Severity by source
AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionCVE.org
Honeywell Control Network Module (CNM) contains command injection vulnerability in the web interface. An attacker could exploit this vulnerability via command delimiters, potentially resulting in Remote Code Execution (RCE).
AnalysisAI
Remote code execution in Honeywell Control Network Module (CNM) versions 100.1 through 110.2 allows authenticated high-privilege attackers to inject arbitrary OS commands through the device's web interface using command delimiters. The flaw carries a CVSS 9.1 rating due to scope change and full CIA impact, and no public exploit identified at time of analysis, though the industrial-control context makes any RCE highly consequential. Honeywell has released a patch via its process.honeywell.com portal.
Technical ContextAI
The Control Network Module (CNM) is a Honeywell industrial communications gateway used in Experion PKS and related distributed control system (DCS) deployments to bridge process-control networks. The vulnerability is a classic command injection (CWE-78-class issue, though CWE is unlisted in source data) in the device's HTTP management interface: user-supplied input is concatenated into a shell or system invocation without adequate sanitization of delimiter characters such as ';', '|', '&', '$()', or backticks, allowing attacker-controlled strings to break out of the intended argument and execute additional commands in the underlying OS context. The affected CPE is cpe:2.3:a:honeywell_international_inc.:control_network_module_(cnm), confirming this is a Honeywell-branded application/firmware component rather than a generic third-party library.
RemediationAI
Apply the Honeywell-released patch obtained through the vendor's process automation support portal at https://process.honeywell.com/ - the input confirms a patch is available but does not name the fixed firmware build, so operators must retrieve the exact fixed version from Honeywell's security notification matched to their CNM revision. Until the patch is deployed, restrict network reachability to the CNM web interface by placing the device behind a management VLAN or jump host so only a hardened engineering workstation can reach the HTTP service, rotate and strengthen administrative credentials to neutralize the PR:H precondition, and enable logging/alerting on the CNM management interface to detect anomalous command strings; the trade-off of network segmentation is added latency for legitimate engineering access and potential disruption to remote diagnostic tooling, while credential rotation can temporarily break automation scripts that hardcode the old password.
An ActiveX control in HscRemoteDeploy.dll in Honeywell Enterprise Buildings Integrator (EBI) R310, R400.2, R410.1, and R
Directory traversal vulnerability in the FTP server on Honeywell Excel Web XL1000C50 52 I/O, XL1000C100 104 I/O, XL1000C
Improper Input Validation vulnerability in Honeywell PM43 on 32 bit, ARM (Printer web page modules) allows Command Injec
Honeywell NVR devices allow remote attackers to create a user account in the admin group by leveraging access to a guest
Honeywell Intermec PM23, PM42, PM43, PC23, PC43, PD43, and PC42 industrial printers before 10.11.013310 and 10.12.x befo
Multiple stack-based buffer overflows in (1) HWOPOSScale.ocx and (2) HWOPOSSCANNER.ocx in Honeywell OPOS Suite before 1.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in Honeywell MB
Unauthenticated access to Honeywell IQ4x building controller HMI. CVSS 10.0.
An issue was discovered in Honeywell XL Web II controller XL1000C500 XLWebExe-2-01-00 and prior, and XLWeb 500 XLWebExe-
An issue was discovered in Honeywell XL Web II controller XL1000C500 XLWebExe-2-01-00 and prior, and XLWeb 500 XLWebExe-
Controller may be loaded with malicious firmware which could enable remote code execution. Rated critical severity (CVSS
Honeywell ControlEdge through R151.1 uses Hard-coded Credentials. Rated critical severity (CVSS 9.8), this vulnerability
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-31253
GHSA-ww6q-r9c5-m444