CVE-2023-51605

6.5 MEDIUM
XXE

📋 TL;DR

This XXE vulnerability in Honeywell Saia PG5 Controls Suite allows attackers to read sensitive files from the system when users open malicious XML files. The vulnerability affects installations where users process untrusted XML documents. User interaction is required as victims must open a malicious file or visit a malicious webpage.

💻 Affected Systems

Products:
  • Honeywell Saia PG5 Controls Suite
Versions: Prior to the security update
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Affects installations where XML file processing is enabled. User interaction required for exploitation.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system file disclosure including configuration files, credentials, and sensitive operational data from the control system environment.

🟠 Likely Case

Disclosure of local files accessible to the application process, potentially including configuration files and system information.

🟢 If Mitigated

Limited impact with proper network segmentation and user training to avoid opening untrusted files.

🌐 Internet-Facing: MEDIUM - Requires user interaction but could be delivered via web interfaces or email attachments.
🏢 Internal Only: HIGH - Internal users could be tricked into opening malicious files, potentially exposing sensitive control system data.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires user interaction but is technically simple once a malicious file is opened.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check Honeywell security advisory for specific version

Vendor Advisory: https://www.honeywell.com/us/en/support/security/cyber-security-updates

Restart Required: Yes

Instructions:

1. Check Honeywell security advisory for specific patch version
2. Download and install the security update from Honeywell
3. Restart the application and verify functionality

🔧 Temporary Workarounds

Disable XML external entity processing (platform: all)

Configure XML parser to disable external entity resolution

Set XML parser properties: FEATURE_SECURE_PROCESSING = true, DISALLOW_DOCTYPE_DECL = true

Restrict file access (platform: Windows)

Limit application permissions to prevent file system access

Run application with least privilege user account
Set file system permissions to restrict access

🧯 If You Can't Patch

  • Implement strict user training to never open untrusted XML files
  • Deploy application whitelisting to prevent execution of unauthorized applications
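
One way to back up the "never open untrusted XML files" rule with a technical control is to screen incoming files for DTD and external entity declarations before anyone opens them. The Python below is an added example, not Honeywell's code or part of the advisory; the function names, verdict strings and sample documents are assumptions made for illustration. It never hands the file to an XML parser, so the screening step cannot itself resolve an entity.

```python
import re

# Comments and CDATA can legitimately contain the text "<!DOCTYPE"; drop them first.
_INERT = re.compile(r"<!--.*?-->|<!\[CDATA\[.*?\]\]>", re.S)
# <!ENTITY name SYSTEM "uri"> and the parameter form <!ENTITY % name PUBLIC ...>
_EXT_ENTITY = re.compile(r"<!ENTITY\s+(%\s+)?[^\s>]+\s+(SYSTEM|PUBLIC)\s")
# <!DOCTYPE root SYSTEM "uri"> pulls in an external DTD subset
_EXT_DTD = re.compile(r"<!DOCTYPE\s+[^\s\[>]+\s+(SYSTEM|PUBLIC)\s")
_ANY_DTD = re.compile(r"<!(DOCTYPE|ENTITY)\s")
_DECLARED = re.compile(r"<\?xml[^>]*encoding\s*=\s*[\"']([\w.-]+)")
# Encodings in which ASCII markup stays visible after decode_xml()
_KNOWN = {"utf-8", "utf-16", "us-ascii", "iso-8859-1", "windows-1252"}

def decode_xml(raw: bytes) -> str:
    """Decode by BOM or UTF-16 byte pattern so a wide encoding cannot hide a DTD."""
    for bom, enc in ((b"\xef\xbb\xbf", "utf-8"), (b"\xff\xfe", "utf-16-le"),
                     (b"\xfe\xff", "utf-16-be")):
        if raw.startswith(bom):
            return raw[len(bom):].decode(enc, errors="replace")
    if raw[:4] == b"<\x00?\x00":
        return raw.decode("utf-16-le", errors="replace")
    if raw[:4] == b"\x00<\x00?":
        return raw.decode("utf-16-be", errors="replace")
    return raw.decode("utf-8", errors="replace")

def screen_xml(raw: bytes) -> str:
    """Classify a file's bytes as 'external-entity', 'dtd', 'review' or 'clean'."""
    text = _INERT.sub("", decode_xml(raw))
    declared = _DECLARED.search(text[:200])
    if declared and declared.group(1).lower() not in _KNOWN:
        return "review"  # unfamiliar encoding: markup may not be visible to the regexes
    if _EXT_ENTITY.search(text) or _EXT_DTD.search(text):
        return "external-entity"
    if _ANY_DTD.search(text):
        return "dtd"
    return "clean"

# Constructed samples; the path is a placeholder, not a value from the advisory.
SAMPLE_CLEAN = b'<?xml version="1.0" encoding="UTF-8"?><project name="demo"/>'
SAMPLE_EXTERNAL = (b'<?xml version="1.0"?>\n<!DOCTYPE project [\n'
                   b'  <!ENTITY x SYSTEM "file:///C:/example/placeholder.txt">\n'
                   b']>\n<project>&x;</project>')

if __name__ == "__main__":
    for name, data in (("clean", SAMPLE_CLEAN), ("external", SAMPLE_EXTERNAL)):
        print(name, "->", screen_xml(data))
```

Any verdict other than `clean` is a reason to hold the file for review rather than open it in the engineering tool.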

🔍 How to Verify

Check if Vulnerable:

Check application version against Honeywell's patched version list in security advisory

Check Version:

Check Help > About in Saia PG5 Controls Suite application

Verify Fix Applied:

Verify installed version matches or exceeds patched version from Honeywell advisory

📡 Detection & Monitoring

Log Indicators:

  • Unusual file access patterns by the application
  • Multiple failed file access attempts
  • Application crashes during XML processing

Network Indicators:

  • Outbound connections to unusual URIs during XML processing
  • Data exfiltration patterns

SIEM Query:

source="application_logs" AND (process="SaiaPG5" OR process="pg5") AND (event="file_access" OR event="xml_parse") AND result="success" AND file_path CONTAINS "file://"
