CVE-2013-0108

Honeywell EBI R310/R400.2/R410.1/R410.2 & SymmetrE R310/R410.1/R410.2 RCE via HscRemoteDeploy.dll


Exploitation Summary

EIP tracks 2 public exploits for CVE-2013-0108. PoCs were published by Metasploit and juan vazquez, including the Metasploit module exploits/windows/browser/honeywell_hscremotedeploy_exec.

AI-analyzed exploit summary: This Metasploit module exploits a vulnerability in Honeywell HSC Remote Deployer ActiveX by abusing the LaunchInstaller() function to execute an arbitrary HTA from a remote location, leading to remote code execution.

Description

An ActiveX control in HscRemoteDeploy.dll in Honeywell Enterprise Buildings Integrator (EBI) R310, R400.2, R410.1, and R410.2; SymmetrE R310, R410.1, and R410.2; ComfortPoint Open Manager (aka CPO-M) Station R100; and HMIWeb Browser client packages allows remote attackers to execute arbitrary code via a crafted HTML document.

Exploits (2)

exploitdb WORKING POC VERIFIED
by Metasploit · ruby · remote · windows
https://www.exploit-db.com/exploits/24745

This Metasploit module exploits a vulnerability in Honeywell HSC Remote Deployer ActiveX by abusing the LaunchInstaller() function to execute an arbitrary HTA from a remote location, leading to remote code execution.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Honeywell HSC Remote Deployer ActiveX (tested with Honeywell EBI R410.1)
No auth needed
Prerequisites: Target must have the vulnerable ActiveX control installed · Target must visit a malicious webpage hosting the exploit
devstral-2 · analyzed Feb 16, 2026

metasploit WORKING POC EXCELLENT
by juan vazquez · ruby · poc · win
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/browser/honeywell_hscremotedeploy_exec.rb

This Metasploit module exploits a vulnerability in the Honeywell HSC Remote Deployer ActiveX control by abusing the LaunchInstaller() function to execute an arbitrary HTA from a remote location, leading to remote code execution. The exploit generates an HTA file that drops and executes a payload via VBScript and ADODB.Stream.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Honeywell HSC Remote Deployer ActiveX (tested with Honeywell EBI R410.1)
No auth needed
Prerequisites: Victim must visit a malicious webpage using Internet Explorer with the vulnerable ActiveX control installed
devstral-2 · analyzed Feb 19, 2026

References (1)

Core References
US Government Resource x_refsource_misc
http://ics-cert.us-cert.gov/pdf/ICSA-13-053-02.pdf

Scores

EPSS 0.2664
EPSS Percentile 97.8%

Details

CWE: CWE-94
Status: published
Products (8)
honeywell/comfortpoint_open_manager_station r100
honeywell/enterprise_buildings_integrator r310
honeywell/enterprise_buildings_integrator r400.2
honeywell/enterprise_buildings_integrator r410.1
honeywell/enterprise_buildings_integrator r410.2
honeywell/symmetre r310
honeywell/symmetre r400.2
honeywell/symmetre r410.1
Published Feb 24, 2013
Tracked Since Feb 18, 2026