CVE-2021-38399

Honeywell Experion PKS and ACE Controllers Relative Path Traversal

Description

Honeywell Experion PKS C200, C200E, C300, and ACE controllers are vulnerable to relative path traversal, which may allow an attacker access to unauthorized files and directories.

Remediation

Workaround:

Honeywell recommends users follow all guidance in the Experion Network and Security Planning Guide to prevent attacks by malicious actors. Additional information can be found in Honeywell Support document SN2021-02-22-01.

References

Link	Tags
https://www.cisa.gov/uscert/ics/advisories/icsa-21-278-04	third party advisory us government resource
https://www.honeywellprocess.com/library/support/notifications/Customer/SN2021-02-22-01-Experion-C300-CCL.pdf	product

Frequently Asked Questions

What is the severity of CVE-2021-38399?: CVE-2021-38399 has been scored as a high severity vulnerability.
How to fix CVE-2021-38399?: As a workaround for remediating CVE-2021-38399: Honeywell recommends users follow all guidance in the Experion Network and Security Planning Guide to prevent attacks by malicious actors. Additional information can be found in Honeywell Support document SN2021-02-22-01.
Is CVE-2021-38399 being actively exploited in the wild?: As for now, there are no information to confirm that CVE-2021-38399 is being actively exploited. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2021-38399?: CVE-2021-38399 affects Honeywell Experion PKS.

Description

Remediation

Categories

CWE-23 – Relative Path Traversal

CWE-22 – Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

References

Frequently Asked Questions