CVE-2017-5142 – This vulnerability in Honeywell XL Web II contr... (How to Fix)

Q: What is the severity of CVE-2017-5142?

CVE-2017-5142 has a CVSS score of 9.1 (CRITICAL). This vulnerability in Honeywell XL Web II controllers allows low-privileged users to access privileged functions by visiting a specific URL, enabling unauthorized parameter changes. It affects Honeywell XL1000C500 and XLWeb 500 controllers with specific firmware versions. This is an improper privilege management issue that could allow attackers to manipulate industrial control system parameters.

📋 TL;DR

This vulnerability in Honeywell XL Web II controllers allows low-privileged users to access privileged functions by visiting a specific URL, enabling unauthorized parameter changes. It affects Honeywell XL1000C500 and XLWeb 500 controllers with specific firmware versions. This is an improper privilege management issue that could allow attackers to manipulate industrial control system parameters.

💻 Affected Systems

Products:

Honeywell XL1000C500 XL Web II controller
Honeywell XLWeb 500 controller

Versions: XL1000C500: XLWebExe-2-01-00 and prior; XLWeb 500: XLWebExe-1-02-08 and prior

Operating Systems: Embedded/Proprietary

Default Config Vulnerable: ⚠️ Yes

Notes: Affects industrial control systems used in building automation and other industrial applications.

📦 What is this software?

Xl Web Ii Controller by Honeywell

View all CVEs affecting Xl Web Ii Controller →

Xl Web Ii Controller by Honeywell

View all CVEs affecting Xl Web Ii Controller →

⚠️ Risk & Real-World Impact

🔴

Worst Case

An attacker could modify critical industrial control parameters, potentially causing physical damage, safety hazards, or operational disruption in industrial environments.

🟠

Likely Case

Unauthorized users could change system configurations, disrupt operations, or gain elevated privileges within the control system.

🟢

If Mitigated

With proper network segmentation and access controls, impact would be limited to isolated network segments with minimal operational disruption.

🌐 Internet-Facing: HIGH

🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ✅ No

Complexity: LOW

Exploitation requires low-privileged access and knowledge of specific URL. No public exploit code identified.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: XL1000C500: XLWebExe-2-02-00 or later; XLWeb 500: XLWebExe-1-02-09 or later

Vendor Advisory: https://ics-cert.us-cert.gov/advisories/ICSA-17-033-01

Restart Required: Yes

Instructions:

1. Download updated firmware from Honeywell support portal. 2. Backup current configuration. 3. Apply firmware update following vendor instructions. 4. Restart controller. 5. Verify proper operation.

🔧 Temporary Workarounds

Network Segmentation

all

Isolate affected controllers from general network access and restrict to necessary connections only.

Access Control Restrictions

all

Implement strict access controls and limit user privileges to minimum necessary for operations.

🧯 If You Can't Patch

Implement strict network segmentation to isolate affected controllers
Apply principle of least privilege and audit all user accounts

🔍 How to Verify

Check if Vulnerable:

Check firmware version via controller web interface or management console. Compare against affected versions.

Check Version:

Check via controller web interface or vendor-specific management tools

Verify Fix Applied:

Verify firmware version is updated to patched versions and test that low-privileged users cannot access privileged functions.

📡 Detection & Monitoring

Log Indicators:

Unauthorized access attempts to privileged URLs
Unexpected parameter changes by low-privileged users

Network Indicators:

HTTP requests to specific controller URLs from unauthorized users

SIEM Query:

source="controller_logs" AND (url_path="*privileged*" OR user_privilege="low") AND action="modify"

📊 Metadata

CVE ID: CVE-2017-5142

CVSS v3 Score: 9.1 (CRITICAL)

CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L

CWE: CWE-269

Published: February 13, 2017

Last Updated: April 20, 2025

🔗 References

http://www.securityfocus.com/bid/95971 Third Party Advisory,VDB Entry
https://ics-cert.us-cert.gov/advisories/ICSA-17-033-01 Third Party Advisory,US Government Resource
http://www.securityfocus.com/bid/95971 Third Party Advisory,VDB Entry
https://ics-cert.us-cert.gov/advisories/ICSA-17-033-01 Third Party Advisory,US Government Resource

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2017-5142, you might also want to check these: