Tuesday, May 6, 2025
HomeCVE/vulnerabilityMultiple Vulnerabilities in Honeywell VirtualUOC Let Attackers Execute Remote Code

Multiple Vulnerabilities in Honeywell VirtualUOC Let Attackers Execute Remote Code

Published on

SIEM as a Service

Follow Us on Google News

Team82 has uncovered multiple critical vulnerabilities in Honeywell’s ControlEdge Virtual Unit Operations Center (UOC).

These vulnerabilities within the EpicMo protocol implementation could potentially allow attackers to execute remote code without authentication.

Honeywell has since addressed these issues, but the discovery underscores the ongoing challenges in securing industrial control systems (ICS).

- Advertisement - Google News

ANYRUN malware sandbox’s 8th Birthday Special Offer: Grab 6 Months of Free Service

The EpicMo Protocol and Its Vulnerabilities

Honeywell’s proprietary communication protocol, EpicMo, is used to debug and diagnose Honeywell controllers.

It operates over TCP port 55565 and includes function codes such as ReadMemory, WriteMemory, Reboot, and ReadCrashBlock.

However, Team82’s research revealed that the protocol also contains undocumented functions that can be exploited to write files on Virtual UOC controllers without proper sanitation.

CVE-2023-5389: From File Write to Pre-Auth Remote Code Execution

One of the most critical vulnerabilities identified is CVE-2023-5389. This vulnerability stems from the LoadFileToModule function (Command 0x51) within the EpicMo protocol.

The function allows users to write files to the controller, specifying a Destination_Path without validation or limitation.

This lack of restriction means that attackers can write files to any writable location on the controller, potentially leading to remote code execution (RCE).

To exploit this vulnerability, an attacker would need to send a series of packets to the controller, starting with a command to initiate the file write, followed by data packets, and concluding with a final command to signal the end of the upload.

By overwriting a system-shared object file, such as /lib/libcap.so.2, with a malicious payload, the attacker can achieve code execution upon the controller’s reboot.

CVE-2023-5390: Additional Security Concerns

Another vulnerability, CVE-2023-5390, was also identified in the EpicMo protocol.

While details on this specific vulnerability are less comprehensive, it has been assigned a CVSS v3 score of 5.3, indicating a moderate severity level.

This vulnerability further highlights the potential risks associated with proprietary protocols in industrial environments.

Honeywell’s Response and Mitigation

In response to these findings, Honeywell has updated the Virtual UOC to address the identified vulnerabilities.

The Cybersecurity Infrastructure & Security Agency (CISA) has also published an advisory urging users to update their systems to the latest versions to mitigate the risks.

Honeywell’s swift action in addressing these vulnerabilities is commendable, but the incident is a stark reminder of the importance of robust security measures in industrial control systems.

The discovery of these vulnerabilities in Honeywell’s Virtual UOC underscores the critical need for continuous security assessments and updates in industrial environments.

As proprietary protocols like EpicMo are integral to the operation of ICS, ensuring their security is paramount to protecting industrial processes from potential manipulation or disruption.

Honeywell’s Virtual UOC users are strongly advised to update their systems and remain vigilant against potential threats.

Free Webinar on Live API Attack Simulation: Book Your Seat | Start protecting your APIs from hackers

Divya
Divya
Divya is a Senior Journalist at GBhackers covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.

Latest articles

BFDOOR Malware Targets Organizations to Establish Long-Term Persistence

The BPFDoor malware has emerged as a significant threat targeting domestic and international organizations,...

Uncovering the Security Risks of Data Exposure in AI-Powered Tools like Snowflake’s CORTEX

As artificial intelligence continues to reshape the technological landscape, tools like Snowflake’s CORTEX Search...

UNC3944 Hackers Shift from SIM Swapping to Ransomware and Data Extortion

UNC3944, a financially-motivated threat actor also linked to the group known as Scattered Spider,...

Over 2,800 Hacked Websites Targeting MacOS Users with AMOS Stealer Malware

Cybersecurity researcher has uncovered a massive malware campaign targeting MacOS users through approximately 2,800...

Resilience at Scale

Why Application Security is Non-Negotiable

The resilience of your digital infrastructure directly impacts your ability to scale. And yet, application security remains a critical weak link for most organizations.

Application Security is no longer just a defensive play—it’s the cornerstone of cyber resilience and sustainable growth. In this webinar, Karthik Krishnamoorthy (CTO of Indusface) and Phani Deepak Akella (VP of Marketing – Indusface), will share how AI-powered application security can help organizations build resilience by

Discussion points


Protecting at internet scale using AI and behavioral-based DDoS & bot mitigation.
Autonomously discovering external assets and remediating vulnerabilities within 72 hours, enabling secure, confident scaling.
Ensuring 100% application availability through platforms architected for failure resilience.
Eliminating silos with real-time correlation between attack surface and active threats for rapid, accurate mitigation

More like this

BFDOOR Malware Targets Organizations to Establish Long-Term Persistence

The BPFDoor malware has emerged as a significant threat targeting domestic and international organizations,...

Uncovering the Security Risks of Data Exposure in AI-Powered Tools like Snowflake’s CORTEX

As artificial intelligence continues to reshape the technological landscape, tools like Snowflake’s CORTEX Search...

UNC3944 Hackers Shift from SIM Swapping to Ransomware and Data Extortion

UNC3944, a financially-motivated threat actor also linked to the group known as Scattered Spider,...