Rei Henigman

**Name of the Vulnerable Software and Affected Versions** Honeywell Experion PKS versions C200, C200E, C300, and ACE controllers **Description** The issue exists due to improper neutralization of special elements. This may allow a remote attacker to execute arbitrary code and cause a denial-of-service condition, potentially through cross-site scripting attacks. **Recommendations** For Honeywell Experion PKS C200, C200E, C300, and ACE controllers, update to a version that properly neutralizes special elements in output to prevent arbitrary code execution and denial-of-service conditions. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Honeywell Experion PKS versions C200, C200E, C300, and ACE **Description** The issue is related to unrestricted file uploads, which may allow an attacker to remotely execute arbitrary code and cause a denial-of-service condition. This could potentially enable an attacker to disrupt the system's operation. **Recommendations** For Honeywell Experion PKS versions C200, C200E, C300, and ACE, consider restricting file uploads to prevent remote execution of arbitrary code until a patch is available. As a temporary workaround, restrict access to file upload functionality to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Modicon M221 (all references, all versions) Modicon M100 (affected versions not specified) Modicon M200 (affected versions not specified) **Description** A vulnerability exists due to a small space of random values, which could allow an attacker to break encryption keys by capturing traffic between EcoStruxure Machine - Basic software and the Modicon controller. This can be exploited using a brute force attack, potentially allowing a remote attacker to bypass existing security restrictions. **Recommendations** For Modicon M221, consider restricting access to the controller until a patch is available. For Modicon M100 and Modicon M200, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Modicon M221 (all references, all versions) Modicon M100 (affected versions not specified) Modicon M200 (affected versions not specified) **Description** A Missing Encryption of Sensitive Data issue exists that could allow an attacker to find the password hash when they have captured the traffic between EcoStruxure Machine - Basic software and the Modicon controller and broke the encryption keys. This could be exploited by a remote attacker to obtain the encryption key. **Recommendations** For Modicon M221, consider implementing additional encryption measures to protect sensitive data until a patch is available. For Modicon M100 and Modicon M200, at the moment, there is no information about a newer version that contains a fix for this vulnerability.