Product Security
Product Security Incident Response Team (PSIRT)
The goal of our Product Security Incident Response Team (PSIRT) is to minimize customers’ risk associated with security vulnerabilities by providing timely information, guidance and remediation of vulnerabilities in our products, including software and applications, hardware and devices, services and solutions. This team manages the receipt, investigation, internal coordination, remediation and disclosure of security vulnerability information related to Honeywell offerings.
We take security concerns seriously and work to quickly evaluate and address them. Once a security concern is reported, we commit the appropriate resources to analyze, validate, and address the issue.
Product Security Incident Response Workflow
Discovery Phase
Reporting a Potential Security Vulnerability
We welcome reports from independent researchers, industry organizations, vendors, and customers. For more information on how to report a potential vulnerability, please visit Vulnerability Reporting.
Bug Bounty Program
At the moment, Honeywell does not participate in a bug bounty program or provide any monetary incentives for discovering vulnerabilities. Honeywell does recognize reporters and security researchers on our public acknowledgement page.
Triage Phase
In this phase, an incident owner is assigned to the case.
Analysis Phase
In the analysis phase, the security concern is assessed and validated through thorough technical analysis.
Common Vulnerability Scoring System (CVSS)
We use the Common Vulnerability Scoring System version 3.1 (CVSS v3.1) to evaluate the severity level of identified vulnerabilities. This enables a common scoring method and a common language to communicate the characteristics and impacts of vulnerabilities and allows responders to prioritize responses and resources according to the threat.
The severity rating scale is shown in the table below:
Security Impact Rating | CVSS Score |
---|---|
Critical | 9.0 – 10.0 |
High | 7.0 – 8.9 |
Medium | 4.0 – 6.9 |
Low | 1.0 – 3.9 |
When and where applicable, Honeywell will provide the CVSS v3.1 Base Score.
We recommend consulting a security or IT professional to evaluate the risk of your specific configuration and we encourage users to compute the environmental score based on their network parameters. We also recommend leveraging a security or IT professional’s assessment of the issue to prioritize responses in your own environment.
Different base scores
There may be instances where the NVD's score and Honeywell's score differ. If so, it is because, as owners of the product, we are able to account for configurations, builds, and other nuances of the product. In the event the scores differ, please use the Honeywell base score.
Disposition and Communication Phase
Remediation timelines will depend on many factors, including: the severity, the product affected, the current development cycle, QA cycles, and whether the issue can only be updated in a major release.
Remediation may take one or more of the following forms:
- A new release
- A Honeywell-provided patch
- Instructions to download and install an update or patch from a third-party
- A workaround to mitigate the vulnerability
Notwithstanding the foregoing, we do not guarantee a specific resolution for issues and not all issues identified may be fixed.
Communication and Notification
At this point a communication plan is determined. The various forms of communication are listed below.
Forms of Communication | Description |
---|---|
Security Notice | May be released to notify customers when a vulnerability is fixed. |
Product Release Note/Update | Release notes may be used to communicate the launch of a new software/hardware product or a product update and may include the latest changes, feature enhancements, or bug fixes/patches. |
CVE Records | Records are released to inform stakeholders about specifics regarding the vulnerability discovered. The records may include information such as the Common Vulnerabilities and Exposures (CVE) ID number, a description of the security vulnerability, and references associated with the vulnerability such as vulnerability reports and advisories. |
Media Statements | May be used to address any Honeywell-related news or incidents. |
End of Service Life Notice | An EOSL notice may be released to inform a Honeywell customer that the product will no longer be supported or sold. |
Disclosure Phase
Notifying Customers of Vulnerability
We take responsibility for ensuring that our customers are notified, when necessary, in an efficient manner. Most communications will be posted on our Security Notice site after patches or workarounds have been released.
We will not provide additional information about the specifics of a vulnerability or how to reproduce it. We do not distribute exploit or proof-of-concept code for identified vulnerabilities.
In accordance with industry practices, we do not share our findings from internal security testing or other types of security activities with external entities. It is important to note that any unauthorized scan of our services and production systems will be considered an attack.
