CVE-2022-30318
Published 2022-08-31
Priority P265 · critical · 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 1.34% (67.9th percentile)
Honeywell ControlEdge through R151.1 uses Hard-coded Credentials. According to FSCT-2022-0056, there is a Honeywell ControlEdge hardcoded credentials issue. The affected components are characterized as: SSH. The potential impact is: Remote code execution, manipulate configuration, denial of service. The Honeywell ControlEdge PLC and RTU product line exposes an SSH service on port 22/TCP. Login as root to this service is permitted and credentials for the root user are hardcoded without automatically changing them upon first commissioning. The credentials for the SSH service are hardcoded in the firmware. The credentials grant an attacker access to a root shell on the PLC/RTU, allowing for remote code execution, configuration manipulation and denial of service.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| honeywell | controledge_plc_firmware | < r151.2 | r151.2 |
| honeywell | controledge_rtu_firmware | < r151.2 | r151.2 |
Detection & IOCs (extracted from sources)
- Detect unauthorized or anomalous root SSH logins to Honeywell ControlEdge devices on port 22/TCP, which may indicate exploitation of hardcoded root credentials.
- Monitor for SSH sessions to ControlEdge PLCs/RTUs originating from unexpected or external network sources, especially those authenticating as root.
- Alert on any internet-facing or firewall-exposed SSH (port 22/TCP) connections to ControlEdge devices running firmware versions prior to 151.2.
- Hardcoded root credentials are embedded in the firmware itself and are not rotated on first commissioning, meaning all unpatched devices share the same static credentials.
- No known public exploits specifically target this vulnerability at time of advisory publication, but the CVSS v3 score is 9.8 (AV:N/AC:L/PR:N/UI:N) indicating trivial remote exploitation.
- The vulnerability is classified as Missing Authentication for Critical Function (CWE-798); the root account is accessible with no per-device credential differentiation until upgrade to version 151.2.
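One way to implement the source-based checks above, as an added example that is not part of the advisory or any vendor tooling. It flags 22/TCP flows to inventoried ControlEdge devices from non-allowlisted sources and ranks them by firmware level and source location. The CSV flow format, inventory, allowlist and all addresses are constructed assumptions, and flow data cannot show which account authenticated.

```python
import csv
import io
import ipaddress
import re

FIXED = (151, 2)  # first fixed release per the affected-versions table (R151.2)
# Constructed asset inventory: device IP -> firmware string (assumed "R<major>.<minor>")
INVENTORY = {"10.20.0.11": "R151.1", "10.20.0.12": "R151.2", "10.20.0.13": "R140.1"}
# Assumed site policy: only the engineering-workstation subnet may SSH to controllers
ALLOWED_SOURCES = [ipaddress.ip_network("10.20.5.0/28")]
# Assumed internal address space; any source outside it is treated as external
SITE_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed flow records, in the shape a flow collector might export them
FLOWS = """ts,src,dst,dport,proto
2022-09-01T08:00:01Z,10.20.5.4,10.20.0.11,22,tcp
2022-09-01T08:03:10Z,10.30.7.9,10.20.0.11,22,tcp
2022-09-01T08:04:55Z,203.0.113.50,10.20.0.13,22,tcp
2022-09-01T08:05:20Z,10.30.7.9,10.20.0.12,22,tcp
2022-09-01T08:06:00Z,10.30.7.9,10.20.0.11,502,tcp
"""

def firmware_vulnerable(version):
    """True if firmware is older than R151.2; unparseable versions count as vulnerable."""
    m = re.fullmatch(r"[Rr]?(\d+)\.(\d+)", version.strip())
    return m is None or (int(m.group(1)), int(m.group(2))) < FIXED

def find_alerts(flow_csv, inventory=INVENTORY, allowed=ALLOWED_SOURCES):
    """Return alerts for 22/TCP flows to inventoried devices from non-allowlisted sources."""
    alerts = []
    for row in csv.DictReader(io.StringIO(flow_csv)):
        if row["proto"] != "tcp" or row["dport"] != "22" or row["dst"] not in inventory:
            continue
        src = ipaddress.ip_address(row["src"])
        if any(src in net for net in allowed):
            continue
        vulnerable = firmware_vulnerable(inventory[row["dst"]])
        external = not any(src in net for net in SITE_NETWORKS)
        # Highest severity: unpatched device reached from outside the site networks
        severity = "critical" if vulnerable and external else "high" if vulnerable else "medium"
        alerts.append({"ts": row["ts"], "src": row["src"], "dst": row["dst"],
                       "firmware": inventory[row["dst"]], "severity": severity})
    return alerts

if __name__ == "__main__":
    for alert in find_alerts(FLOWS):
        print(alert)
```

Patched devices still produce a medium alert here, because SSH from an unexpected source is worth reviewing regardless of firmware level.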
GHSA
GHSA-2jhj-7g8h-j3h6: Honeywell ControlEdge through R151
ghsa_unreviewed·2022-09-01
CVE-2022-30318 [CRITICAL] CWE-798 GHSA-2jhj-7g8h-j3h6: Honeywell ControlEdge through R151
CISA ICS
Honeywell ControlEdge
cisa_ics·2022-08-30·CVSS 9.8
[CRITICAL] Honeywell ControlEdge
ICS Advisory
## Honeywell ControlEdge
Last Revised: August 30, 2022
Alert Code: ICSA-22-242-06
## 1. EXECUTIVE SUMMARY
- CVSS v3 9.8
- ATTENTION: Exploitable remotely/low attack complexity
- Vendor: Honeywell
- Equipment: ControlEdge
- Vulnerability: Missing Authentication for Critical Function
CISA is aware of a public report known as “OT:ICEFALL” that details vulnerabilities found in multiple operational technology (OT) vendors. CISA is issuing this advisory to provide notice of the reported vulnerabilities and identify baseline mitigations for reducing risks to these and other cybersecurity
No detection rules found.
No public exploits indexed.