CVE-2021-38395

CRITICAL

Honeywell Experion PKS C200, C200E, C300, and ACE - Remote Code Execution and Denial of Service

Title source: llm

Description

Honeywell Experion PKS C200, C200E, C300, and ACE controllers are vulnerable to improper neutralization of special elements in output, which may allow an attacker to remotely execute arbitrary code and cause a denial-of-service condition.

References (2)

Core 2

Core References

Mitigation, Third Party Advisory, US Government Resource

https://www.cisa.gov/uscert/ics/advisories/icsa-21-278-04

Product

https://www.honeywellprocess.com/library/support/notifications/Customer/SN2021-02-22-01-Experion-C300-CCL.pdf

Scores

CVSS v3 9.1

EPSS 0.0087

EPSS Percentile 54.3%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact partial

Details

CWE

CWE-74

Status published

Products (4)

honeywell/application_control_environment_firmware

honeywell/c200_firmware

honeywell/c200e_firmware

honeywell/c300_firmware

Published Oct 28, 2022

Tracked Since Feb 18, 2026