OTPulse

Honeywell Experion PKS, LX and PlantCruise

Act Now · CVSS 9.8 · ICS-CERT ICSA-23-194-06 · Jul 13, 2023
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

Multiple vulnerabilities in Honeywell Experion PKS, LX, and PlantCruise platforms (versions before R520.2) allow remote code execution, privilege escalation, and denial-of-service attacks. The vulnerabilities have a CVSS score of 9.8, require no authentication, and can be exploited remotely with low attack complexity. Buffer overflow, improper input validation, and insecure deserialization issues affect these critical process control platforms.

What this means
What could happen
An attacker could remotely execute arbitrary code on the Experion platform without authentication, potentially altering process setpoints, disabling alarms, stopping operations, or exfiltrating sensitive configuration and control data. The platform could also be rendered unavailable through denial-of-service attacks.
Who's at risk
Water authorities and electric utilities using Honeywell Experion PKS, LX, or PlantCruise for process monitoring and control should treat this as critical. These platforms typically manage SCADA data, alarms, and operator interfaces for water treatment, pumping, and power generation. Any facility running these products before version R520.2 is at risk.
How it could be exploited
An attacker on the network (or Internet if Experion is exposed) sends a specially crafted message to the Experion platform exploiting buffer overflow or deserialization flaws. Since no authentication is required and attack complexity is low, the attacker can gain immediate code execution and control process behavior or shut down the system.
Prerequisites
  • Network access to the Experion platform (port/service varies by platform type)
  • No valid credentials required
  • Experion version prior to R520.2 installed
Tags: remotely exploitable · no authentication required · low complexity · high CVSS score (9.8) · affects process control systems · critical severity
Exploitability
Low exploit probability (EPSS 0.9%)
Affected products (3)
3 with fix
Product | Affected Versions | Fix Status
Experion PKS | < R520.2 | R520.2
Experion LX | < R520.2 | R520.2
Experion PlantCruise | < R520.2 | R520.2
Remediation & Mitigation
Do now
  • HOTFIX: Upgrade Experion PKS, LX, and PlantCruise to version R520.2 or later
  • HARDENING: Restrict network access to Experion platforms: place them behind firewalls and isolate them from business networks and the Internet
  • HARDENING: Implement least-privilege access controls to limit who can log in to and modify Experion configurations
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

  • HARDENING: Secure backup files in a protected network location or physical drive with access restricted to authorized personnel only
Long-term hardening
  • HARDENING: If remote access is required, use a secure VPN and ensure the VPN is kept current with security patches