PatchSiren cyber security CVE debrief

CVE-2023-5394 Honeywell CVE debrief

A critical vulnerability in Honeywell's Experion PKS, Experion LX, PlantCruise by Experion, Safety Manager, and Safety Manager SC industrial control systems allows remote attackers to execute arbitrary code or cause denial-of-service conditions. The vulnerability, published April 25, 2024, affects 16 distinct product versions across Honeywell's distributed control and safety systems portfolio. Attackers can exploit this flaw by sending specially crafted network messages to Experion Servers or Stations without requiring authentication. The CVSS 3.1 score of 7.4 (HIGH) reflects network attack vector, high attack complexity, and significant impact to integrity and availability. Honeywell has released security updates and advises immediate patching to remediated versions.

Vendor: Honeywell
Product: Experion PKS
CVSS: HIGH 7.4
CISA KEV: Not listed in stored evidence
Original CVE published: 2024-04-25
Original CVE updated: 2024-04-25
Advisory published: 2024-04-25
Advisory updated: 2024-04-25

Who should care

Organizations operating Honeywell Experion distributed control systems or Safety Manager safety instrumented systems in critical infrastructure sectors including energy, chemical manufacturing, oil and gas, and process industries. Asset owners with Experion Servers or Stations accessible from operational technology networks should prioritize assessment and patching. Safety instrumented system operators must evaluate patch applicability during maintenance windows given potential availability requirements.

Technical summary

CVE-2023-5394 is a high-severity vulnerability in Honeywell's Experion distributed control systems and Safety Manager safety instrumented systems. The flaw exists in network message handling within Experion Servers and Stations, where insufficient validation of specially crafted messages enables unauthenticated attackers to achieve remote code execution or trigger denial-of-service conditions. The vulnerability spans 16 affected product versions across five product lines: Experion PKS (releases prior to R510.2 HF14, R511.5 TCU4 HF4, R520.1 TCU5, and R520.2 TCU4 HF2), Experion LX (releases prior to R511.5 TCU4 HF4, R520.1 TCU5, and R520.2 TCU4 HF2), PlantCruise by Experion (releases prior to R511.5 TCU4 HF4, R520.1 TCU5, and R520.2 TCU4 HF2), Safety Manager (R15x and R16x through R162.10), and Safety Manager SC (R210.X, R211.1, R211.2, and R212.1). The CVSS 3.1 score of 7.4 reflects network accessibility, high attack complexity, and high impacts to integrity and availability with no confidentiality impact. Honeywell has addressed the vulnerability through security updates available via Security Notice SN2024.

Defensive priority

critical

Recommended defensive actions

Apply Honeywell security updates referenced in Security Notice SN2024 to all affected Experion PKS, Experion LX, PlantCruise by Experion, Safety Manager, and Safety Manager SC systems
Prioritize patching of internet-facing or externally accessible Experion Servers and Stations
Implement network segmentation to isolate affected industrial control systems from untrusted networks
Monitor for anomalous network traffic targeting Experion Server and Station services
Review and apply CISA ICS recommended practices for defense-in-depth strategies
Validate backup and recovery procedures for safety instrumented systems before applying updates

Evidence notes

CISA ICS Advisory ICSA-24-116-04 documents this vulnerability with 16 affected product configurations across five Honeywell product families. The advisory confirms remote code execution and denial-of-service impacts via specially crafted messages. CVSS 3.1 vector AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H sourced from CISA CSAF data. Remediation guidance directs users to Honeywell Security Notice SN2024 for patch availability.

Official resources

2024-04-25