PatchSiren cyber security CVE debrief
CVE-2023-5389 Honeywell CVE debrief
A critical vulnerability in Honeywell's Experion PKS, Experion LX, PlantCruise by Experion, Safety Manager, and Safety Manager SC product lines allows remote attackers to modify files on affected controllers without authentication. Published on April 25, 2024, this flaw enables unauthorized file writes to Experion controllers or SMSC S300 systems, which could lead to unexpected behavior through configuration changes or execution of malicious applications if triggered. The vulnerability carries a CVSS 3.1 score of 9.1 (Critical), reflecting its network-accessible attack vector, low complexity, and high impact on integrity and availability.
Sixteen distinct product configurations are affected across multiple versions, including Experion PKS releases prior to R510.2_HF14, R511.5_TCU4_HF4, R520.1_TCU5, and R520.2_TCU4_HF2; Experion LX versions before R511.5_TCU4_HF4, R520.1_TCU5, and R520.2_TCU4_HF2; PlantCruise by Experion versions before R511.5_TCU4_HF4, R520.1_TCU5, and R520.2_TCU4_HF2; Safety Manager R15x and R16x through R162.10; and Safety Manager SC versions R210.X, R211.1, R211.2, and R212.1.
Honeywell has released patches for all affected products. Organizations should prioritize upgrading to the fixed versions referenced in Honeywell's Security Notice, apply network segmentation for industrial control systems, restrict remote access to controller management interfaces, and monitor for unauthorized configuration changes.
- Vendor: Honeywell
- Product: Experion PKS
- CVSS: CRITICAL 9.1
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2024-04-25
- Original CVE updated: 2024-04-25
- Advisory published: 2024-04-25
- Advisory updated: 2024-04-25
Who should care
Organizations operating Honeywell Experion PKS, Experion LX, PlantCruise by Experion, Safety Manager, or Safety Manager SC in manufacturing, energy, chemical processing, and critical infrastructure sectors. OT security teams, plant engineers, control system administrators, and CISOs responsible for industrial cybersecurity programs should prioritize assessment and patching.
Technical summary
CVE-2023-5389 is a critical vulnerability in Honeywell's industrial control system product suite that enables unauthenticated remote attackers to modify files on Experion controllers and SMSC S300 safety systems. The vulnerability allows arbitrary file writes that can alter system configurations or introduce malicious executables for subsequent triggering. With a CVSS 3.1 score of 9.1, the flaw is network-accessible, requires no authentication, and has high impact on system integrity and availability. The attack complexity is low, making exploitation straightforward. Sixteen product configurations are affected across five product families. Honeywell has issued patches; remediation requires version upgrades to specified hotfix and cumulative update releases.
Defensive priority
critical
Recommended defensive actions
- Upgrade all affected Honeywell Experion PKS, Experion LX, PlantCruise by Experion, Safety Manager, and Safety Manager SC systems to the patched versions specified in Honeywell Security Notice SN2024
- Implement network segmentation to isolate industrial control system networks from enterprise and external networks
- Restrict remote access to controller management interfaces using jump servers or dedicated secure access solutions
- Monitor controller file systems and configuration baselines for unauthorized changes
- Review and validate controller backup integrity before applying patches
- Apply principle of least privilege to all accounts with controller access
- Enable logging and alerting for file write operations on affected controllers
Evidence notes
CVE published and advisory released 2024-04-25 per CISA CSAF source. CVSS 3.1 vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H confirms network-accessible unauthenticated attack with high integrity and availability impact. Affected product list derived from CSAF product tree with 16 confirmed product IDs. Remediation guidance sourced from vendor-provided fix information in CSAF remediations section.
Official resources
- CVE-2023-5389 CVE record (CVE.org)
- CVE-2023-5389 NVD detail (NVD)
- Source item URL (cisa_csaf)
2024-04-25