Coordinated Vulnerability Disclosure
Coordinated Vulnerability Disclosure (CVD) is a crucial process for managing and mitigating vulnerabilities in hardware, software, and services. Honeywell's approach to CVD involves engaging with stakeholders such as partners, vendors, researchers, and community coordinators to ensure that newly discovered vulnerabilities are disclosed in a controlled and coordinated manner. Multi-party coordination is essential because it helps in understanding the different parties' vulnerability disclosure policies, handling policies, and contractual agreements, which in turn fosters trusted communication and collaboration.
By increasing transparency between parties, vendors can better understand and manage the risks posed by vulnerabilities. This transparency also facilitates engagements with other parties, ensuring that everyone involved is on the same page. The primary aim of CVD is to provide timely and consistent guidance to all parties and customers, helping them protect themselves effectively.
Honeywell follows this approach to CVD. We encourage independent reporters who discover vulnerabilities to contact us directly, allowing Honeywell to investigate and remediate the vulnerabilities before they are publicly disclosed. The Product Security Incident Response Team (PSIRT) coordinates with the reporter throughout the investigation and provides updates on progress. Once an update or mitigation information has been publicly released, the reporter is welcome to discuss the vulnerability publicly.
This process not only helps protect customers but also ensures that public disclosures are coordinated appropriately and that reporters are acknowledged for their findings. If a reported vulnerability involves a vendor product, the PSIRT will notify the vendor directly, coordinate with the reporter, or engage a third-party coordination center.
For more information on CVD, please review the information provided in the following links:
Report a Vulnerability Issue
We encourage coordinated disclosure of security vulnerabilities. Security researchers, industry groups, government organizations and vendors can report potential security vulnerabilities to Honeywell by choosing one of the two vulnerability types in the form below or by emailing us with the details listed below.
If the vulnerability affects a product, service or solution, email us at PSIRT@honeywell.com with the following details:
- Please encrypt your report using Honeywell’s public PGP key (see PGP Key page) and include the following:
  - Product and version
  - Description of the potential vulnerability
  - Any special configuration required to reproduce the issue
  - Step-by-step instructions to reproduce the issue
  - Proof of concept or exploit code, if available
  - Potential impact
For all other security issues, email us at Security@honeywell.com with the following details:
- Please encrypt your report using Honeywell’s public PGP key (see PGP Key page) and include the following:
  - Website URL or location
  - Type of vulnerability (XSS, Injection, etc.)
  - Instructions to reproduce the vulnerability
  - Proof of concept or exploit code, including how an attacker could exploit the vulnerability
  - Potential impact
PGP Key
Acknowledgments
We would like to acknowledge all individuals who have reported a vulnerability in our environment. We are grateful for these security researchers who help keep us secure.
Reporter's Name | Association Link |
---|---|
Abian Blome | https://www.siemens-energy.com/ |
Alexander Heck | https://www.linkedin.com/in/alexander-heck-b11b29b |
Dawid Lenart | https://pl.linkedin.com/in/dawid-lenart-a28a48143 |
Eaton Zveare/Traceable ASPEN | https://www.linkedin.com/in/eatonz |
Felipe Gabriel Renzi | linkedin.com/in/felipe-gabriel-renzi |
Lockheed Martin Red Team | |
