Honeywell Experion PKS and ACE Controllers
Act Now | 10 | ICS-CERT ICSA-21-278-04 | Oct 5, 2021
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
Multiple remote code execution and denial-of-service vulnerabilities exist in Honeywell Experion PKS C200, C200E, C300, and ACE controllers affecting all versions. The vulnerabilities include arbitrary file upload (CWE-434), improper neutralization/injection (CWE-74), and relative path traversal (CWE-23). Successful exploitation could allow an attacker to execute arbitrary code or cause denial of service on affected control systems.
What this means
What could happen
An attacker could execute arbitrary code on Experion and ACE controllers, potentially altering process parameters, stopping operations, or causing denial of service. This affects critical infrastructure control systems that manage physical processes.
Who's at risk
Water utilities, electric utilities, and other critical infrastructure operators using Honeywell Experion PKS (Process Knowledge System) or ACE (Automation Control Engine) controllers for process control. These systems manage SCADA functions, DCS operations, and real-time process monitoring in treatment plants, distribution networks, and substations.
How it could be exploited
An attacker with network access to the Experion or ACE controller can exploit file upload or code injection vulnerabilities (CWE-434, CWE-74, CWE-23) to upload malicious files or inject commands. No authentication is required, and exploitation is straightforward once the controller is reachable.
Prerequisites
- Network access to the Experion or ACE controller
- Reachability to the controller from the attacker's location (no internal network segmentation required for exploitation)
Tags: remotely exploitable, no authentication required, low complexity, no patch available, critical CVSS (10.0), affects control systems with physical impact
Exploitability
Low exploit probability (EPSS 0.4%)
Affected products (3)
3 EOL
Product | Affected Versions | Fix Status
C200 | All versions | No fix (EOL)
C300 and ACE controllers | All versions | No fix (EOL)
C200E | All versions | No fix (EOL)
Remediation & Mitigation
Do now
- HARDENING: Implement network segmentation: Place Experion and ACE controllers on an isolated control network with a firewall boundary to the business network and the Internet.
- WORKAROUND: Disable or restrict remote access to controllers unless absolutely necessary; if remote access is required, use a VPN with strict access controls and keep VPN software current.
- HARDENING: Implement firewall rules to deny inbound access to Experion and ACE controllers from the Internet and untrusted networks.
Mitigations - no patch available
The following products have reached End of Life with no planned fix: C200: All versions, C300 and ACE controllers: All versions, C200E: All versions. Apply the following compensating controls:
- HARDENING: Review and apply Honeywell Experion Network and Security Planning Guide (reference SN2021-02-22-01) security hardening recommendations.