Tech News

Tech Business News

  • Home
  • Technology
  • Business
  • News
    • Technology News
    • Local Tech News
    • World Tech News
    • General News
    • News Stories
  • Media Releases
    • Tech Media Releases
    • General Media Releases
  • Advertisers
    • Advertiser Content
    • Promoted Content
    • Sponsored Whitepapers
    • Advertising Options
  • Cyber
  • Reports
  • People
  • Science
  • Articles
    • Opinion
    • Digital Marketing
    • Gaming
    • Guest Publishers
  • About
    • Tech Business News
    • News Contributions -Submit
    • Contact Us
Reading: Claroty Discloses Three Severe Vulnerabilities In Honeywell’s Experion PKS
Share
Font ResizerAa
Tech Business NewsTech Business News
  • Home
  • Technology News
  • Business News
  • News Stories
  • General News
  • World News
  • Media Releases
Search
  • News
    • Technology News
    • Business News
    • Local News
    • News Stories
    • General News
    • World News
    • Global News
  • Media Releases
    • Tech Media Releases
    • General Press
  • Categories
    • Crypto News
    • Cyber
    • Digital Marketing
    • Education
    • Gadgets
    • Technology
    • Guest Publishers
    • IT Security
    • People In Technology
    • Reports
    • Science
    • Software
    • Stock Market
  • Promoted Content
    • Advertisers
    • Promoted
    • Sponsored Whitepapers
  • Contact & About
    • Contact Information
    • About Tech Business News
    • News Contributions & Submissions
Follow US
© 2022 Tech Business News- Australian Technology News. All Rights Reserved.
Tech Business News > General Tech > Claroty Discloses Three Severe Vulnerabilities In Honeywell’s Experion PKS
General Tech

Claroty Discloses Three Severe Vulnerabilities In Honeywell’s Experion PKS

Claroty’s Team82 researchers have disclosed three vulnerabilities in Honeywell's Experion PKS that could allow attackers to execute malicious code or launch denial-of-service attacks. The flaws affect C200, C200E, C300 and ACE controllers and could disrupt critical operations.

Matthew Giannelis
Last updated: October 6, 2021 9:50 am
Matthew Giannelis
Share
SHARE

Claroty’s Team82 researchers have disclosed three vulnerabilities in Honeywell’s Experion Process Knowledge System (PKS) distributed control system (DCS).

Contents
BackgroundTechnical DetailsSummaryCVE Information

The vulnerabilities could allow an attacker to modify a Control Component Library (CCL) and load it to a controller, which would then execute malicious code. Denial-of-service attacks are also possible.

The vulnerabilities affect all versions of the C200, C200E, C300, and ACE controllers and simulators. An attacker could use the vulnerabilities to execute native code on the system, modify process values, or disrupt critical processes.

Honeywell has addressed these vulnerabilities and issued an advisory. Users are urged to update or patch affected systems as soon as possible.

ICS-CERT published an advisory today, and rated the vulnerabilities collectively, a 10.0, the highest criticality CVSS score.

Background

Distributed control systems (DCS) are complex systems designed to control large industrial processes, comprising multiple controllers, I/O devices, and human-machine interfaces (HMIs). These systems are usually used in large plants, where high availability and continuous operations are required.

Honeywell Experion Process Knowledge System (PKS) is a DCS that is widely adopted globally and across different industries. This vast automation platform integrates data from controllers across an environment, providing a centralised view of processes plant-wide.

The system primarily uses C200, C300 and ACE controllers, which may be programmed through Experion PKS Configuration Studio, Honeywell’s engineering workstation software.

The logic—developed as block diagrams—can then be downloaded from the engineering workstation to the different components in the DCS.

Distributed control systems are often regarded as a black box by cybersecurity researchers. Relatively few DCS vulnerabilities are disclosed because the equipment is difficult to obtain.

Like many other types of industrial equipment, it’s not readily available for purchase online, and it may be extremely expensive to purchase and configure.

This is frequently the case with industrial control systems and SCADA equipment, and it presents a significant barrier to entry for newly active ICS security researchers, who are much more likely to examine commodity gear from market-leading vendors.

Technical Details

Honeywell Experion PKS controllers and simulators communicate with the Experion PKS Configuration Studio engineering software for programming purposes over TCP ports 55553 and 55555.

These ports are used to communicate with the Experion PKS Configuration Studio software suite using a proprietary Honeywell engineering protocol.

One of the applications within this suite is the Honeywell Experion Control Builder (contbldr.exe), which is responsible for programming the logic running in the controller.

As with every SCADA/DCS controller, it is possible to change the current logic by performing a download code procedure. As part of this mechanism, the Honeywell Experion Control Builder software transfers compiled logic to the device and then executes it.

It is worth noting that the logic is compiled to the controller’s CPU machine code (e.g. x86 bytecode), which may present a security risk.

Usually, a sandbox or some other type of security control is in place that prevents native code execution. In this case, the Experion PKS lacks a sandbox, memory protection, or other restrictions on malicious code before it is executed.

Sandboxes, for example, are crucial cybersecurity controls, especially in the ICS domain; executables are executed in an isolated area, which restricts their capabilities, such as accessing system resources, to a bare minimum.

They are a critical tool to keep untested or untrusted code from affecting processes, and in limiting the spread of malware and exploits targeting known and unknown vulnerabilities.

However, even sandboxes aren’t always foolproof. Earlier this year, Team82 published research into Siemens SIMATIC PLCs that demonstrated vulnerabilities that made it possible to bypass memory protections in the sandbox, and run native code in protected areas of memory.