Michael Messner | https://www.siemens-energy.com/ |
Mohammed Alotibi | https://www.linkedin.com/in/mohammed-a-73790a17a |
Nikhil Rane | https://www.linkedin.com/in/nikhil-rane-31733a217/ |
Pavel Sushko | https://www.linkedin.com/in/pavel-sushko/ |
Rahul Ramakant Singh | https://www.linkedin.com/in/rahul-singh-5604b1135 |
Qusai Alhaddad | https://www.linkedin.com/in/qusaialhaddad |
Sagar Yadav | https://twitter.com/sagaryadav8742 |
Shivani Gundluru | https://www.linkedin.com/in/shivani-gundluru-a45b43212 |
Tushar Jaiswal | https://linkedin.com/in/the-tushar-jaiswal |
Reporter's Name | Association Link |
---|---|
Digant Prajapati | https://www.linkedin.com/in/digant-prajapati/ |
Foysal Ahmed Fahim | https://www.linkedin.com/in/foysal1197, https://twitter.com/foysal1197 |
George Gkanidis | https://twitter.com/Jocker_RL |
Girish B O | https://www.linkedin.com/in/girish-b-o-a410bb1bb, https://twitter.com/Girishbo05 |
Mahmoued Elhussiny | https://www.linkedin.com/in/mahmoued-elhussiny-aa9b5881/ |
Nikhil Rane | https://www.linkedin.com/in/nikhil-rane-31733a217 |
Pavel Marko | |
Rakan Abdulrahman Al-Khaled * | https://www.linkedin.com/in/rakan-al-khaled |
Roshan Zameer | https://www.linkedin.com/mwlite/in/roshan-zameer-97a8531b9 |
Suprit S Pandurangi | https://www.linkedin.com/in/suprit-pandurangi-a90526106 |
Reporter's Name | Association Link |
---|---|
Aniket Anil Deshmane* | https://twitter.com/AniketDeshmane9?s=08 |
Armanul Miraz | @mirazdevox |
Ben Leonard-Lagarde | |
Carl Dworzack | |
Danish Tariq | https://www.linkedin.com/in/danishtariqq/ |
Harinder Singh | https://www.linkedin.com/in/lambardar |
Husain Murabbi (cyber_humans) | https://www.linkedin.com/in/husain-murabbi-cyberhumans/ |
Joel Sanchez | https://www.linkedin.com/in/joel-sanchez-199b79123/ |
Joost Bakker | BovenIJ ziekenhuis |
Martino Tommasini | |
Mansoor Rangwala (cyber_humans) | https://www.linkedin.com/in/mansoor-rangwala-cyberhumans/ |
Netan Mangal* | https://www.linkedin.com/in/netanmangal |
Pratik Sunil Tryambake | |
Rajnish Kumar Gupta | https://www.linkedin.com/in/geekyrajnish |
Rick de Jager | https://github.com/RickdeJager |
Swapnil Maurya | @swapmaurya20 |
Thilo Mohri | https://www.linkedin.com/in/tmohri/ |
Todd Heflin | www.linkedin.com/in/taterbrown |
Tracy Williams | https://www.linkedin.com/in/battletroll/ |
Vinayak Chaturvedi | https://www.linkedin.com/in/vinayak-chaturvedi-348b071a1 |
Reporter's Name | Association Link |
---|---|
Alberto Perez Agudo | |
Athul Jayaram | https://www.linkedin.com/in/athuljayaram |
Dominique van Dorsselaer | |
GwanYeong Kim | @sec_karas |
Jan Kopriva | https://www.linkedin.com/in/jan-kopriva/ |
Mohammed Adam | https://www.linkedin.com/in/mohammedadam24/ |
Rahul Gamit | https://www.linkedin.com/in/rahul-gamit-54a93a188/ |
Ramkumar Ganesan | https://www.linkedin.com/in/ram-kumar94 |
Ronak Nahar | https://www.linkedin.com/in/naharronak/ |
Sreekanth Reddy | https://twitter.com/sree_appsec |
Sumit Grover | @sumgr0 |
Reporter's Name | Association Link |
---|---|
Abhishek Misal | http://www.linkedin.com/in/abhishek-misal |
B. Dhiyaneshwaran | |
Bill Ben Haim | https://www.linkedin.com/in/bill-ben-haim-b6775a48/ |
Kapil Kulkarni* | https://www.linkedin.com/in/kapil-kulkarni-oscp-ceh-chfi-5a333763/ |
Mohamed Hamed | https://www.linkedin.com/in/mohamed-hamed-239378163/ |
Nitish Shah | https://twitter.com/iamNitishShah |
Pethuraj M | https://www.pethuraj.in/ |
Udhaya Prakash C* | @Udhaya_ISRO |
Utkarsh Agrawal | https://twitter.com/agrawalsmart7 |
Vijiln | @vijiln |
* Indicates multiple submissions
Below is a list of published Honeywell Security Notices. Honeywell recommends following the guidance provided in these Notices regarding mitigations to described security issues.
If you are a customer looking for Security Notifications regarding Honeywell Process Solutions (HPS) products, please click here.
