Honeywell Experion PKS Directory Traversal Vulnerability
Act Now | 9.4 | ICS-CERT ICSA-15-272-01 | Jul 2, 2015
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
Honeywell Experion PKS Release 310.x and earlier contains a directory traversal vulnerability (CWE-22) in its web interface. An unauthenticated attacker with network access can read arbitrary files from the server by using path traversal sequences in HTTP requests. Affected files may include system configuration, credentials, process setpoints, and alarm settings. No vendor patch is available for this product.
What this means
What could happen
An unauthenticated attacker on your network could read sensitive files from the Experion PKS server, including configuration data, credentials, and process parameters, potentially exposing information needed to manipulate process control or trigger alarms.
Who's at risk
Honeywell Experion PKS (Process Knowledge System) operators in refining, petrochemical, power generation, and water utilities who use this distributed control system are affected. Any facility running Experion PKS Release 310.x or earlier is vulnerable, particularly those with the PKS server exposed to the corporate network or internet.
How it could be exploited
An attacker with network access to the Experion PKS server would send specially crafted HTTP requests using directory traversal sequences (e.g., ../) to access files outside the intended directory. No authentication is required, and the server would return sensitive files like configuration or credential stores.
Prerequisites
- Network access to the Experion PKS web interface (typically port 80/443)
- The PKS server must be reachable from the attacker's network position
remotely exploitable, no authentication required, low complexity, high EPSS score (33.4%), no patch available, affects process control systems
Exploitability
High exploit probability (EPSS 33.4%)
Affected products (1)
Product | Affected Versions | Fix Status
Experion PKS Release: <=310.x | ≤ 310.x | No fix (EOL)
Remediation & Mitigation
Do now
- HARDENING: Implement network segmentation and firewall rules to restrict access to the Experion PKS server to only authorized engineering and control network segments; block direct internet access
- WORKAROUND: Apply network-level access controls such as a Web Application Firewall (WAF) to filter HTTP requests containing directory traversal patterns (../, ..\, etc.)
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
- HARDENING: Monitor network traffic to the PKS server for suspicious access patterns and unauthorized directory traversal attempts
Long-term hardening
- HOTFIX: Evaluate migration to a patched Experion PKS version (Release >310.x) or alternative control systems that address this vulnerability
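One way to implement the WAF filtering and traffic monitoring items above is to flag request targets that contain a `..` path segment, including percent-encoded and backslash forms. This is an added example, not code from Honeywell or ICS-CERT; the Common Log Format input, the decode-round limit and every path in the sample lines are assumptions.

```python
import re
from urllib.parse import unquote

# Request target inside a Common Log Format entry: "METHOD target HTTP/x.y"
REQUEST_RE = re.compile(r'^(?P<client>\S+) .*?"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')
# A ".." path segment: bounded by "/" or by the start/end of the value
DOTDOT_RE = re.compile(r"(?:^|/)\.\.(?:/|$)")
MAX_DECODE_ROUNDS = 3  # assumption: enough to unwrap double or triple encoding


def has_traversal(target: str) -> bool:
    """True if the target holds a '..' segment, raw or percent-encoded."""
    value = target
    for _ in range(MAX_DECODE_ROUNDS + 1):
        normalized = value.replace("\\", "/")  # treat ..\ like ../
        # Check the path and each query name/value: the sequence may sit in a parameter.
        if any(DOTDOT_RE.search(p) for p in re.split(r"[?&=;]", normalized)):
            return True
        decoded = unquote(value)
        if decoded == value:  # nothing left to decode
            return False
        value = decoded
    return False


def scan(lines):
    """Return (client, target) for every log line that requests a traversal path."""
    hits = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if m and has_traversal(m.group("target")):
            hits.append((m.group("client"), m.group("target")))
    return hits


# Constructed sample log lines (not captured traffic); all paths are hypothetical.
SAMPLE_LOG = [
    '10.0.5.23 - - [02/Jul/2015:10:15:01 +0000] "GET /index.html HTTP/1.1" 200 512',
    '10.0.5.23 - - [02/Jul/2015:10:15:04 +0000] "GET /docs/v1..2/notes.txt HTTP/1.1" 200 90',
    '192.0.2.44 - - [02/Jul/2015:10:16:10 +0000] "GET /display/../../settings.example HTTP/1.1" 200 733',
    '192.0.2.44 - - [02/Jul/2015:10:16:12 +0000] "GET /view?file=..%5c..%5csettings.example HTTP/1.1" 200 733',
    '192.0.2.45 - - [02/Jul/2015:10:16:30 +0000] "GET /static/%252e%252e/%252e%252e/settings.example HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for client, target in scan(SAMPLE_LOG):
        print(f"traversal attempt from {client}: {target}")
```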
CVEs (1)