OTPulse

Honeywell IP-AK2

CVSS 5.3 · ICS-CERT ICSA-19-297-02 · Oct 24, 2019
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

The Honeywell IP-AK2 Access Control Panel (firmware version 1.04.07 and earlier) allows unauthenticated download of configuration files through direct URL access. This exposure includes authorized visitor information and system settings. Honeywell has released firmware version 1.04.15 with a fix for this issue.

What this means
What could happen
An attacker can download the IP-AK2 access control panel's configuration files over the network without logging in, exposing visitor lists and system settings that could be used to understand facility security and gain physical access.
Who's at risk
Facility managers and security teams running Honeywell IP-AK2 access control panels at water utilities, power plants, municipal buildings, or any site using this device for visitor and access management. The exposure affects any organization relying on this panel to manage who enters secured areas.
How it could be exploited
An attacker with network access to the device can request configuration files via direct URL without providing credentials. The device responds with the files, revealing authorized visitor information and system configuration. This requires only network reachability to the web interface of the device.
Prerequisites
  • Network access to the IP-AK2 web interface (typically port 80 or 443)
  • No credentials required
Key characteristics
  • Remotely exploitable
  • No authentication required
  • Low complexity
  • Affects facility security and physical access control
  • Information disclosure (visitor lists and system configuration)
Exploitability
Low exploit probability (EPSS 0.2%)
Affected products (1)
Product | Affected Versions | Fix Status
IP-AK2 Access Control Panel | ≤ 1.04.07 | Fixed in 1.04.15
Remediation & Mitigation
Do now
HARDENING: Restrict physical access to the device and to any systems with Ethernet connections to it
WORKAROUND: Isolate the IP-AK2 from the Internet, or place it behind a firewall/DMZ so that only the management network can reach its web interface
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Upgrade IP-AK2 firmware to version 1.04.15 or later, with assistance from Honeywell support
Long-term hardening
HARDENING: If remote access to the network is needed, use a VPN or another secure remote connection method rather than exposing the panel directly
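As an added example (not code from OTPulse or Honeywell), the following Python script automates the two checks a practitioner would want after reading the remediation list: triaging an asset inventory for panels still on firmware 1.04.07 or earlier, and verifying from firewall logs that the isolation workaround is actually holding, i.e. that nothing outside the management network is being allowed to reach the panel's web interface on 80/443. The hostnames, addresses, subnets and key=value log lines are constructed for this example, and the log format is an assumption; adapt parse_kv_line to your firewall's export. The script deliberately does not probe the device or name the configuration-file URL, which the advisory does not publish; keying on reachability of the web interface catches the exposure regardless of path.

```python
"""Triage helper for ICSA-19-297-02 (Honeywell IP-AK2).

Added example, not code from OTPulse or Honeywell. Two checks:
1. Inventory triage: which IP-AK2 panels still run firmware 1.04.07 or
   earlier (the versions the advisory names) and need the 1.04.15 upgrade.
2. Segmentation check: which permitted connections reached a panel's web
   interface (80/443) from outside the allowed management network, i.e.
   where the firewall/DMZ workaround is not actually holding.

Assumptions: a 'k=v k=v ...' firewall log format; the hostnames, addresses,
networks and log lines below are constructed for this example.
"""
import ipaddress
from typing import Dict, Iterable, List, Tuple

LAST_AFFECTED_VERSION = "1.04.07"   # from the advisory: 1.04.07 and earlier
FIXED_VERSION = "1.04.15"           # from the advisory


def parse_version(version: str) -> Tuple[int, ...]:
    """'1.04.07' -> (1, 4, 7). Numeric compare so '1.04.7' is not treated as newer than '1.04.15'."""
    return tuple(int(part) for part in version.strip().split("."))


def is_affected(firmware: str) -> bool:
    """True when the firmware is 1.04.07 or earlier."""
    return parse_version(firmware) <= parse_version(LAST_AFFECTED_VERSION)


def triage_inventory(inventory: Iterable[Tuple[str, str, str]]) -> List[Tuple[str, str]]:
    """Return (hostname, firmware) for every IP-AK2 that still needs the fix."""
    return [(host, fw) for host, model, fw in inventory
            if model == "IP-AK2" and is_affected(fw)]


def parse_kv_line(line: str) -> Dict[str, str]:
    """Parse 'k=v k=v ...' into a dict; tokens without '=' are ignored."""
    return dict(tok.split("=", 1) for tok in line.split() if "=" in tok)


def find_unauthorized_reach(log_lines, panel_ips, allowed_nets, web_ports=(80, 443)):
    """Permitted connections to a panel's web ports from outside allowed_nets.

    Only action=allow lines matter: a deny means the firewall did its job.
    Returns (timestamp, src, dst, dport) tuples.
    """
    panels = {ipaddress.ip_address(p) for p in panel_ips}
    nets = [ipaddress.ip_network(n) for n in allowed_nets]
    findings = []
    for line in log_lines:
        rec = parse_kv_line(line)
        try:
            src = ipaddress.ip_address(rec["src"])
            dst = ipaddress.ip_address(rec["dst"])
            dport = int(rec["dport"])
        except (KeyError, ValueError):
            continue  # malformed or unrelated line
        if rec.get("action") != "allow" or dst not in panels or dport not in web_ports:
            continue
        if not any(src in net for net in nets):
            findings.append((rec.get("ts", "?"), str(src), str(dst), dport))
    return findings


# Constructed sample data for this example.
INVENTORY = [
    ("acp-lobby", "IP-AK2", "1.04.07"),       # last affected release
    ("acp-gatehouse", "IP-AK2", "1.03.11"),   # older, affected
    ("acp-plant", "IP-AK2", "1.04.15"),       # fixed
    ("hmi-01", "OtherDevice", "2.1.0"),       # not in scope
]
PANEL_IPS = ["10.20.5.10"]
ALLOWED_NETS = ["10.20.1.0/24"]               # management subnet only
FIREWALL_LOG = [
    "ts=2019-10-25T08:00:01Z action=allow src=10.20.1.5 dst=10.20.5.10 dport=443",    # management host
    "ts=2019-10-25T08:01:12Z action=allow src=203.0.113.7 dst=10.20.5.10 dport=80",    # Internet reached the panel
    "ts=2019-10-25T08:02:30Z action=allow src=10.30.7.22 dst=10.20.5.10 dport=80",     # corporate LAN reached the panel
    "ts=2019-10-25T08:03:00Z action=deny src=198.51.100.9 dst=10.20.5.10 dport=443",   # blocked, fine
    "ts=2019-10-25T08:04:00Z action=allow src=203.0.113.7 dst=10.20.5.99 dport=80",    # not a panel
    "malformed line with no fields",
]

if __name__ == "__main__":
    for host, fw in triage_inventory(INVENTORY):
        print(f"UPGRADE  {host}: firmware {fw} -> {FIXED_VERSION}")
    for ts, src, dst, port in find_unauthorized_reach(FIREWALL_LOG, PANEL_IPS, ALLOWED_NETS):
        print(f"EXPOSED  {ts} {src} reached {dst}:{port} from outside the management network")
```

Run it against your own inventory export and firewall log; every EXPOSED line is a source that can reach the panel's web interface without credentials until the 1.04.15 firmware is in place, and should be blocked at the firewall first.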