PatchSiren

CVE-2023-5397 Honeywell CVE debrief

A critical vulnerability in Honeywell's Experion PKS, Experion LX, PlantCruise by Experion, Safety Manager, and Safety Manager SC industrial control systems allows remote attackers to execute arbitrary code or cause denial-of-service conditions via specially crafted network messages. The vulnerability affects Experion Servers and Stations with a CVSS 3.1 score of 8.1 (High severity). Successful exploitation requires network access but no authentication, enabling remote code execution or system disruption in operational technology environments. Honeywell has released security updates addressing this issue, and CISA recommends immediate patching following established ICS security practices.

Vendor: Honeywell
Product: Experion PKS
CVSS: HIGH 8.1
CISA KEV: Not listed in stored evidence
Original CVE published: 2024-04-25
Original CVE updated: 2024-04-25
Advisory published: 2024-04-25
Advisory updated: 2024-04-25

Who should care

Organizations operating Honeywell Experion PKS, Experion LX, PlantCruise by Experion, Safety Manager, or Safety Manager SC systems in industrial environments including oil and gas, chemical processing, power generation, and manufacturing facilities. Critical infrastructure operators, ICS security teams, plant engineers, and safety system administrators should prioritize assessment and remediation.

Technical summary

CVE-2023-5397 is a high-severity vulnerability (CVSS 3.1: 8.1) in Honeywell's Experion industrial control system suite. The vulnerability resides in network message handling within Experion Servers and Stations, allowing unauthenticated remote attackers to achieve code execution or cause denial-of-service through crafted network traffic. Affected systems span multiple product lines including Experion PKS (versions prior to R510.2 HF14, R511.5 TCU4 HF4, R520.1 TCU5, and R520.2 TCU4 HF2), Experion LX (versions prior to R511.5 TCU4 HF4, R520.1 TCU5, and R520.2 TCU4 HF2), PlantCruise by Experion (versions prior to R511.5 TCU4 HF4, R520.1 TCU5, and R520.2 TCU4 HF2), Safety Manager (R15x and R16x through R162.10), and Safety Manager SC (R210.X, R211.1, R211.2, and R212.1). The attack vector is network-based with high attack complexity, requiring no privileges or user interaction. Given the safety-critical nature of affected systems, exploitation poses significant risk to operational technology environments including potential process disruption and safety system compromise.
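
An added example (not code from Honeywell, CISA or this site) that triages an asset inventory against the Experion PKS, Experion LX and PlantCruise fixed levels listed above. It assumes release strings look like "R520.1 TCU4 HF9" and that the TCU number, then the HF number, orders builds within a release line; Safety Manager products and release lines the summary does not list are returned for manual review. The inventory rows are constructed sample data.

```python
import re

# First fixed build per release line, from the technical summary above,
# stored as (TCU, HF). Assumption: a missing TCU or HF counts as 0.
PKS_FIXED = {
    "R510.2": (0, 14),
    "R511.5": (4, 4),
    "R520.1": (5, 0),
    "R520.2": (4, 2),
}
# Experion LX and PlantCruise list the same levels except R510.2.
LX_FIXED = {k: v for k, v in PKS_FIXED.items() if k != "R510.2"}
FIXED = {
    "Experion PKS": PKS_FIXED,
    "Experion LX": LX_FIXED,
    "PlantCruise by Experion": LX_FIXED,
}

# Assumed inventory format: "R<nnn>.<n>[ TCU<n>][ HF<n>]"
_RELEASE_RE = re.compile(
    r"^(R\d{3}\.\d+)(?:\s+TCU(\d+))?(?:\s+HF(\d+))?$", re.IGNORECASE
)

def parse_release(text):
    """Return (release_line, (tcu, hf)) or None if the string is unrecognised."""
    m = _RELEASE_RE.match(text.strip())
    if not m:
        return None
    line, tcu, hf = m.groups()
    return line.upper(), (int(tcu or 0), int(hf or 0))

def assess(product, release):
    """Return 'vulnerable', 'fixed', or 'review' (no threshold to compare against)."""
    fixed = FIXED.get(product)
    parsed = parse_release(release)
    if fixed is None or parsed is None or parsed[0] not in fixed:
        return "review"
    line, level = parsed
    return "vulnerable" if level < fixed[line] else "fixed"

if __name__ == "__main__":
    inventory = [  # constructed sample rows: (host, product, release)
        ("eps-01", "Experion PKS", "R510.2 HF13"),
        ("eps-02", "Experion PKS", "R520.1 TCU5"),
        ("lx-01", "Experion LX", "R520.2 TCU4 HF1"),
        ("sm-01", "Safety Manager", "R162.10"),
    ]
    for host, product, release in inventory:
        print(f"{host:8} {product:24} {release:18} {assess(product, release)}")
```

Hosts reported as "review" still need checking against the vendor notice, since the summary gives affected ranges rather than fixed levels for the Safety Manager products.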

Defensive priority

critical

Recommended defensive actions

  • Apply Honeywell security updates to affected Experion PKS, Experion LX, PlantCruise by Experion, Safety Manager, and Safety Manager SC systems as specified in Honeywell Security Notice SN2024
  • Isolate affected industrial control systems from business networks and the internet per CISA ICS recommended practices
  • Implement network segmentation to restrict unauthorized network access to Experion Servers and Stations
  • Monitor network traffic for anomalous connections to affected systems
  • Review and enforce principle of least privilege for all accounts with access to industrial control systems
  • Establish and test incident response procedures for potential compromise of safety instrumented systems

Evidence notes

CISA published advisory ICSA-24-116-04 on April 25, 2024, documenting this vulnerability affecting 16 distinct product configurations across Honeywell's industrial control system portfolio. The advisory confirms remote code execution and denial-of-service impacts against Experion Servers and Stations.

Official resources

2024-04-25