Home / Threat Intelligence bulletins / Remote Code Execution Vulnerability in Honeywell ICS systems


Researchers have reported a series of vulnerabilities in Honeywell Experion Process Knowledge System (PKS).

The vulnerabilities could allow an attacker to modify a Control Component Library (CCL) and load it to a controller, which would then execute malicious code.

The most serious of these vulnerabilities (CVE-2021-38397) has been assigned a CVSS score of 10/10.


An unauthenticated remote attacker could take control of the ICS system, modifying process values or disrupting critical processes.

Vulnerability Detection

This affects all versions of Experion PKS.

Affected Products

Experion Process Knowledge System (PKS) C200, C200E, C300 and ACE Controllers.

Containment, Mitigations & Remediations

A patch for both server software and controller firmware has been released. Both are needed to mitigate the issue.

CISA advise that companies should minimise network exposure for these systems, using a VPN where remote access is required and restricting access from the business network.

Further advice for securing industrial control systems is available on their website.

Indicators of Compromise

No active exploitation at this time.

Threat Landscape

While there are currently no known instances of these vulnerabilities being actively exploited, devices using these types of controller are often associated with critical national infrastructure and heavy industry and petrochemical processing making them high value and targets for nation-state threat actors. However, the ease by which these devices can be detected on the internet, coupled with the triviality involved in exploiting the vulnerability puts this within the capabilities of low-level threat actors such as “script kiddies”.

Increases in the targeting of OT/IoT devices have been recorded globally, mainly as a result of their increasing prevalence, lack of security, and commonality of components. Industrial operational controllers, such as those detailed within this bulletin have been targeted before and the resulting impacts documented.

The most notable of these are:

  • Stuxnet malware resulted in the destruction of Iranian Nuclear Enrichment Centrifuges (2010)
  • A blast furnace in a German Steel mill suffering massive damage (2014)
  • A petrochemical plant in the Kingdom of Saudi Arabia had its safety systems interfered with (2017).

Mitre Methodologies

T1190 – Exploit Public-Facing Application

Further Information

Target Dcs: Finding, Fixing Critical Bugs In Honeywell Experion Pks

Security Notification SN 2021-02-22 01

CISA ICS Advisory (ICSA-21-278-04)