Severity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
Lifecycle Timeline
3DescriptionCVE.org
Missing Authentication for Critical Function vulnerability in Honeywell Handheld Scanners allows Authentication Abuse.This issue affects Handheld Scanners: from C1 Base(Ingenic x1000) before GK000432BAA, from D1 Base(Ingenic x1600) before HE000085BAA, from A1/B1 Base(IMX25) before BK000763BAA_BK000765BAA_CU000101BAA.
This vulnerability could allow a remote attacker within Bluetooth range of the scanner's base station has the capability to remotely execute system commands on the host connected to the base station without authentication. This issue has been assigned CVE-2026-4272 https://nvd.nist.gov/vuln/detail/CVE-2026-4272 and rated with a severity of High. Honeywell strongly recommends that users upgrade to the latest version identified to resolve the vulnerability.
AnalysisAI
Remote unauthenticated command execution in Honeywell Handheld Scanner base stations (C1/D1/A1/B1 models) allows attackers within Bluetooth range to execute system commands on connected host systems without authentication. Affects C1 Base (Ingenic x1000) before GK000432BAA, D1 Base (Ingenic x1600) before HE000085BAA, and A1/B1 Base (IMX25) before BK000763BAA/BK000765BAA/CU000101BAA. CVSS 8.1 (High) reflects high confidentiality and integrity impact with network attack vector requiring user interaction. No public exploit identified at time of analysis, though the missing authentication (CWE-306) combined with proximity-based Bluetooth attack vector creates significant risk for environments using these industrial scanning devices.
Technical ContextAI
This vulnerability stems from missing authentication for critical functions (CWE-306) in the Bluetooth communication protocol between Honeywell handheld scanner base stations and connected host systems. The affected base stations use various embedded processors: C1 models use Ingenic x1000 SoCs, D1 models use Ingenic x1600 SoCs, and A1/B1 models use Freescale i.MX25 processors. The absence of authentication controls on critical command execution interfaces allows the base station to accept and relay system commands from unauthorized Bluetooth-capable devices within radio range (typically 10-100 meters depending on Bluetooth class). The vulnerability exploits the trust relationship between the scanner base and the connected host system, enabling attackers to leverage the base station as a command relay without presenting valid credentials.
RemediationAI
Honeywell has released patched firmware versions addressing this authentication bypass vulnerability. Organizations should immediately upgrade C1 Base scanners to firmware version GK000432BAA or later, D1 Base scanners to HE000085BAA or later, and A1/B1 Base scanners to BK000763BAA, BK000765BAA, or CU000101BAA as appropriate for their specific model. Firmware updates should be obtained through authorized Honeywell support channels or partner distributors. Until patches can be deployed, organizations should implement compensating controls including physically securing scanner base stations in controlled-access areas to limit Bluetooth proximity attacks, disabling Bluetooth functionality if alternative connectivity options exist, monitoring host systems connected to scanner bases for unauthorized command execution, and restricting base station deployments to isolated network segments where command execution cannot reach critical systems. Consult Honeywell PSIRT advisory at https://nvd.nist.gov/vuln/detail/CVE-2026-4272 for additional vendor-specific guidance and firmware acquisition procedures.
An ActiveX control in HscRemoteDeploy.dll in Honeywell Enterprise Buildings Integrator (EBI) R310, R400.2, R410.1, and R
Directory traversal vulnerability in the FTP server on Honeywell Excel Web XL1000C50 52 I/O, XL1000C100 104 I/O, XL1000C
Improper Input Validation vulnerability in Honeywell PM43 on 32 bit, ARM (Printer web page modules) allows Command Injec
Honeywell NVR devices allow remote attackers to create a user account in the admin group by leveraging access to a guest
Honeywell Intermec PM23, PM42, PM43, PC23, PC43, PD43, and PC42 industrial printers before 10.11.013310 and 10.12.x befo
Multiple stack-based buffer overflows in (1) HWOPOSScale.ocx and (2) HWOPOSSCANNER.ocx in Honeywell OPOS Suite before 1.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in Honeywell MB
Unauthenticated access to Honeywell IQ4x building controller HMI. CVSS 10.0.
An issue was discovered in Honeywell XL Web II controller XL1000C500 XLWebExe-2-01-00 and prior, and XLWeb 500 XLWebExe-
An issue was discovered in Honeywell XL Web II controller XL1000C500 XLWebExe-2-01-00 and prior, and XLWeb 500 XLWebExe-
Controller may be loaded with malicious firmware which could enable remote code execution. Rated critical severity (CVSS
Honeywell ControlEdge through R151.1 uses Hard-coded Credentials. Rated critical severity (CVSS 9.8), this vulnerability
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-19128