{"dataType":"CVE_RECORD","dataVersion":"5.1","cveMetadata":{"state":"PUBLISHED","cveId":"CVE-2021-38395","assignerOrgId":"7d14cffa-0d7d-4270-9dc0-52cabd5a23a6","assignerShortName":"icscert","datePublished":"2022-10-28T01:20:24.175Z","dateUpdated":"2025-04-16T16:07:52.218Z","dateReserved":"2021-08-10T00:00:00.000Z"},"containers":{"cna":{"title":"Honeywell Experion PKS and ACE Controllers Injection","datePublic":"2021-10-05T00:00:00.000Z","providerMetadata":{"orgId":"7d14cffa-0d7d-4270-9dc0-52cabd5a23a6","shortName":"icscert","dateUpdated":"2022-10-28T00:00:00.000Z"},"descriptions":[{"lang":"en","value":"Honeywell Experion PKS C200, C200E, C300, and ACE controllers are vulnerable to improper neutralization of special elements in output, which may allow an attacker to remotely execute arbitrary code and cause a denial-of-service condition."}],"affected":[{"vendor":"Honeywell","product":"Experion PKS","versions":[{"version":"C200","status":"affected"},{"version":"C200E","status":"affected"},{"version":"C300","status":"affected"},{"version":"ACE controllers","status":"affected"}]}],"references":[{"url":"https://www.cisa.gov/uscert/ics/advisories/icsa-21-278-04"},{"url":"https://www.honeywellprocess.com/library/support/notifications/Customer/SN2021-02-22-01-Experion-C300-CCL.pdf"}],"credits":[{"lang":"en","value":"Rei Henigman and Nadav Erez of Claroty reported these vulnerabilities to CISA."}],"metrics":[{"cvssV3_1":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"HIGH","availabilityImpact":"HIGH","baseScore":9.1,"baseSeverity":"CRITICAL"}}],"problemTypes":[{"descriptions":[{"type":"CWE","lang":"en","description":"CWE-74: Injection","cweId":"CWE-74"}]}],"x_generator":{"engine":"Vulnogram 0.0.9"},"source":{"discovery":"EXTERNAL"},"workarounds":[{"lang":"en","value":"Honeywell recommends users follow all guidance in the Experion Network and Security Planning Guide to prevent attacks by malicious actors.\n\nAdditional information can be found in Honeywell Support document SN2021-02-22-01."}]},"adp":[{"providerMetadata":{"orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE","dateUpdated":"2024-08-04T01:37:16.588Z"},"title":"CVE Program Container","references":[{"url":"https://www.cisa.gov/uscert/ics/advisories/icsa-21-278-04","tags":["x_transferred"]},{"url":"https://www.honeywellprocess.com/library/support/notifications/Customer/SN2021-02-22-01-Experion-C300-CCL.pdf","tags":["x_transferred"]}]},{"metrics":[{"other":{"type":"ssvc","content":{"timestamp":"2025-04-16T15:53:47.454539Z","id":"CVE-2021-38395","options":[{"Exploitation":"none"},{"Automatable":"yes"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2025-04-16T16:07:52.218Z"}}]}}