Title/ SN ID # | Affected Product/Product Family | CVE/ICSA | Severity | Published | Last Updated |
---|---|---|---|---|---|
Asure ID Software Removal 2024-07-01 01 | Niagara EntSec from 4.10u8 and 4.13u3 | NA | NA | 2024-07-01 | 2024-07-01 |
Niagara libwebp Vulnerability 2024-01-09 01 | Multiple Niagara Framework, Niagara EntSec versions | CVE-2023-4863 | Medium | 2024-01-09 | 2024-07-01 |
Spring4Shell NO IMPACT 2022-04-09 01 | Niagara Framework and Niagara EntSec | CVE-2022-22963 | NA | 2022-04-09 | 2023-05-31 |
Niagara MQTT Driver Vulnerability 2022-03-14 01 | Multiple Niagara Framework, Niagara EntSec versions | NA | Medium | 2022-03-14 | 2023-05-31 |
Niagara Hx Profile Vulnerability 2022-02-11 01 | Multiple Niagara Framework, Niagara EntSec versions | NA | Medium | 2022-02-11 | 2023-05-31 |
Niagara log4j NO IMPACT 2021-12-13 01 | Niagara Framework and Niagara EntSec | CVE-2021-44228 | NA | 2021-12-13 | 2021-12-13 |
Niagara QNX BadAlloc, Privilege Escalation, and JxBrowser Vulnerabilities 2021-09-09 01 | Multiple Niagara Framework, Niagara EntSec versions, and QNX based products | CVE-2021-22156 | Medium | 2021-09-09 | 2021-12-13 |
Niagara JNLP/Web Start Vulnerability 2021-03-31 01 | Multiple Niagara Framework, Niagara EntSec versions | NA | Medium | 2021-03-31 | 2021-12-13 |
Niagara TLS Timeout Vulnerability 2020-07-28 01 | Niagara 4.6, 4.7, 4.8; Niagara EntSec 2.4, 4.8 | CVE-2020-14483 | Medium | 2020-07-28 | 2020-12-21 |
Niagara Ripple20 NO IMPACT 2020-06-30 01 | Niagara JACE-8000, Edge10 | ICSA-20-168-01 | NA | 2020-06-30 | 2020-12-21 |
Niagara JRE and Bouncycastle fixes 2020-02-26 01 | Niagara AX 3.8, Niagara EntSec 2.3 | NA | NA | 2020-02-26 | 2020-12-21 |
Niagara QNX Vulnerabilities (Niagara Software) 2019-08-27 01 | Niagara AX 3.8u4, Niagara 4.4u3, Niagara 4.7u1 | NA | High | 2019-08-27 | 2020-07-06 |
Niagara QNX Vulnerabilities (Niagara EntSec Software) 2019-08-23 01 | Niagara EntSec Products | NA | NA | 2019-08-23 | 2020-07-06 |
Niagara Chromium Vulnerability 2019-05-09 01 | Niagara 4.4u2, 4.6, 4.7 | CVE-2019-5786 | High | 2019-05-09 | 2020-07-06 |
Niagara Framework Guidelines | Niagara Framework Products | NA | NA | 2019-05-10 | 2020-07-06 |
Niagara Cross-Site Scripting Vulnerability 2018-11-12 01 | Niagara AX 3.8u4, Niagara 4.4u2, Niagara 4.6, Niagara EntSec 2.3u1 | NA | Medium | 2018-11-12 | 2019-02-05 |
Update Release for Niagara AX and Niagara 4 2018-06-01 01 | Niagara AX 3.8, Niagara 4.4 | NA | NA | 2018-06-01 | 2019-02-05 |
Tridium Wi-Fi WPA/2 Protocol Vulnerabilities 2017-10-16 01 | JACE 8000, Jace 700 | 10 CVEs | High | 2017-10-16 | 2018-08-06 |
Goldeneye/Petya, WannaCrypt/WannaCry Resource | All Niagara Products | Multiple | High | 2017-05-01 | 2018-08-06 |
Niagara Hardening Guide Against WannaCry Vulnerabilities | Niagara Framework and Niagara EntSec | Multiple | High | 2017-05-01 | 2018-08-06 |
Niagara POODLE SSLv3 Vulnerability 2014-10-21 01 | All Niagara Products | CVE-2014-3566 | Critical | 2014-10-21 | 2018-08-06 |
Tridium Shellshock Vulnerability NO IMPACT 2014-09-30 01 | All Tridium Products | NA | NA | 2014-09-30 | 2018-08-06 |
