Traversal and Cleartext Transmission Vulnerabilities ICSA-15-309-02 Midas Version 1.13b1 and prior, Midas Black 2.13ba and prior CVE-2015-7907
    CVE-2015-7908
    Critical 2018-08-27 2018-08-27
    Experion PKS Directory Traversal Vulnerability ICSA-15-272-01 Experion PKS 310.x and prior CVE-2007-6483 Critical 2018-08-27 2018-08-27
    XL Web Controller Path Traversal Vulnerability ICSA-15-076-02 Multiple XLWeb Controller Versions CVE-2015-0984 Critical 2018-08-27 2018-08-27
    Uniformance Stack-based Buffer Overflow Vulnerability ICSA-16-070-02A Uniformance PHD versions prior to R310.1.1.2, R320.1.0.2, and R321.1.1 CVE-2016-2280 High 2016-04-12 2018-08-23
    XL Web II Controller Password Exposure Vulnerabilities ICSA-17-033-01 XL1000C500 XLWebExe-2-01-00 and prior, XLWeb 500 XLWebExe-1-02-08 and prior CVE-2017-5139
    CVE-2017-5140
    CVE-2017-5141
    CVE-2017-5142
    CVE-2017-5143
    Critical 2017-02-02 2017-02-02
    Experion PKS Improper Inout Validation Vulnerability ICSA-16-301-01 Multiple Experion PKS Products CVE-2016-8344 Low 2016-10-27 2016-10-27
    ScanServer ActiveX Control Vulnerability ICSA-11-103-01A ScanServer ActiveX Control Version 780.0.20.5 that is packaged with all SymmetrE Versions NA NA 2011-04-13 2014-03-13
    TEMA Remote Installer ActiveX Vulnerability ICSA-11-285-01 EBI R310.1 - TEMA 4.8, 4.9, 4.10. EBI R400.2 SP1 - TEMA 5.2. EBI R410.1 - TEMA 5.3.0. EBI R410.2 - TEMA 5.3.1 NA NA 2013-04-30 2013-04-30
    MAXPRO NVR Computer: Intel® Chipset Uncontrolled Search Path Element Vulnerability
    2024-06-25 01
    MAXPRO SE NVR Rev D, XE NVR Rev D with Intel® Chipset Device Software before version 10.1.19444.8378 CVE-2023-28388 Medium 2024-06-25 2024-06-25
    HID Mercury Intelligent Controller Command Injection, Unauthenticated Firmware, Buffer Overflow, Path Traversal Vulnerabilities
    2022-06-02 01
    LenelS2 Products integrated with HID Mercury Intelligent Controllers: LNL-X2210, LNL-2220, LNL-X3300, LNL-X4420, LNL-4420, S2-LP-1501, S2-LP-1502, S2-LP-2500, S2-LP-4502 CVE-2022-31479
    CVE-2022-31480
    CVE-2022-31481
    CVE-2022-31482
    CVE-2022-31483
    CVE-2022-31484
    CVE-2022-31485
    CVE-2022-31486
    Critical 2022-06-02 2022-06-02
    LenelS2 OnGuard Client Authentication Bypass Vulnerability
    2022-11-30 01
    OnGuard Versions 7.5, 7.6, 8.0, 8.1 CVE-2022-37026 Critical 2022-11-30 2022-11-30
    LenelS2 NetBox MOD_PROXY SSRF Vulnerability
    2023-03-16 01
    NetBox, NetBox Global, VRx, NetVR, Converged NetBox/VR, NetBox VRx, Quatro Products CVE-2021-40438 Critical 2023-03-16 2023-03-16
    MASmobile Classic Authorization Bypass Vulnerability
    2023-06-15 01
    MASmobile Classic CVE-2023-36483 Medium 2023-06-15 2023-06-15
    LenelS2 NetBox Hardcoded Credentials and Unauthenticated/authenticated RCE Vulnerabilities
    2024-05-24 01
    NetBox Products CVE-2024-2420
    CVE-2024-2421
    CVE-2024-2422
    Critical 2024-05-24 2024-05-24
    LenelS2 NetBox Supply Chain Attack
    2024-08-05 01
    NetBox, VRx, NetVR Products NA NA 2024-08-05 2024-08-05
    Honeywell Experion PKS, LX, and PlantCruise Heap and Stack-based Overflow, Unexpected Code Status, Uncontrolled Resource, Improper Encoding, Incorrect Comparison, and other data vulnerabilities
    ICSA-23-194-06
    Experion PKS, LX, and PlantCruise versions prior to R520.2 9 CVEs Critical 2023-07-13 2023-07-13
    Honeywell OneWireless Command Injection, Insufficient Random Values, and Missing Auth Vulnerabilities
    ICSA-23-075-06
    OneWireless Versions up to R322.1 CVE-2022-43485
    CVE-2022-46361
    CVE-2022-4240
    Critical 2023-03-16 2023-03-16
    Honeywell IP-AK2 Missing Auth. Vulnerability
    ICSA-19-297-02
    IP-AK2 Access Control Panel Version 1.04.07 and prior CVE-2019-13525 Medium 2019-10-24 2019-10-24