In the case of the Experion PKS, Team82 found that it is possible to mimic the download code procedure and use these requests to upload arbitrary DLL/ELF files (for simulators and controllers, respectively).

The device then loads the executables without performing checks or sanitisation, giving an attacker the ability to upload executables and run unauthorised native code remotely without authentication.

Generally, ports 55553 and 55555 are not exposed to the internet. An attacker would have to find another way to gain a foothold on the OT network in order to attack these vulnerabilities.

In such a scenario, the two vulnerabilities discovered by Team82 could be leveraged to execute native code without restrictions.

With such access to a DCS, an attacker could seriously disrupt operations by modifying process values or use the DCS as a base for launching further attacks on the network using malware or exploits.

Summary

All Experion PKS customers using the affected controllers in their environments, regardless of whether they use CCLs, are affected.

An attacker already on the network can impact processes by loading a modified CCL with malicious code to a controller that would execute the attacker’s code.

Honeywell should be recognised for its response to these critical vulnerabilities. To address the flaws Team82 privately disclosed, Honeywell has added cryptographic signing to CCLs to ensure they have not been tampered with.

Each CCL binary now has an associated cryptographic signature that is sent to the controller when the CCL is loaded; that signature is validated before the CCL is used, Honeywell said in its advisory.

Honeywell has made patches available for affected Experion PKS versions, including server software patches and fixes for the controller firmware. Both must be applied to fully mitigate these vulnerabilities.

Hotfixes have either been released or will be released for versions R510.2 (Hotfix10, released) and R501.6. Version R511.5 also addresses all of these vulnerabilities. No patches are available for other Experion releases, and those users are urged to migrate to the latest point release.


CVE Information

  • CVE-2021-38397
    CWE-434: Unrestricted Upload of File with Dangerous Type
    CVSS score: 10.0



    The affected products are vulnerable to unrestricted file uploads, which may allow an attacker to remotely execute arbitrary code and cause a denial-of-service condition.

  • CVE-2021-38395
    CWE-74: Improper Neutralisation of Special Elements in Output Used by a Downstream Component
    CVSS score: 9.1



    The affected products are vulnerable to improper neutralisation of special elements in output, which may allow an attacker to remotely execute arbitrary code and cause a denial-of-service condition.

  • CVE-2021-38399
    CWE-23: Relative Path Traversal
    CVSS score: 7.5

The affected products are vulnerable to relative path traversal, which may allow an attacker access to unauthorised files and directories.

Findings also underscore the high stakes of securing industrial environments, where a successful attack can extend beyond IT systems and impact physical operations.

With the vulnerabilities affecting widely deployed Experion PKS controllers, asset owners should assess their exposure and implement recommended mitigations as soon as possible.

ByMatthew Giannelis
Follow:
Secondary editor and executive officer at Tech Business News. An IT support engineer for 20 years he's also an advocate for cyber security and anti-spam laws.
Previous Article RMIT ONLINE RMIT Online reports significant demand for online master degrees
Next Article Mandaint changes to Fireeye Mandiant Confirms Name Change from FireEye, Inc. to Mandiant, Inc.
Leave a Comment

Leave a Reply Cancel reply

You must be logged in to post a comment.

Claroty Three Severe Vulnerabilities Honeywell's Experion PKS

Tech Articles

Why is APAC losing the war on digital fraud

Why APAC is Losing Ground In The Fight Against Digital Fraud

Why APAC is losing the war on digital fraud is…

May 6, 2026
The Growing Crisis of Space junk and Debris

Space Junk Is Becoming One of the Biggest Threats to Modern Spaceflight

More than 33,000 tracked objects now orbit Earth at speeds…

May 8, 2026
The Internet’s Best Blogs Didn’t Vanish — They Were Stripped for Parts by SEO Parasites

The Internet’s Best Blogs Didn’t Vanish — They Were Stripped for Parts by SEO Parasites

How some of the internet’s best independent blogs were quietly…

June 3, 2026

Recent News

The Internet Is Getting Smaller
General Tech

The Open Internet Is Getting Smaller As Users Move Into Smaller Online Communities

16 Min Read
BNPL Buy now pay it later
General Tech

Unlocking Opportunities: BNPL’s Influence On Home And Lifestyle Retailers

11 Min Read
Digital Scheduling and Prefabrication Tech
General Tech

How Digital Scheduling and Prefabrication Tech Is Changing Steel Reinforcement Supply in Australia

8 Min Read
Technology In The Music Industry.
General Tech

Learing About Technology In The Music Industry

10 Min Read
Tech News - Technology Business

Tech Business News

In 2026, technology news is shaping business outcomes faster than ever—driven by AI adoption, rising cyber risk, cloud modernisation, data regulation, and constant platform change.
 
Tech News keeps Australian organisations and industry professionals informed with timely reporting and practical coverage across AI, cybersecurity, cloud, enterprise IT, startups, science, people and business, plus major world and local news impacting the tech sector.
 
Tech Business News publishes news and analysis designed to be clear, relevant, and easy to act on. It supports the industry with technology news reports, whitepaper publishing services, and a range of media, advertising and publishing options 

About

About Us 
Contact Us 
Privacy Policy
Copyright Policy
Terms & Conditions

July, 19, 2026

Contact

Tech Business News
Melbourne, Australia
Werribee 3030
Phone: +61 431401041

Hours : Monday to Friday, 9am 530-pm.

Tech News

© Copyright Tech Business News 

Latest Australian Tech News – 2026

Welcome Back!

Sign in to your account

Username or Email Address
Password

Lost your password?