CVE-2017-5139

9.8 CRITICAL

📋 TL;DR

This vulnerability in Honeywell XL Web II controllers allows any user to retrieve passwords by accessing a specific URL due to plaintext password storage. Affected systems include Honeywell XL1000C500 and XLWeb 500 controllers with vulnerable firmware versions, potentially exposing critical building automation systems.

💻 Affected Systems

Products:
  • Honeywell XL1000C500
  • Honeywell XLWeb 500
Versions: XL1000C500: XLWebExe-2-01-00 and prior; XLWeb 500: XLWebExe-1-02-08 and prior
Operating Systems: Embedded controller OS
Default Config Vulnerable: ⚠️ Yes
Notes: Affects both XL1000C500 and XLWeb 500 controller lines with vulnerable firmware versions.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers gain administrative access to building automation systems, enabling manipulation of HVAC, lighting, or physical security controls, potentially causing physical damage or safety hazards.

🟠 Likely Case

Unauthorized users access sensitive passwords, compromising system integrity and enabling further attacks on building management infrastructure.

🟢 If Mitigated

With proper network segmentation and access controls, impact is limited to isolated network segments with no critical system exposure.

🌐 Internet-Facing: HIGH
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires only accessing a specific URL, making it trivial for attackers with network access.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: XL1000C500: XLWebExe-2-02-00; XLWeb 500: XLWebExe-1-03-00

Vendor Advisory: https://ics-cert.us-cert.gov/advisories/ICSA-17-033-01

Restart Required: Yes

Instructions:

1. Download the updated firmware from the Honeywell support portal.
2. Back up the current configuration.
3. Apply the firmware update via the web interface or local console.
4. Restart the controller.
5. Verify the new firmware version.

🔧 Temporary Workarounds

Network Segmentation (applies to: all)

Isolate controllers from untrusted networks and restrict access to authorized IPs only.

Access Control Lists (applies to: all)

Implement firewall rules to block unauthorized access to controller web interfaces.

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate controllers from all untrusted networks
  • Deploy web application firewall rules to block access to vulnerable URL patterns

🔍 How to Verify

Check if Vulnerable:

Access controller web interface and attempt to retrieve password via known vulnerable URL patterns (specific URLs not disclosed for security).

Check Version:

Access controller web interface > System Information > Firmware Version

Verify Fix Applied:

Check firmware version in web interface matches patched versions: XL1000C500: XLWebExe-2-02-00 or later; XLWeb 500: XLWebExe-1-03-00 or later.

📡 Detection & Monitoring

Log Indicators:

  • Unusual access to password-related URLs in web server logs
  • Multiple failed authentication attempts followed by successful access

Network Indicators:

  • HTTP requests to controller URLs from unauthorized IP addresses
  • Unusual traffic patterns to controller web interface

SIEM Query:

source="controller_web_logs" AND (url="*password*" OR url="*credential*")
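The log and network indicators above, turned into runnable detection logic as an added example (this is not code from the advisory or from Honeywell). It parses constructed combined-format web server log lines and raises the same three kinds of alert the page describes: requests whose URL contains "password" or "credential" (the substrings the SIEM query matches), requests from a source IP outside an assumed authorized management range, and a run of failed authentications followed by a success. The log lines, the request paths (including the "/PLACEHOLDER/..." path) and the 10.20.30.0/24 authorized range are all constructed assumptions, not the undisclosed vulnerable URL or any real site's addressing.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample access-log lines (Apache/Nginx combined format) for illustration.
# Paths are placeholders; none is the undisclosed vulnerable URL from the advisory.
SAMPLE_LOG = """\
10.20.30.5 - - [01/Mar/2017:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
10.20.30.5 - - [01/Mar/2017:10:00:05 +0000] "GET /system/status HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.77 - - [01/Mar/2017:10:01:12 +0000] "GET /PLACEHOLDER/password.txt HTTP/1.1" 200 88 "-" "curl/7.52.1"
10.20.30.9 - - [01/Mar/2017:10:02:30 +0000] "GET /admin/credentials HTTP/1.1" 200 300 "-" "Mozilla/5.0"
198.51.100.4 - - [01/Mar/2017:10:03:00 +0000] "POST /login HTTP/1.1" 401 0 "-" "python-requests/2.12"
198.51.100.4 - - [01/Mar/2017:10:03:02 +0000] "POST /login HTTP/1.1" 401 0 "-" "python-requests/2.12"
198.51.100.4 - - [01/Mar/2017:10:03:04 +0000] "POST /login HTTP/1.1" 200 0 "-" "python-requests/2.12"
"""

# Minimal combined-log-format parser: source IP, timestamp, method, path, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \d+'
)

# Hypothetical allowlist of management-network ranges (an assumption; site specific).
AUTHORIZED_NETS = [ip_network("10.20.30.0/24")]
# Same substrings the page's SIEM query matches on.
SENSITIVE_TOKENS = ("password", "credential")


def parse_log(text):
    """Parse combined-format lines into dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            d = m.groupdict()
            d["status"] = int(d["status"])
            events.append(d)
    return events


def is_authorized(ip):
    """True if the source address falls inside an authorized management range."""
    addr = ip_address(ip)
    return any(addr in net for net in AUTHORIZED_NETS)


def find_alerts(events, fail_threshold=2):
    """Return (kind, ip, path) alerts for the page's indicators:
    - sensitive_url: request path contains a sensitive token, from any source;
    - unauthorized_source: any controller request from outside AUTHORIZED_NETS;
    - bruteforce_then_success: >= fail_threshold 401s from one IP on one path,
      followed by a 200 on that same path.
    """
    alerts = []
    fails = {}  # (ip, path) -> consecutive 401 count
    for e in events:
        path = e["path"].lower()
        if any(tok in path for tok in SENSITIVE_TOKENS):
            alerts.append(("sensitive_url", e["ip"], e["path"]))
        if not is_authorized(e["ip"]):
            alerts.append(("unauthorized_source", e["ip"], e["path"]))
        key = (e["ip"], e["path"])
        if e["status"] == 401:
            fails[key] = fails.get(key, 0) + 1
        elif e["status"] == 200 and fails.get(key, 0) >= fail_threshold:
            alerts.append(("bruteforce_then_success", e["ip"], e["path"]))
            fails[key] = 0


    return alerts


if __name__ == "__main__":
    for alert in find_alerts(parse_log(SAMPLE_LOG)):
        print(alert)
```

On the constructed sample this yields seven alerts: the password-path request is flagged both as a sensitive URL and as an unauthorized source, the credentials-path request from an authorized address is flagged as a sensitive URL only, and the three requests from 198.51.100.4 are each flagged as unauthorized, with the final 200 after two 401s also flagged as a brute-force-then-success sequence. Tune AUTHORIZED_NETS and fail_threshold to the site; a production rule would also want the match on URL substrings to cover URL-encoded variants, which this example does not attempt.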
