OTPulse

Honeywell WIN-PAK

Plan Patch | CVSS 8.1 | ICS-CERT ICSA-20-056-05 | Feb 25, 2020
Attack Vector: Network
Auth Required: None
Complexity: High
User Interaction: None needed
Summary

WIN-PAK versions 4.7.2 and earlier contain multiple vulnerabilities (CWE-352 cross-site request forgery, CWE-644 improper authentication, CWE-477 use of deprecated functions) that allow remote code execution over the network without authentication. The vulnerabilities require a high skill level to exploit. Honeywell has not released a patch; the recommendation is to upgrade to 4.7.2 B1072.3.4 (if available) or isolate affected systems from Internet access. No public exploits are currently known.

What this means
What could happen
An attacker could execute arbitrary commands on a WIN-PAK server over the network, potentially allowing them to modify security system settings, disable alarms, or interfere with access control operations.
Who's at risk
Security and access control integrators, facilities managers, and enterprises using Honeywell WIN-PAK for building security systems, access control, and intrusion detection should prioritize this vulnerability. It affects all installations running WIN-PAK version 4.7.2 and earlier.
How it could be exploited
An attacker with network access to the WIN-PAK web interface could exploit a cross-site request forgery or authentication bypass vulnerability to bypass security controls and execute arbitrary code on the server. No public exploit is known, but the vulnerability is exploitable by someone with a high skill level.
Prerequisites
  • Network access to WIN-PAK web interface (port 80/443)
  • No credentials required
  • Ability to craft malicious requests or social engineer users to visit malicious links
Risk factors
  • Remotely exploitable
  • No authentication required
  • High CVSS score (8.1)
  • No patch available (end-of-life product)
  • Affects security system
  • High skill level required to exploit
Exploitability
Low exploit probability (EPSS 0.2%)
Affected products (1)
Product | Affected Versions | Fix Status
WIN-PAK: 4.7.2 Web and prior versions | ≤ 4.7.2 | 4.7.2 B1072.3.4
Remediation & Mitigation
Do now
HARDENING: Isolate WIN-PAK systems from direct Internet access or place them behind a firewall/DMZ
HARDENING: Implement VPN or secure remote access mechanisms if remote connections to WIN-PAK are required
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Update WIN-PAK to version 4.7.2 B1072.3.4 or later from Honeywell Mywebtech portal
Long-term hardening
HARDENING: Train users not to click unsolicited links or open attachments in email, as social engineering may be used to target WIN-PAK administrators