Tridium Heartbleed Vulnerability NO IMPACT 2014-04-10 01 | All Tridium Products | NA | NA | 2014-04-10 | 2018-08-06 |
MPA2 Web Application XSS 2024-03-08 01 | MPA2 vR1.00.08.05 | CVE-2023-1841 | High | 2024-03-08 | 2024-03-08 |
HW OmniClass/iClass Encoder Secure Channel Downgrade 2024-01-31 01 | HW OmniClass 2.0 Contactless Smart, Multi-Technology, and BLE Readers, HID iCLASS® SE™ CP1000 Encoder, HID® iCLASS® SE™ and OMNIKEY® Secure Elements, Third-party products that use HID’s OEM module for reading HID cards | CVE-2024-23806 CVE-2024-22338 | High | 2024-01-31 | 2024-01-31 |
Voice Console XSS 2023-12-20 02 | Voice Console v5.6.2, v5.6.3 | CVE-2023-6590 | Medium | 2023-12-20 | 2023-12-20 |
HVoice Console Blind SQL Injection 2023-12-20 01 | Voice Console v5.6.2, v5.6.3 | NA | High | 2023-12-20 | 2023-12-20 |
PM23/43 Command Injection 2023-08-01 01 | PM23/43 Printers | CVE-2023-3710 | Critical | 2023-09-12 | 2023-09-12 |
PM23/43 Session ID Vulnerability 2023-08-02 01 | PM23/43 Printers | CVE-2023-3711 | High | 2023-09-12 | 2023-09-12 |
PM23/43 Privilege Escalation Vulnerability 2023-08-03 01 | PM23/43 Printers | CVE-2023-3712 | High | 2023-09-12 | 2023-09-12 |
Command Injection HDZP252DI 2022-01-26 01 | Camera Model HDZP252DI | CVE-2021-39363 | Medium | 2022-01-26 | 2022-01-26 |
Video Replay Vulnerability HBW2PER1 2022-01-26 02 | Camera Model HBW2PER1 | CVE-2021-39364 | Medium | 2022-01-26 | 2022-01-26 |
HBT Apache Log4j Vulnerability 2021-HBT-12-14 01 V2 | Apache Log4j Libraries | CVE-2021-44228 CVE-2021-45046 | Critical | 2021-12-16 | 2021-12-16 |
SPS Apache Log4j Vulnerability 2021-SPS-12-14 01 V2 | Apache Log4j Libraries | CVE-2021-44228 CVE-2021-45046 CVE-2021-45105 | Critical | 2021-12-16 | 2021-12-22 |
Honeywell Security UK LTD Battery Compliance 2021-09-20 01 | Honeywell Security UK Ltd Battery Products | NA | NA | 2021-09-20 | 2021-09-20 |
Wi-Fi Vulnerabilities (Frag Attacks) | Wi-Fi Devices | NA | Varies | 2020-08-15 | 2020-08-15 |
Mobility Products RCE and DOS Vulnerabilities 2020-08-14 01 | Thor VM1A, Thor VM3A, CK65, CN80, CN80G, CN85, CT40, CT60, EDA60K, EDA51, EDA71, EDA61K | CVE-2020-11201 CVE-2020-11202 CVE-2020-11206 CVE-2020-11207 CVE-2020-11208 CVE-2020-11209 | High | 2020-08-14 | 2020-08-14 |
Ripple20 Vulnerability 2020-07-17 01 | RL 3/4, RL 3e/4e, RP 2/4, E-Class, I-Class, MP Compact MkIII, A-Class, H-Class, M-Class, PB 21/22/31/32, PB 50/51, PR2/3, PD42, PM4i, PX4i, PX6i | ICSA-20-168-01 | High | 2020-07-17 | 2020-07-17 |
Ripple20 NO IMPACT Notification 2020-07-02 01 | Honeywell Commercial Security Video Products | NA | NA | 2020-07-02 | 2020-07-02 |
Kr00k NO IMPACT Notification 2020-03-03 01 | Honeywell Productivity Products | CVE-2019-15126 | NA | 2020-03-03 | 2020-03-03 |
Unauthenticated RCE via unsafe binary deserialization and Unauthenticated Remote arbitrary SQL command injection 2019-10-25 01 | MAXPRO VMS HNMSWVMS, MAXPRO VMS HNMSWVMSLT, MAXPRO NVR XE, MAXPRO NVR SE, MAXPRO NVR PE, MAXPRO NVR MPNVRSWXX | CVE-2020-6959 CVE-2020-6960 ICSA-20-021-01 | High | 2019-10-25 | 2019-10-25 |
