Description
Honeywell Alerton Visual Logic through 2022-05-04 allows unauthenticated programming writes from remote users. This enables code to be stored on the controller and then run without verification. A user with malicious intent can send a crafted packet to change and/or stop the program without the knowledge of other users, altering the controller's function. After the programming change, the program needs to be overwritten in order for the controller to restore its original operational function.
References (3)
Core 3
Core References
Not Applicable x_refsource_misc
https://blog.scadafence.com
Vendor Advisory x_refsource_misc
https://www.honeywell.com/us/en/product-security
Third Party Advisory x_refsource_misc
https://github.com/scadafence/Honeywell-Alerton-Vulnerabilities
Scores
CVSS v3
8.8
EPSS
0.0143
EPSS Percentile
69.4%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-829
Status
published
Products (1)
honeywell/alterton_visual_logic_firmware
< 2022-05-04
Published
Jul 15, 2022
Tracked Since
Feb 18, 2026