CVE-2026-5433 (GCVE-0-2026-5433)
Vulnerability from cvelistv5 – Published: 2026-05-21 08:35 – Updated: 2026-05-21 12:38
VLAI?
Title
Improper Sanitization in CNM Web Interface
Summary
Honeywell Control
Network Module (CNM) contains command injection vulnerability
in the web interface. An attacker could exploit this vulnerability via command
delimiters, potentially resulting in Remote Code Execution (RCE).
Severity ?
9.1 (Critical)
CWE
- CWE‑77 – Improper Neutralization of Special Elements
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://process.honeywell.com/ | patch |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Honeywell International Inc. | Control Network Module (CNM) |
Affected:
100.1 , ≤ 110.2
(cpe)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-5433",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-21T12:38:39.246019Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-21T12:38:52.263Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"platforms": [
"CNM"
],
"product": "Control Network Module (CNM)",
"vendor": "Honeywell International Inc.",
"versions": [
{
"lessThanOrEqual": "110.2",
"status": "affected",
"version": "100.1",
"versionType": "cpe"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Andreas Kr\u00e4mer, BASF Digital Solutions GmbH"
},
{
"lang": "en",
"type": "finder",
"value": "Martin Floeck, BASF Digital Solutions GmbH"
},
{
"lang": "en",
"type": "finder",
"value": "Stefan Stahl, BASF Digital Solutions GmbH"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eHoneywell Control\nNetwork Module (CNM)\u0026nbsp;contains command injection vulnerability\nin the web interface. An attacker could exploit this vulnerability via command\ndelimiters, potentially resulting in Remote Code Execution (RCE).\u0026nbsp;\u003c/p\u003e"
}
],
"value": "Honeywell Control\nNetwork Module (CNM)\u00a0contains command injection vulnerability\nin the web interface. An attacker could exploit this vulnerability via command\ndelimiters, potentially resulting in Remote Code Execution (RCE)."
}
],
"impacts": [
{
"descriptions": [
{
"lang": "en",
"value": "CAPEC\u2011248 \u2013 Command Injection"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE\u201177 \u2013 Improper Neutralization of Special Elements",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-21T08:35:31.438Z",
"orgId": "0dc86260-d7e3-4e81-ba06-3508e030ce8d",
"shortName": "Honeywell"
},
"references": [
{
"tags": [
"patch"
],
"url": "https://process.honeywell.com/"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Improper Sanitization in CNM Web Interface",
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "0dc86260-d7e3-4e81-ba06-3508e030ce8d",
"assignerShortName": "Honeywell",
"cveId": "CVE-2026-5433",
"datePublished": "2026-05-21T08:35:31.438Z",
"dateReserved": "2026-04-02T16:12:22.574Z",
"dateUpdated": "2026-05-21T12:38:52.263Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2026-5433",
"date": "2026-05-21",
"epss": "0.0026",
"percentile": "0.4942"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2026-5433\",\"sourceIdentifier\":\"psirt@honeywell.com\",\"published\":\"2026-05-21T09:16:30.270\",\"lastModified\":\"2026-05-21T15:26:35.653\",\"vulnStatus\":\"Undergoing Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Honeywell Control\\nNetwork Module (CNM)\u00a0contains command injection vulnerability\\nin the web interface. An attacker could exploit this vulnerability via command\\ndelimiters, potentially resulting in Remote Code Execution (RCE).\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"psirt@honeywell.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H\",\"baseScore\":9.1,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"HIGH\",\"userInteraction\":\"NONE\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.3,\"impactScore\":6.0}]},\"references\":[{\"url\":\"https://process.honeywell.com/\",\"source\":\"psirt@honeywell.com\"}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-5433\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-05-21T12:38:39.246019Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-05-21T12:38:46.162Z\"}}], \"cna\": {\"title\": \"Improper Sanitization in CNM Web Interface\", \"source\": {\"discovery\": \"EXTERNAL\"}, \"credits\": [{\"lang\": \"en\", \"type\": \"finder\", \"value\": \"Andreas Kr\\u00e4mer, BASF Digital Solutions GmbH\"}, {\"lang\": \"en\", \"type\": \"finder\", \"value\": \"Martin Floeck, BASF Digital Solutions GmbH\"}, {\"lang\": \"en\", \"type\": \"finder\", \"value\": \"Stefan Stahl, BASF Digital Solutions GmbH\"}], \"impacts\": [{\"descriptions\": [{\"lang\": \"en\", \"value\": \"CAPEC\\u2011248 \\u2013 Command Injection\"}]}], \"metrics\": [{\"format\": \"CVSS\", \"cvssV3_1\": {\"scope\": \"CHANGED\", \"version\": \"3.1\", \"baseScore\": 9.1, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"CRITICAL\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"HIGH\", \"confidentialityImpact\": \"HIGH\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"vendor\": \"Honeywell International Inc.\", \"product\": \"Control Network Module (CNM)\", \"versions\": [{\"status\": \"affected\", \"version\": \"100.1\", \"versionType\": \"cpe\", \"lessThanOrEqual\": \"110.2\"}], \"platforms\": [\"CNM\"], \"defaultStatus\": \"unaffected\"}], \"references\": [{\"url\": \"https://process.honeywell.com/\", \"tags\": [\"patch\"]}], \"x_generator\": {\"engine\": \"Vulnogram 1.0.2\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"Honeywell Control\\nNetwork Module (CNM)\\u00a0contains command injection vulnerability\\nin the web interface. An attacker could exploit this vulnerability via command\\ndelimiters, potentially resulting in Remote Code Execution (RCE).\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"\u003cp\u003eHoneywell Control\\nNetwork Module (CNM)\u0026nbsp;contains command injection vulnerability\\nin the web interface. An attacker could exploit this vulnerability via command\\ndelimiters, potentially resulting in Remote Code Execution (RCE).\u0026nbsp;\u003c/p\u003e\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"description\": \"CWE\\u201177 \\u2013 Improper Neutralization of Special Elements\"}]}], \"providerMetadata\": {\"orgId\": \"0dc86260-d7e3-4e81-ba06-3508e030ce8d\", \"shortName\": \"Honeywell\", \"dateUpdated\": \"2026-05-21T08:35:31.438Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2026-5433\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-05-21T12:38:52.263Z\", \"dateReserved\": \"2026-04-02T16:12:22.574Z\", \"assignerOrgId\": \"0dc86260-d7e3-4e81-ba06-3508e030ce8d\", \"datePublished\": \"2026-05-21T08:35:31.438Z\", \"assignerShortName\": \"Honeywell\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
}
}
Loading…
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…