IP Camera DoS Vulnerability 2019-09-13 01 | equIP® Series Cameras: H4L2GR1, HBL2GR1, HCL2G, H4W2GR1, H4W2GR2, H4W4GR1, H3W2GR1, H3W2GR2, H3W4GR1, HBW2GR1, HBW4GR1, HBW2GR3, HCW2G, HCW4G | CVE-2019-18228 ICSA-19-304-02 | High | 2019-09-13 | 2019-09-13 |
IP Camera and Recorder Replay Attack Vulnerability 2019-09-13 02 | equIP® Series Cameras, Performance Series Cameras, Recorders | CVE-2019-18226 ICSA-19-304-04 | High | 2019-09-13 | 2019-09-13 |
IP Camera Unauthenticated Access to Audio Vulnerability 2019-09-04 01 | equIP® Series Cameras, Performance Series Cameras | CVE-2019-18230 ICSA-19-304-03 | High | 2019-09-04 | 2019-09-04 |
IP Camera/NVR Configuration Data Information Disclosure Potential Vulnerability 2019-04-30 01 | Performance IP Series Cameras, Performance Series NVRs | CVE-2019-13523 ICSA-19-260-03 | Medium | 2019-04-30 | 2019-04-30 |
Android OS Privilege Elevation Vulnerability 2018-09-18 01 | CT60, CN80, CT40, CK75, CN75, CN75e, CT50, D75e, CN51, EDA50k, EDA50, EDA70, EDA60k, EDA51 | CVE-2018-14825 ICSA-18-256-01 | High | 2018-09-13 | 2018-09-13 |
Processor Vulnerabilities (Spectre and Meltdown) 2018-04-19 01 | CN75, CN75e, CK75, CV41, CV31, CV61, D99 SERIES, CK3R, CK3X, CN70, CN70e, CK70, CK71, Tecton, AND Various Dolphin, Thor, and Talkman Products | CVE-2017-5754 CVE-2017-5753 CVE-2017-5715 | Critical | 2018-04-19 | 2018-04-19 |
Wi-Fi Vulnerability KRACK 2017-12-04 01 | 70+ Honeywell Productivity Products (WPA2 vulnerability) | 10 CVEs | High | 2017-12-04 | 2017-12-04 |
BlueBorne Vulnerability 2017-11-13 01 | Honeywell Productivity Products with Bluetooth Capability | 8 CVEs | High | 2017-11-13 | 2017-11-13 |
Experion Controller and SMSC S300 Modification Vulnerabilities ICSA-24-116-04 | Honeywell Experion PKS, Experion LX, PlantCruise by Experion, Safety Manager, Safety Manager SC | 16 CVEs | Critical | 2024-04-05 | 2024-04-05 |
Honeywell Softmaster Uncontrolled Search Path Vulnerability ICSA-22-256-02 | Softmaster Products | CVE-2022-2333 CVE-2022-2332 | High | 2022-09-13 | 2022-09-13 |
ControlEdge Hard-coded Credentials ICSA-22-242-06 | ControlEdge Products | CVE-2022-30318 | Critical | 2022-08-30 | 2022-08-30 |
Experion LX Missing Auth for Critical Function ICSA-22-242-07 | Experion LX Products | CVE-2022-30317 | Critical | 2022-08-30 | 2022-08-30 |
IQ Series Cleartext Transmission Vulnerability ICSA-22-242-08 | IQ Series Controllers | CVE-2022-30312 | High | 2022-08-30 | 2022-08-30 |
Saia Burgess PG5 Auth Bypass and Use of Broken Cryptographic Algorithm ICSA-22-207-03 | Saia Burgess PG5 PCD Products | CVE-2022-30319 CVE-2022-30320 | High | 2022-07-28 | 2022-07-28 |
Safety Manager Missing Auth, Use of Hard-coded credentials, and Insufficient Verification of Data Authenticity ICSA-22-207-02 | Honeywell Safety Manager Products | CVE-2022-30315 CVE-2022-30313 CVE-2022-30316 CVE-2022-30314 | High | 2022-07-26 | 2022-07-26 |
Experion PKS Path Traversal, Unrestricted Upload, and Improper Neutralization of Special Elements in Output Vulnerabilities ICSA-21-278-04 | Experion PKS C200, C200E, C300, ACE Controllers | CVE-2021-38397 CVE-2021-38395 CVE-2021-38399 | Critical | 2021-10-05 | 2021-10-05 |
