Honeywell INNCOM INNControl 3
6.6 | ICS-CERT ICSA-20-049-01 | Feb 18, 2020
Attack Vector: Local
Auth Required: Low
Complexity: Low
User Interaction: None needed
Summary
This vulnerability in INNControl 3 allows privilege escalation within the application due to improper access controls (CWE-269). An attacker with a low-privilege user account on a local or connected INNControl 3 system could escalate to higher privileges, potentially gaining unauthorized control over building automation settings. The vulnerability affects INNControl 3 version 3.21 and earlier. Honeywell has not released a patch, but recommends upgrading to the latest version through authorized representatives. No known public exploits exist for this vulnerability.
What this means
What could happen
An attacker with local access to an INNControl 3 system could escalate privileges within the application, potentially allowing unauthorized changes to building control settings, alarms, or system configurations that operators depend on.
Who's at risk
Facility managers, building operators, and HVAC technicians who rely on Honeywell INNControl 3 for controlling heating, cooling, and ventilation systems in commercial buildings, schools, hospitals, and other facilities. Any deployment of INNControl 3 version 3.21 or earlier that grants local or remote access to low-privilege user accounts is at risk.
How it could be exploited
An attacker with a low-privilege user account on the INNControl 3 system could exploit a privilege escalation flaw to gain administrative rights within the application. This could be chained with other vulnerabilities or misconfigurations to alter HVAC setpoints, disable alarms, or modify access controls for building systems.
Prerequisites
- Local access to an INNControl 3 system (physical or via remote desktop with valid user credentials)
- Low-privilege user account credentials
- System running INNControl 3 version 3.21 or earlier
- Local exploitation only (not remotely exploitable from the internet)
- Requires valid user credentials
- Low complexity attack
- No patch available from vendor
- Affects building comfort and safety system controls
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (1)
Product       | Affected Versions | Fix Status
INNControl 3  | ≤ 3.21            | No fix (EOL)
Remediation & Mitigation
Do now
WORKAROUND: Disable all unnecessary user accounts and services on INNControl 3 systems
HARDENING: Restrict physical and remote access to INNControl 3 systems to authorized personnel only (engineering staff, building operators)
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
HOTFIX: Contact Honeywell INNCOM sales representative or authorized systems integrator to assess and plan upgrade to the latest INNControl 3 version
HARDENING: Implement least privilege principle: grant users only the minimum INNCOM roles and permissions needed for their job function
CVEs (1)