Honeywell
By the Year
In 2026 there have been 3 vulnerabilities in Honeywell products with an average CVSS base score of 8.47 out of ten. In 2025 Honeywell had 1 security vulnerability published, so 2 more vulnerabilities have already been reported in 2026 than in all of last year, and the average base score in 2026 is higher by 1.67.
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2026 | 3 | 8.47 |
| 2025 | 1 | 6.80 |
| 2024 | 10 | 6.85 |
| 2023 | 10 | 7.80 |
| 2022 | 6 | 7.22 |
| 2021 | 0 | 0.00 |
| 2020 | 6 | 0.00 |
| 2019 | 1 | 0.00 |
| 2018 | 2 | 6.10 |
It may take a day or so for new Honeywell vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Vulnerabilities may also be tagged under a different product or component name. A year showing an average score of 0.00 alongside a non-zero vulnerability count (2019 and 2020 above) reflects entries with no CVSS base score recorded in this dataset, not zero-severity issues.
Recent Honeywell Security Vulnerabilities
| CVE | Date | Vulnerability |
|---|---|---|
| CVE-2026-1670 | Feb 17, 2026 | Unauthenticated API exposure enables remote recovery-email modification: the affected products expose an unauthenticated API endpoint, which may allow an attacker to remotely change the "forgot password" recovery email address. |
| CVE-2021-47868 | Jan 21, 2026 | Unquoted service path in WIN-PACK PRO 4.8 WPCommandFileService, executes as LocalSystem: WIN-PACK PRO 4.8 contains an unquoted service path vulnerability in the WPCommandFileService that allows local users to potentially execute code with elevated privileges. Attackers can exploit the unquoted path C:\Program Files (x86)\WINPAKPRO\WPCommandFileService Service.exe to inject malicious code that would execute with LocalSystem permissions. |
| CVE-2021-47866 | Jan 21, 2026 | Unquoted service path in WIN-PACK PRO 4.8 GuardTourService: WIN-PACK PRO 4.8 contains an unquoted service path vulnerability in the GuardTourService that allows local users to potentially execute code with elevated system privileges. Attackers can exploit the unquoted path C:\Program Files (x86)\WINPAKPRO\WP GuardTour Service.exe to inject malicious code that would execute during service startup. |
| CVE-2025-12351 | Oct 27, 2025 | Honeywell S35 cameras authorization bypass via user-controlled key, admin privilege escalation (before 2025.08.x): Honeywell S35 Series Cameras contain an authorization bypass vulnerability through a user-controlled key. An attacker could potentially exploit this vulnerability, leading to privilege escalation to admin-privileged functionality. Honeywell recommends updating to the most recent version of this product (S35 Pinhole/Kit Camera to version 2025.08.28, S35 AI Fisheye & Dual Sensor/Micro Dome/Full Color Eyeball & Bullet Camera to version 2025.08.22, S35 Thermal Camera to version 2025.08.26). |
| CVE-2024-46453 | Sep 27, 2024 | XSS in iq3xcite /test/ (v2.31 to v3.05) via crafted payload: a cross-site scripting (XSS) vulnerability in the component /test/ of iq3xcite v2.31 to v3.05 allows attackers to execute arbitrary web scripts or HTML via a crafted payload. |
| CVE-2023-51599 | May 03, 2024 | Honeywell Saia PG5 Controls Suite RCE via ZIP directory traversal: Honeywell Saia PG5 Controls Suite Directory Traversal Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Honeywell Saia PG5 Controls Suite. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of ZIP files. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-18412. |
| CVE-2023-51600 | May 03, 2024 | XXE in Honeywell Saia PG5 Controls Suite XML parsing enables information disclosure: Honeywell Saia PG5 Controls Suite XML External Entity Processing Information Disclosure Vulnerability. This vulnerability allows remote attackers to disclose sensitive information on affected installations of Honeywell Saia PG5 Controls Suite. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of XML files. Due to the improper restriction of XML External Entity (XXE) references, a crafted document specifying a URI causes the XML parser to access the URI and embed the contents back into the XML document for further processing. An attacker can leverage this vulnerability to disclose information in the context of the current process. Was ZDI-CAN-18456. |
| CVE-2023-51601 | May 03, 2024 | Honeywell Saia PG5 Controls Suite XXE information disclosure: Honeywell Saia PG5 Controls Suite XML External Entity Processing Information Disclosure Vulnerability, the same XXE flaw in XML file parsing as described for CVE-2023-51600, reported separately. Remote attackers can disclose information in the context of the current process; user interaction is required (the target must visit a malicious page or open a malicious file). Was ZDI-CAN-18563. |
| CVE-2023-51602 | May 03, 2024 | Honeywell Saia PG5 Controls Suite XXE information disclosure: Honeywell Saia PG5 Controls Suite XML External Entity Processing Information Disclosure Vulnerability, the same XXE flaw in XML file parsing as described for CVE-2023-51600, reported separately. Remote attackers can disclose information in the context of the current process; user interaction is required (the target must visit a malicious page or open a malicious file). Was ZDI-CAN-18591. |
| CVE-2023-51603 | May 03, 2024 | Honeywell Saia PG5 Controls Suite CAB parsing directory traversal RCE: Honeywell Saia PG5 Controls Suite CAB File Parsing Directory Traversal Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Honeywell Saia PG5 Controls Suite. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of CAB files. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-18592. |
| CVE-2023-51604 | May 03, 2024 | Honeywell Saia PG5 Controls Suite XXE information disclosure: Honeywell Saia PG5 Controls Suite XML External Entity Processing Information Disclosure Vulnerability, the same XXE flaw in XML file parsing as described for CVE-2023-51600, reported separately. Remote attackers can disclose information in the context of the current process; user interaction is required (the target must visit a malicious page or open a malicious file). Was ZDI-CAN-18593. |
| CVE-2023-51605 | May 03, 2024 | Honeywell Saia PG5 Controls Suite XXE information disclosure: Honeywell Saia PG5 Controls Suite XML External Entity Processing Information Disclosure Vulnerability, the same XXE flaw in XML file parsing as described for CVE-2023-51600, reported separately. Remote attackers can disclose information in the context of the current process; user interaction is required (the target must visit a malicious page or open a malicious file). Was ZDI-CAN-18644. |
| CVE-2023-1841 | Feb 29, 2024 | Honeywell MPA2 Access Panel XSS before R1.00.08.05: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Honeywell MPA2 Access Panel (web server modules) allows XSS using invalid characters. This issue affects all MPA2 Access Panel versions prior to R1.00.08.05. Honeywell released firmware update package MPA2 firmware R1.00.08.05, which addresses this vulnerability; this version and all later versions correct the reported vulnerability. |
| CVE-2024-1309 | Feb 13, 2024 | Uncontrolled resource consumption in Honeywell Niagara Framework before AX 3.8.1 / 4.1 on Windows, Linux and QNX: Uncontrolled Resource Consumption vulnerability in Honeywell Niagara Framework on Windows, Linux and QNX allows content spoofing. This issue affects Niagara Framework before Niagara AX 3.8.1 and before Niagara 4.1. |
| CVE-2023-6179 | Nov 17, 2023 | Honeywell ProWatch 4.5 application server executable folder arbitrary code execution: Honeywell ProWatch 4.5, including all Service Pack versions, contains a vulnerability in the Application Server's executable folder(s). An attacker could potentially exploit this vulnerability, allowing a standard user to achieve arbitrary system code execution. Honeywell recommends updating to the most recent version of this product (Pro-Watch 6.0.2, 6.0, 5.5.2, 5.0.5). |
| CVE-2023-3712 | Sep 12, 2023 | Honeywell PM43 files or directories accessible to external parties, privilege escalation via printer web page (before P10.19.050004): Files or Directories Accessible to External Parties vulnerability in Honeywell PM43 on 32-bit ARM (printer web page modules) allows privilege escalation. This issue affects PM43 versions prior to P10.19.050004. Update to the latest available firmware version of the respective printers, MR19.5 (e.g. P10.19.050006). |
| CVE-2023-3711 | Sep 12, 2023 | Honeywell PM43 session fixation via session credential prediction (before P10.19.050004): Session Fixation vulnerability in Honeywell PM43 on 32-bit ARM (printer web page modules) allows session credential falsification through prediction. This issue affects PM43 versions prior to P10.19.050004. Update to the latest available firmware version of the respective printers, MR19.5 (e.g. P10.19.050006). |
| CVE-2023-3710 | Sep 12, 2023 | Command injection in Honeywell PM43 web modules before P10.19.050004: Improper Input Validation vulnerability in Honeywell PM43 on 32-bit ARM (printer web page modules) allows command injection. This issue affects PM43 versions prior to P10.19.050004. Update to the latest available firmware version of the respective printers, MR19.5 (e.g. P10.19.050006). |
| CVE-2023-25948 | Jul 13, 2023 | Server configuration data leak via error response: server information leak of configuration data when an error is generated in response to a specially crafted message. See the Honeywell Security Notification for recommendations on upgrading and versioning. |
| CVE-2023-22435 | Jul 13, 2023 | Experion server stack overflow DoS: the Experion server may experience a DoS due to a stack overflow when handling a specially crafted message. |
| CVE-2023-23585 | Jul 13, 2023 | Experion server DoS via heap overflow: Experion server DoS due to a heap overflow occurring during the handling of a specially crafted message for a specific configuration operation. See the Honeywell Security Notification for recommendations on upgrading and versioning. |
| CVE-2023-24474 | Jul 13, 2023 | Experion server heap overflow DoS: the Experion server may experience a DoS due to a heap overflow which could occur when handling a specially crafted message. |
| CVE-2023-25078 | Jul 13, 2023 | Server or Console Station DoS via heap overflow: Server or Console Station DoS due to a heap overflow occurring during the handling of a specially crafted message for a specific configuration operation. See the Honeywell Security Notification for recommendations on upgrading and versioning. |
| CVE-2023-3243 | Jun 28, 2023 | BCM-WEB 3.3.x authenticating hash capture and MD5 brute force (end of life): ** UNSUPPORTED WHEN ASSIGNED ** An attacker can capture an authenticating hash and utilize it to create new sessions. The hash is also a poorly salted MD5 hash, which could result in a successful brute force password attack. Impacted product is BCM-WEB version 3.3.X. Recommended fix: upgrade to a supported product such as Alerton ACM. Out of an abundance of caution, this CVE ID is being assigned to better serve customers and ensure all who are still running this product understand that the product is end of life and should be removed or upgraded. |
| CVE-2022-2332 | Sep 16, 2022 | Honeywell SoftMaster 4.51 privilege escalation via insecure permissions: a local unprivileged attacker may escalate to administrator privileges in Honeywell SoftMaster version 4.51, due to insecure permission assignment. |
| CVE-2022-2333 | Sep 16, 2022 | Honeywell SoftMaster 4.51 code execution via malicious DLL loading: if an attacker manages to trick a valid user into loading a malicious DLL, the attacker may be able to achieve code execution in the context and with the permissions of Honeywell SoftMaster version 4.51 applications. |
| CVE-2022-30319 | Jul 28, 2022 | SBC PCD authentication bypass via UDP S-Bus spoofing: Saia Burgess Controls (SBC) PCD through 2022-05-06 allows authentication bypass. According to FSCT-2022-0062, there is a Saia Burgess Controls (SBC) PCD S-Bus authentication bypass issue. The affected component is S-Bus (5050/UDP) authentication; the potential impact is authentication bypass. The SBC PCD controllers utilize the S-Bus protocol (5050/UDP) for a variety of engineering purposes. It is possible to configure a password in order to restrict access to sensitive engineering functionality. Authentication functions on the basis of a MAC/IP whitelist with inactivity timeout in which an authenticated client's MAC/IP is stored. UDP traffic can be spoofed to bypass the whitelist-based access control. Since UDP is stateless, an attacker capable of passively observing traffic can spoof arbitrary messages using the MAC/IP of an authenticated client. This allows the attacker access to sensitive engineering functionality such as uploading/downloading control logic and manipulating controller configuration. |
| CVE-2022-30320 | Jul 28, 2022 | SBC PCD weak CRC-16 credential hash allows S-Bus authentication bypass: Saia Burgess Controls (SBC) PCD through 2022-05-06 uses a broken or risky cryptographic algorithm. According to FSCT-2022-0063, there is a Saia Burgess Controls (SBC) PCD S-Bus weak credential hashing scheme issue. The affected component is S-Bus (5050/UDP) authentication; the potential impact is authentication bypass. The SBC PCD controllers utilize the S-Bus protocol (5050/UDP) for a variety of engineering purposes. It is possible to configure a password in order to restrict access to sensitive engineering functionality. Authentication is done by using the S-Bus 'write byte' message to a specific address and supplying a hashed version of the password. The hashing algorithm used is based on CRC-16 and as such is not cryptographically secure. An attacker capable of passively observing traffic can intercept the hashed credentials and trivially find collisions, allowing authentication without having to brute-force a keyspace defined by the actual strength of the password. This allows the attacker access to sensitive engineering functionality such as uploading/downloading control logic and manipulating controller configuration. |
| CVE-2022-30245 | Jul 15, 2022 | Honeywell Alerton Compass Software 1.6.5 allows unauthenticated configuration changes from remote users: this enables configuration data to be stored on the controller and then implemented. A user with malicious intent can send a crafted packet to change the controller configuration without the knowledge of other users, altering the controller's function capabilities. The changed configuration is not updated in the user interface, which creates an inconsistency between the configuration display and the actual configuration on the controller. After the configuration change, remediation requires reverting to the correct configuration, requiring either physical or remote access depending on the configuration that was altered. |
| CVE-2022-1261 | May 26, 2022 | Matrikon OPC Server (all versions) local privilege escalation via IPersistFile: Matrikon, a subsidiary of Honeywell, Matrikon OPC Server (all versions) is vulnerable to a condition where a low-privileged user allowed to connect to the OPC server can use the functions of IPersistFile to execute operating system processes with system-level privileges. |
| CVE-2020-6974 | Apr 07, 2020 | Honeywell Notifier Web Server (NWS) Version 3.50 is vulnerable to a path traversal attack, which allows an attacker to bypass access to restricted directories. Honeywell has released a firmware update to address the problem. |
| CVE-2020-6978 | Mar 24, 2020 | In Honeywell WIN-PAK 4.7.2, Web and prior versions, the affected product is vulnerable due to the usage of old jQuery libraries. |
| CVE-2020-6982 | Mar 24, 2020 | In Honeywell WIN-PAK 4.7.2, Web and prior versions, a header injection vulnerability has been identified, which may allow remote code execution. |
| CVE-2020-7005 | Mar 24, 2020 | In Honeywell WIN-PAK 4.7.2, Web and prior versions, the affected product is vulnerable to a cross-site request forgery, which may allow an attacker to remotely execute arbitrary code. |
| CVE-2020-6972 | Mar 24, 2020 | In Notifier Web Server (NWS) Version 3.50 and earlier, the Honeywell Fire Web Servers authentication may be bypassed by a capture-replay attack from a web browser. |
| CVE-2020-6968 | Feb 20, 2020 | Honeywell INNCOM INNControl 3 allows workstation users to escalate application user privileges through the modification of local configuration files. |
| CVE-2019-13523 | Sep 26, 2019 | In Honeywell Performance IP Cameras and Performance NVRs, the integrated web server of the affected devices could allow remote attackers to obtain web configuration data in JSON format for IP cameras and NVRs (Network Video Recorders), which can be accessed without authentication over the network. Affected Performance IP Cameras: HBD3PR2, H4D3PRV3, HED3PR3, H4D3PRV2, HBD3PR1, H4W8PR2, HBW8PR2, H2W2PC1M, H2W4PER3, H2W2PER3, HEW2PER3, HEW4PER3B, HBW2PER1, HEW4PER2, HEW4PER2B, HEW2PER2, H4W2PER2, HBW2PER2, H4W2PER3, and HPW2P1. Affected Performance Series NVRs: HEN08104, HEN08144, HEN081124, HEN16104, HEN16144, HEN16184, HEN16204, HEN162244, HEN16284, HEN16304, HEN16384, HEN32104, HEN321124, HEN32204, HEN32284, HEN322164, HEN32304, HEN32384, HEN323164, HEN64204, HEN64304, HEN643164, HEN643324, HEN643484, HEN04103, HEN04113, HEN04123, HEN08103, HEN08113, HEN08123, HEN08143, HEN16103, HEN16123, HEN16143, HEN16163, HEN04103L, HEN08103L, HEN16103L, HEN32103L. |
| CVE-2018-14825 | Sep 24, 2018 | On Honeywell Mobile Computers (CT60 running Android OS 7.1, CN80 running Android OS 7.1, CT40 running Android OS 7.1, CK75 running Android OS 6.0, CN75 running Android OS 6.0, CN75e running Android OS 6.0, CT50 running Android OS 6.0, D75e running Android OS 6.0, CT50 running Android OS 4.4, D75e running Android OS 4.4, CN51 running Android OS 6.0, EDA50k running Android 4.4, EDA50 running Android OS 7.1, EDA50k running Android OS 7.1, EDA70 running Android OS 7.1, EDA60k running Android OS 7.1, and EDA51 running Android OS 8.1), a skilled attacker with advanced knowledge of the target system could exploit this vulnerability by creating an application that would successfully bind to the service and gain elevated system privileges. This could enable the attacker to obtain access to keystrokes, passwords, personal identifiable information, photos, emails, or business-critical documents. |
| CVE-2018-8714 | May 17, 2018 | Honeywell MatrikonOPC OPC Controller before 5.1.0.0 allows local users to transfer arbitrary files from a host computer and consequently obtain sensitive information via vectors related to MSXML libraries. |
| CVE-2012-0254 | Sep 08, 2012 | Stack-based buffer overflow in the HMIWeb Browser HSCDSPRenderDLL ActiveX control in Honeywell Process Solutions (HPS) Experion R2xx, R30x, R31x, and R400.x; Honeywell Building Solutions (HBS) Enterprise Building Manager R400 and R410.1; and Honeywell Environmental Combustion and Controls (ECC) SymmetrE R410.1 allows remote attackers to execute arbitrary code via unspecified vectors. |
| CVE-2007-2938 | May 31, 2007 | Buffer overflow in the BaseRunner ActiveX control in the Ademco ATNBaseLoader100 Module (ATNBaseLoader100.dll) 5.4.0.6, when Internet Explorer 6 is used, allows remote attackers to execute arbitrary code via a long argument to the (1) Send485CMD method, and possibly the (2) SetLoginID, (3) AddSite, (4) SetScreen, and (5) SetVideoServer methods. |
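The two WIN-PAK PRO entries (CVE-2021-47868 and CVE-2021-47866) are the classic unquoted service path pattern: when a service's ImagePath contains spaces and is not quoted, CreateProcess tries the text up to each space as an executable name (appending `.exe`) before it reaches the real binary, so anyone who can write to one of the earlier candidate locations gets code running as the service account. The script below is an added example, not code from stack.watch or Honeywell, and the ImagePath strings it analyses are constructed from the paths quoted in the CVE text rather than read from a live host. It enumerates the candidates Windows would probe and the directories whose ACLs therefore need auditing; on a real system you would feed it the `ImagePath` values from `HKLM\SYSTEM\CurrentControlSet\Services`.

```python
"""Enumerate the executables Windows would probe for an unquoted service ImagePath."""
import ntpath
from typing import Dict, List

# Constructed sample ImagePath values, modelled on the paths in the CVE descriptions.
SAMPLE_IMAGE_PATHS: Dict[str, str] = {
    "WPCommandFileService": r"C:\Program Files (x86)\WINPAKPRO\WPCommandFileService Service.exe",
    "GuardTourService": r"C:\Program Files (x86)\WINPAKPRO\WP GuardTour Service.exe",
    # A correctly quoted path with arguments, and a path without spaces: both are safe.
    "QuotedService": r'"C:\Program Files (x86)\WINPAKPRO\WP GuardTour Service.exe" -run',
    "NoSpaceService": r"C:\Windows\System32\svchost.exe -k netsvcs",
}


def _executable_part(image_path: str) -> str:
    """Return the command line up to and including '.exe'; arguments after it are irrelevant."""
    path = image_path.strip()
    end = path.lower().find(".exe")
    return path if end == -1 else path[: end + 4]


def is_unquoted_with_spaces(image_path: str) -> bool:
    """True when the path is not wrapped in quotes and the executable path contains a space."""
    path = image_path.strip()
    if path.startswith('"'):
        return False
    return " " in _executable_part(path)


def hijack_candidates(image_path: str) -> List[str]:
    """Paths CreateProcess tries, in order, before reaching the intended executable.

    For an unquoted command line the text up to each space is treated as a possible
    executable name, with '.exe' appended when it carries no extension. Every candidate
    listed here is a hijack target if a low-privileged user can write to its directory.
    """
    if not is_unquoted_with_spaces(image_path):
        return []
    head = _executable_part(image_path)
    candidates = []
    for i, ch in enumerate(head):
        if ch == " ":
            prefix = head[:i]
            if not prefix.lower().endswith(".exe"):
                prefix += ".exe"
            candidates.append(prefix)
    return candidates


def directories_to_audit(image_path: str) -> List[str]:
    """Directories whose ACLs decide whether a standard user can plant a candidate binary."""
    return sorted({ntpath.dirname(c) for c in hijack_candidates(image_path)})


if __name__ == "__main__":
    for name, path in SAMPLE_IMAGE_PATHS.items():
        print(f"{name}: unquoted_with_spaces={is_unquoted_with_spaces(path)}")
        for cand in hijack_candidates(path):
            print("   CreateProcess would try:", cand)
        for d in directories_to_audit(path):
            print("   audit ACL on:", d)
```

The fix on the vendor side is simply to quote the path in the service definition; on the defender side the interesting output is the directory list, since `C:\` is normally not writable by standard users but vendor directories under `Program Files (x86)` sometimes are.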
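The Saia PG5 archive entries (CVE-2023-51599 for ZIP and CVE-2023-51603 for CAB) both come down to the same missing check: a member name taken from the archive is used in a file operation without first confirming it resolves inside the extraction directory. The following is an added example, not code from stack.watch, Honeywell or ZDI, showing the validation an extractor must perform; the sample archive is constructed in memory and contains two traversal attempts next to one benign member. Python's own `ZipFile.extractall` already strips such components, so the example performs the extraction itself to make the check explicit; the same member-name logic applies to names read from a CAB file.

```python
"""Reject archive members that would escape the extraction directory."""
import io
import os
import posixpath
import tempfile
import zipfile
from typing import List, Tuple


def build_sample_archive() -> bytes:
    """Constructed sample archive: one benign member and two directory traversal attempts."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("project/main.src", "; legitimate project content\n")
        zf.writestr("../../Startup/evil.bat", "@echo owned\n")
        zf.writestr("project/../../../etc/passwd", "root:x:0:0\n")
    return buf.getvalue()


def is_safe_member(dest_root: str, member_name: str) -> bool:
    """True only if the member resolves to a location inside dest_root.

    Checks, in order: absolute paths and drive letters, '..' components after
    normalisation, and finally the resolved real path, which also catches a
    symlink already present under dest_root that points elsewhere.
    """
    name = member_name.replace("\\", "/")
    if posixpath.isabs(name) or os.path.splitdrive(name)[0]:
        return False
    parts = posixpath.normpath(name).split("/")
    if ".." in parts:
        return False
    root = os.path.realpath(dest_root)
    target = os.path.realpath(os.path.join(root, *parts))
    return os.path.commonpath([root, target]) == root


def safe_extract(zip_bytes: bytes, dest_root: str) -> Tuple[List[str], List[str]]:
    """Extract only members that pass is_safe_member; return (written, rejected) names."""
    written, rejected = [], []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if not is_safe_member(dest_root, info.filename):
                rejected.append(info.filename)
                continue
            parts = posixpath.normpath(info.filename).split("/")
            target = os.path.join(dest_root, *parts)
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            written.append(info.filename)
    return written, rejected


def run_demo() -> Tuple[List[str], List[str]]:
    """Extract the constructed archive into a temp directory and report what was kept."""
    with tempfile.TemporaryDirectory() as dest:
        return safe_extract(build_sample_archive(), dest)


if __name__ == "__main__":
    kept, dropped = run_demo()
    print("written :", kept)
    print("rejected:", dropped)
```

The realpath comparison is the part most extractors skip: checking only for `..` substrings misses names that normalise cleanly but land on a symlink planted by an earlier member of the same archive.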
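The five Saia PG5 XXE entries (CVE-2023-51600 through CVE-2023-51605, excluding the CAB issue) all describe the same mechanism: a crafted document declares an external entity with a URI, the parser fetches that URI and embeds the result in the document, and whatever processes the document afterwards leaks the contents. The script below is an added example written for this page, not code from stack.watch, Honeywell or ZDI, and it uses Python's standard `xml.sax` parser to show both configurations: with external general entities resolved (the vulnerable behaviour) and with them disabled (the hardened behaviour, which has been the default in `xml.sax` since Python 3.7.1). The "secret" file and the crafted document are constructed in a temporary directory.

```python
"""Vulnerable versus hardened XML parsing with Python's xml.sax."""
import os
import tempfile
import xml.sax
from typing import List, Tuple
from xml.sax.handler import ContentHandler, feature_external_ges


class TextCollector(ContentHandler):
    """Collect all character data; leaked file contents surface here."""

    def __init__(self) -> None:
        super().__init__()
        self.parts: List[str] = []

    def characters(self, content: str) -> None:
        self.parts.append(content)


def build_payload(target_path: str) -> bytes:
    """A crafted 'project file' whose external entity points at a file on the victim's disk."""
    return (
        '<?xml version="1.0"?>\n'
        "<!DOCTYPE project [\n"
        f'  <!ENTITY xxe SYSTEM "{target_path}">\n'
        "]>\n"
        "<project><name>&xxe;</name></project>"
    ).encode()


def parse_project(xml_bytes: bytes, resolve_external_entities: bool) -> str:
    """Parse the document and return its text content.

    resolve_external_entities=True is the vulnerable configuration: the parser
    opens the entity's system identifier and splices the bytes into the document.
    False is the hardened configuration; the reference is left unexpanded.
    """
    collector = TextCollector()
    parser = xml.sax.make_parser()
    parser.setContentHandler(collector)
    parser.setFeature(feature_external_ges, resolve_external_entities)
    parser.feed(xml_bytes)
    parser.close()
    return "".join(collector.parts)


def run_demo() -> Tuple[str, str]:
    """Return (text seen by the vulnerable parser, text seen by the hardened parser)."""
    with tempfile.TemporaryDirectory() as d:
        secret = os.path.join(d, "controller-credentials.txt")  # constructed sample file
        with open(secret, "w", encoding="utf-8") as f:
            f.write("db_password=hunter2")
        payload = build_payload(secret)
        return parse_project(payload, True), parse_project(payload, False)


if __name__ == "__main__":
    leaked, contained = run_demo()
    print("external entities resolved :", repr(leaked))
    print("external entities disabled :", repr(contained))
```

The same switch exists in every mainstream parser (`resolve_entities=False` in lxml, `DisallowDoctypeDecl`/`setFeature` in the JVM and .NET parsers); the check when reviewing a product's XML handling is whether DOCTYPE declarations or external entities are accepted at all, since a parser that never sees a DTD cannot be made to fetch a URI.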
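CVE-2022-30320 states that the S-Bus password hash is "based on CRC-16" and that an observer who captures it can "trivially find collisions". The page does not give the exact CRC variant or how the password is fed to it, so the added example below, which is not code from stack.watch, Honeywell or the FSCT report, uses CRC-16/CCITT-FALSE (polynomial 0x1021, initial value 0xFFFF) as a stand-in. The argument does not depend on that choice: a CRC's state is as wide as its output and the map from the final two input bytes to the final state is a bijection, so for any captured 16-bit value and any prefix the attacker likes, a second preimage exists and is found in at most 65536 CRC evaluations, however long or random the real password was. The password in the demo is constructed.

```python
"""A CRC-16 'password hash' admits second preimages in at most 2^16 tries."""
from typing import List, Tuple

POLY = 0x1021  # CRC-16/CCITT-FALSE; an assumption standing in for the undocumented S-Bus variant


def _make_table(poly: int = POLY) -> List[int]:
    table = []
    for byte in range(256):
        crc = byte << 8
        for _ in range(8):
            crc = ((crc << 1) ^ poly) & 0xFFFF if crc & 0x8000 else (crc << 1) & 0xFFFF
        table.append(crc)
    return table


_TABLE = _make_table()


def crc16(data: bytes, init: int = 0xFFFF) -> int:
    """Table-driven CRC-16/CCITT-FALSE. 'init' lets a computation resume from a saved state."""
    crc = init
    for b in data:
        crc = ((crc << 8) & 0xFFFF) ^ _TABLE[((crc >> 8) ^ b) & 0xFF]
    return crc


def forge_second_preimage(observed: int, prefix: bytes) -> Tuple[bytes, int]:
    """Return (candidate, tries) with crc16(candidate) == observed and candidate starting with prefix.

    After 'prefix' the CRC state is 16 bits, and feeding two more bytes maps each
    16-bit suffix to a distinct final state, so exactly one suffix produces the
    observed value. The loop therefore always terminates within 65536 iterations.
    """
    state = crc16(prefix)
    for s in range(1 << 16):
        suffix = s.to_bytes(2, "big")
        if crc16(suffix, init=state) == observed:
            return prefix + suffix, s + 1
    raise RuntimeError("unreachable: every 16-bit state is produced by some 2-byte suffix")


def run_demo() -> Tuple[int, bytes, int]:
    """Simulate a sniffed credential hash and forge a different input with the same hash."""
    real_password = b"Str0ng!Passw0rd#2022"  # constructed; the attacker never learns it
    observed = crc16(real_password)          # what passive observation of S-Bus would yield
    forged, tries = forge_second_preimage(observed, b"guest-")
    return observed, forged, tries


if __name__ == "__main__":
    observed, forged, tries = run_demo()
    print(f"captured hash   : 0x{observed:04X}")
    print(f"forged password : {forged!r} after {tries} tries, hash 0x{crc16(forged):04X}")
```

This is why the entry calls the scheme a broken cryptographic algorithm rather than a weak password policy: the effective keyspace is 2^16 regardless of the password, and because the forged value is accepted by the controller, the "brute force" never has to touch the real credential at all. The check value `crc16(b"123456789") == 0x29B1` confirms the implementation matches the published CCITT-FALSE parameters.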