OPC UA Heap-Based Buffer Overflow, Out-of-Bounds Read, Improper check, and Uncontrolled Resource Consumption Vulnerabilities ICSA-21-021-03 | OPC UA Tunneller versions prior to 6.3.0.8233 | CVE-2020-27297 CVE-2020-27299 CVE-2020-27274 CVE-2020-27295 | Critical | 2021-01-21 | 2021-01-21 |
ControlEdge Cleartext Transmission Vulnerabilities ICSA-20-175-02 | ControlEdge PLC R130.2, R140, R150, R151. ControlEdge RTU R101, R110, R140, R150, R151 | CVE-2020-10628 CVE-2020-10624 | Medium | 2020-06-23 | 2020-06-23 |
WIN-PAK CSRF, Improper Neutralization of HTTP Headers, and Use of Obsolete Function Vulnerabilities ICSA-20-056-05 | WIN-PAK 4.7.2 Web and Prior Versions | CVE-2020-7005 CVE-2020-6982 CVE-2020-6978 | High | 2020-02-25 | 2020-02-25 |
NWS Authentication Bypass and Path Traversal Vulnerabilities ICSA-20-051-03 | Notifier Web Server (NWS) Version 5.50 and prior | CVE-2020-6972 CVE-2020-6974 | Critical | 2020-02-20 | 2020-02-20 |
INNControl 3 Improper Privilege Management Vulnerability ICSA-20-049-01 | INNCOM INNControl 3 Version 3.21 and prior | CVE-2020-6968 | Medium | 2020-02-19 | 2020-02-19 |
Experion PKS Heap-Based Buffer Overflow, Stack-Based Buffer Overflow, Arbitrary Memory Write, Directory Traversal, and File Inclusion Vulnerabilities ICSA-14-352-01 | Experion PKS R40x prior to R400.6, Experion PKS R41x prior to R410.6, Experion PKS R43x prior to R430.2 | CVE-2014-9187 CVE-2014-9189 CVE-2014-5435 CVE-2014-5436 CVE-2014-9186 | Critical | 2019-04-10 | 2019-04-10 |
FALCON XSS and File Access to External Parties Vulnerabilities ICSA-14-175-01 | FALCON Linux 2.04.01 and prior, FALCON XLWebExe 2.02.11 and prior | CVE-2014-2717 CVE-2014-3110 | Medium | 2014-06-24 | 2018-09-06 |
EBI, SymmetrE, and ComfortPoint Improper Input Validation Vulnerability ICSA-13-053-02A | EBI R310, R400.2, R410.1, R410.2. SymmetrE R310, R410.1, R410.2, CPO-M R100 | CVE-2013-0108 | Medium | 2013-02-22 | 2018-09-06 |
HMIWeb Browser Buffer Overflow Vulnerability ICSA-12-150-01 | Multiple Experion, Enterprise Building Manager, Honeywell Environmental Combustion and Controls Products, and Symmetre R400, R410.1 | CVE-2012-0254 | Medium | 2012-03-09 | 2018-09-06 |
HART DMT Improper Input Validation Vulnerability ICSA-15-029-01 | Multiple HART DMT Libraries | CVE-2014-9191 | Low | 2018-08-29 | 2018-08-29 |
Midas Path Traversal and Cleartext Transmission Vulnerabilities ICSA-15-309-02 | Midas Version 1.13b1 and prior, Midas Black 2.13ba and prior | CVE-2015-7907 CVE-2015-7908 | Critical | 2018-08-27 | 2018-08-27 |
Experion PKS Directory Traversal Vulnerability ICSA-15-272-01 | Experion PKS 310.x and prior | CVE-2007-6483 | Critical | 2018-08-27 | 2018-08-27 |
XL Web Controller Path Traversal Vulnerability ICSA-15-076-02 | Multiple XLWeb Controller Versions | CVE-2015-0984 | Critical | 2018-08-27 | 2018-08-27 |
Uniformance Stack-based Buffer Overflow Vulnerability ICSA-16-070-02A | Uniformance PHD versions prior to R310.1.1.2, R320.1.0.2, and R321.1.1 | CVE-2016-2280 | High | 2016-04-12 | 2018-08-23 |
