PatchSiren cyber security CVE debrief
CVE-2017-5140 Honeywell CVE debrief
CVE-2017-5140 is a critical credential-protection weakness in Honeywell XL Web II controller software. NVD describes the issue as a password being stored in clear text in XL1000C500 XLWebExe-2-01-00 and prior, and XLWeb 500 XLWebExe-1-02-08 and prior. Because the secret can be exposed rather than protected, an attacker who can access the stored value may be able to reuse credentials and gain broader control of the affected system. NVD rates the issue 9.8/CRITICAL and maps it to CWE-522, Insufficiently Protected Credentials.
- Vendor: Honeywell
- Product: CVE-2017-5140
- CVSS: CRITICAL 9.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2017-02-13
- Original CVE updated: 2026-05-13
- Advisory published: 2017-02-13
- Advisory updated: 2026-05-13
Who should care
OT and ICS defenders using Honeywell XL Web II controller products, especially operators responsible for credential storage, local system hardening, backups, images, and maintenance access. Security teams should also care if these controllers are reachable from shared networks or remote support paths.
Technical summary
Per the NVD record, the affected products are Honeywell XL Web II controller XL1000C500 running XLWebExe-2-01-00 and prior, and XLWeb 500 running XLWebExe-1-02-08 and prior. The weakness is credential exposure through cleartext storage, which aligns with CWE-522. The CVSS 3.0 vector is AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, indicating a remotely reachable issue with severe potential impact if the stored password is obtained or abused.
Defensive priority
High. The record is rated CVSS 9.8/CRITICAL, and the weakness involves a password stored without adequate protection. Even without an exploit chain in the corpus, credential disclosure in controller software can have immediate operational and security consequences.
Recommended defensive actions
- Identify whether any Honeywell XL Web II controller installations match the affected versions listed in NVD.
- Treat any recovered or exposed credentials associated with these devices as compromised and rotate them using vendor-supported procedures.
- Review where controller credentials may be stored, copied, backed up, or exported, including maintenance workstations and configuration archives.
- Restrict access to controller management interfaces and credential storage locations to trusted administrative networks and personnel.
- Monitor for unauthorized use of controller accounts and investigate any unexpected administrative activity.
- Follow the vendor or ICS advisory guidance referenced by NVD for available remediation steps and version-specific updates.
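As an added example for the first action above (not code from Honeywell, PatchSiren or NVD), a small Python triage helper that compares an asset inventory against the two affected-version ceilings quoted in the NVD record. It assumes that the three dash-separated numeric fields of an XLWebExe version string compare in order (major, minor, patch), and the inventory entries below are constructed.

```python
import re

# Affected ceilings as stated in the NVD description on this page:
# XL1000C500 running XLWebExe-2-01-00 and prior,
# XLWeb 500 running XLWebExe-1-02-08 and prior.
AFFECTED_CEILINGS = {
    "XL1000C500": "XLWebExe-2-01-00",
    "XLWeb 500": "XLWebExe-1-02-08",
}

_VERSION_RE = re.compile(r"^XLWebExe-(\d+)-(\d+)-(\d+)$")


def parse_version(version: str) -> tuple:
    """Turn an XLWebExe version string into a numerically comparable tuple.

    Assumption (not stated on the page): the three fields are ordered
    major-minor-patch, so 2-01-00 sorts above 1-02-08. Anything else is
    rejected so a mis-typed inventory entry cannot silently pass as safe.
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised XLWebExe version string: {version!r}")
    return tuple(int(g) for g in m.groups())


def is_affected(product: str, version: str) -> bool:
    """True when the installed version is at or below the NVD ceiling.

    A version above the ceiling is only outside the range NVD lists; the
    page names no fixed release, so confirm with the vendor advisory.
    """
    ceiling = AFFECTED_CEILINGS.get(product)
    if ceiling is None:
        raise KeyError(f"product {product!r} is not covered by CVE-2017-5140")
    return parse_version(version) <= parse_version(ceiling)


def triage(inventory):
    """Return the (host, product, version) entries that need remediation."""
    return [entry for entry in inventory if is_affected(entry[1], entry[2])]


# Constructed sample inventory, not real device data.
SAMPLE_INVENTORY = [
    ("bms-ctrl-01", "XL1000C500", "XLWebExe-2-01-00"),  # at ceiling: affected
    ("bms-ctrl-02", "XL1000C500", "XLWebExe-2-01-01"),  # above ceiling
    ("bms-ctrl-03", "XLWeb 500", "XLWebExe-1-02-08"),   # at ceiling: affected
    ("bms-ctrl-04", "XLWeb 500", "XLWebExe-1-02-09"),   # above ceiling
    ("bms-ctrl-05", "XLWeb 500", "XLWebExe-1-01-20"),   # below ceiling: affected
]

if __name__ == "__main__":
    for host, product, version in triage(SAMPLE_INVENTORY):
        print(f"{host}: {product} {version} is within the affected range")
```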
Evidence notes
This debrief is based on the supplied NVD-derived record and its official reference links. The record explicitly states that a password is stored in clear text and identifies affected versions as XLWebExe-2-01-00 and prior for XL1000C500, and XLWebExe-1-02-08 and prior for XLWeb 500. NVD lists CWE-522 and CVSS 3.0 vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. The corpus includes reference links to CVE.org, NVD, and ICS-CERT advisory metadata, but not the full advisory text, so remediation details are kept general and strictly evidence-based.
Official resources
- CVE-2017-5140 CVE record (CVE.org)
- CVE-2017-5140 NVD detail (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor reference: [email protected] - Third Party Advisory, VDB Entry
- Mitigation or vendor reference: [email protected] - Third Party Advisory, US Government Resource
Published by CVE on 2017-02-13. The supplied source record was last modified on 2026-05-13, which reflects record maintenance rather than the vulnerability's original disclosure date.