Honeywell XL Web Controller Directory Traversal Vulnerability
Low Risk · ICS-CERT ICSA-15-076-02 · Dec 18, 2015
Summary
Honeywell EXCEL WEB 52 I/O series controllers contain a directory traversal vulnerability (CWE-22) in their web interface that could allow an attacker to access files outside the intended directory structure.
What this means
What could happen
An attacker with access to the web interface could read arbitrary files from the controller, potentially exposing configuration, setpoint, or credential data that could be used to manipulate or disable the building automation system.
Who's at risk
Building automation and facilities management teams operating Honeywell EXCEL WEB 52 I/O controllers (XL1000C50, XL1001C52, XL1002C54, XL1003C56, XL1004C58). This impacts HVAC control systems, chiller units, and other climate control infrastructure in commercial buildings.
How it could be exploited
An attacker would craft HTTP requests whose path contains directory traversal sequences (e.g., "../../../", or percent-encoded forms such as "%2e%2e/" that a naive filter may miss) to escape the web root and read sensitive files on the controller's filesystem.
Prerequisites
- Network access to the web interface port on the controller (typically port 80 or 443)
- No authentication required for file access
Tags: remotely exploitable · no authentication required · no patch available · affects building automation/HVAC systems
Exploitability
Low exploit probability (EPSS 0.8%)
Affected products (5)
All 5 products are End of Life (EOL).

Product                        Affected Versions   Fix Status
EXCEL WEB 52 I/O: XL1000C50    XL1000C50           No fix (EOL)
EXCEL WEB 52 I/O: XL1001C52    XL1001C52           No fix (EOL)
EXCEL WEB 52 I/O: XL1002C54    XL1002C54           No fix (EOL)
EXCEL WEB 52 I/O: XL1003C56    XL1003C56           No fix (EOL)
EXCEL WEB 52 I/O: XL1004C58    XL1004C58           No fix (EOL)
Remediation & Mitigation
Do now
- HARDENING: Restrict network access to the web interface using firewall rules; allow only engineering workstations and authorized management networks.
- HARDENING: Disable web interface access if it is not required for operations; use direct serial or Ethernet connections for authorized engineering access only.
Schedule (requires maintenance window)
Note: no patch exists for these controllers; disabling the web interface or otherwise reconfiguring a running device may require a reboot, so plan for process interruption.
- HARDENING: Monitor access logs and network traffic for directory traversal attempts (request paths containing ../ or its encoded forms such as %2e%2e/ or ..%5c).
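As an added example, not part of the ICS-CERT advisory or any Honeywell tooling, the following Python script shows the kind of log check the monitoring item above calls for, applied to the request pattern described under "How it could be exploited". It parses Common Log Format lines, percent-decodes each request path repeatedly to catch double encoding, folds backslashes so ..\ is treated like ../, and flags requests whose .. segments climb above the web root. The log lines are constructed for illustration, and the assumption that the controller logs in Common Log Format is mine; adjust LOG_RE to match the real device's log format.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (Common Log Format); not from a real controller.
SAMPLE_LOG = """\
10.0.5.20 - - [18/Dec/2015:10:01:12 +0000] "GET /index.html HTTP/1.1" 200 1432
10.0.5.20 - - [18/Dec/2015:10:01:13 +0000] "GET /images/logo.png HTTP/1.1" 200 2210
192.168.77.9 - - [18/Dec/2015:10:02:41 +0000] "GET /../../../etc/passwd HTTP/1.1" 200 812
192.168.77.9 - - [18/Dec/2015:10:02:42 +0000] "GET /%2e%2e/%2e%2e/%2e%2e/etc/shadow HTTP/1.1" 403 0
192.168.77.9 - - [18/Dec/2015:10:02:43 +0000] "GET /%252e%252e/%252e%252e/config.ini HTTP/1.1" 200 511
192.168.77.9 - - [18/Dec/2015:10:02:44 +0000] "GET /..%5c..%5c..%5cboot.ini HTTP/1.1" 404 0
10.0.5.21 - - [18/Dec/2015:10:03:00 +0000] "GET /status?page=2 HTTP/1.1" 200 320
"""

# Common Log Format; assumed here, since the controller's own log format is not documented on this page.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<size>\S+)'
)


def decode_path(raw: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly (catches double encoding such as %252e) and
    fold backslashes to slashes so ..\\ is treated the same as ../."""
    path = raw.split("?", 1)[0]  # the query string is not part of the file path
    for _ in range(rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path.replace("\\", "/")


def traversal_depth(path: str):
    """Walk the path segments; return (has_dotdot, escapes_root).
    escapes_root is True when the running depth drops below the web root."""
    depth = 0
    has_dotdot = False
    escapes = False
    for seg in path.split("/"):
        if seg == "..":
            has_dotdot = True
            depth -= 1
            if depth < 0:
                escapes = True
        elif seg not in ("", "."):
            depth += 1
    return has_dotdot, escapes


def scan_log(text: str):
    """Return one finding per request that contains a traversal sequence."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        decoded = decode_path(m["path"])
        has_dotdot, escapes = traversal_depth(decoded)
        if not has_dotdot:
            continue
        status = int(m["status"])
        findings.append({
            "src": m["src"],
            "ts": m["ts"],
            "raw": m["path"],
            "decoded": decoded,
            "escapes_root": escapes,
            "status": status,
            # A 2xx on a traversal request means the device actually served the file.
            "served": 200 <= status < 300,
        })
    return findings


def sources_with_hits(findings):
    """Aggregate findings by client IP so responders can pivot to the source host."""
    counts = {}
    for f in findings:
        counts[f["src"]] = counts.get(f["src"], 0) + 1
    return counts


if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for f in hits:
        verdict = "SERVED" if f["served"] else "rejected"
        print(f'{f["ts"]} {f["src"]} {verdict} {f["status"]}: {f["raw"]} -> {f["decoded"]}')
    print(sources_with_hits(hits))
```

A flagged request with a 2xx status means the controller served the file and should be treated as a confirmed disclosure, not just an attempt; a 4xx means the request was rejected. To run against a real log, call scan_log() on the file contents; the double decoding matters because a filter that only looks for a literal "../" misses the %252e form shown in the sample.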
Mitigations - no patch available
The following products have reached End of Life with no planned fix: EXCEL WEB 52 I/O: XL1000C50, EXCEL WEB 52 I/O: XL1001C52, EXCEL WEB 52 I/O: XL1002C54, EXCEL WEB 52 I/O: XL1003C56, EXCEL WEB 52 I/O: XL1004C58. Apply the following compensating controls:
- HARDENING: Evaluate replacement with newer Honeywell controllers that include web security patches.
CVEs (1)