XL Web II Controller Password Exposure Vulnerabilities ICSA-17-033-01 | XL1000C500 XLWebExe-2-01-00 and prior, XLWeb 500 XLWebExe-1-02-08 and prior | CVE-2017-5139 CVE-2017-5140 CVE-2017-5141 CVE-2017-5142 CVE-2017-5143 | Critical | 2017-02-02 | 2017-02-02 |
Experion PKS Improper Input Validation Vulnerability ICSA-16-301-01 | Multiple Experion PKS Products | CVE-2016-8344 | Low | 2016-10-27 | 2016-10-27 |
ScanServer ActiveX Control Vulnerability ICSA-11-103-01A | ScanServer ActiveX Control Version 780.0.20.5 that is packaged with all SymmetrE Versions | NA | NA | 2011-04-13 | 2014-03-13 |
TEMA Remote Installer ActiveX Vulnerability ICSA-11-285-01 | EBI R310.1 - TEMA 4.8, 4.9, 4.10. EBI R400.2 SP1 - TEMA 5.2. EBI R410.1 - TEMA 5.3.0. EBI R410.2 - TEMA 5.3.1 | NA | NA | 2013-04-30 | 2013-04-30 |
MAXPRO NVR Computer: Intel® Chipset Uncontrolled Search Path Element Vulnerability 2024-06-25 01 | MAXPRO SE NVR Rev D, XE NVR Rev D with Intel® Chipset Device Software before version 10.1.19444.8378 | CVE-2023-28388 | Medium | 2024-06-25 | 2024-06-25 |
HID Mercury Intelligent Controller Command Injection, Unauthenticated Firmware, Buffer Overflow, Path Traversal Vulnerabilities 2022-06-02 01 | LenelS2 Products integrated with HID Mercury Intelligent Controllers: LNL-X2210, LNL-2220, LNL-X3300, LNL-X4420, LNL-4420, S2-LP-1501, S2-LP-1502, S2-LP-2500, S2-LP-4502 | CVE-2022-31479 CVE-2022-31480 CVE-2022-31481 CVE-2022-31482 CVE-2022-31483 CVE-2022-31484 CVE-2022-31485 CVE-2022-31486 | Critical | 2022-06-02 | 2022-06-02 |
LenelS2 OnGuard Client Authentication Bypass Vulnerability 2022-11-30 01 | OnGuard Versions 7.5, 7.6, 8.0, 8.1 | CVE-2022-37026 | Critical | 2022-11-30 | 2022-11-30 |
LenelS2 NetBox MOD_PROXY SSRF Vulnerability 2023-03-16 01 | NetBox, NetBox Global, VRx, NetVR, Converged NetBox/VR, NetBox VRx, Quatro Products | CVE-2021-40438 | Critical | 2023-03-16 | 2023-03-16 |
MASmobile Classic Authorization Bypass Vulnerability 2023-06-15 01 | MASmobile Classic | CVE-2023-36483 | Medium | 2023-06-15 | 2023-06-15 |
LenelS2 NetBox Hardcoded Credentials and Unauthenticated/authenticated RCE Vulnerabilities 2024-05-24 01 | NetBox Products | CVE-2024-2420 CVE-2024-2421 CVE-2024-2422 | Critical | 2024-05-24 | 2024-05-24 |
LenelS2 NetBox Supply Chain Attack 2024-08-05 01 | NetBox, VRx, NetVR Products | NA | NA | 2024-08-05 | 2024-08-05 |
Honeywell Experion PKS, LX, and PlantCruise Heap and Stack-based Overflow, Unexpected Code Status, Uncontrolled Resource, Improper Encoding, Incorrect Comparison, and other data vulnerabilities ICSA-23-194-06 | Experion PKS, LX, and PlantCruise versions prior to R520.2 | 9 CVEs | Critical | 2023-07-13 | 2023-07-13 |
Honeywell OneWireless Command Injection, Insufficient Random Values, and Missing Auth Vulnerabilities ICSA-23-075-06 | OneWireless Versions up to R322.1 | CVE-2022-43485 CVE-2022-46361 CVE-2022-4240 | Critical | 2023-03-16 | 2023-03-16 |
Honeywell IP-AK2 Missing Auth. Vulnerability ICSA-19-297-02 | IP-AK2 Access Control Panel Version 1.04.07 and prior | CVE-2019-13525 | Medium | 2019-10-24 | 2019-10-24 |