CISA advisory ICSA-26-140-01 covers multiple vulnerabilities in Honeywell’s Experion Process Knowledge System (PKS) and C300 Series controller. The Experion PKS is one of the most widely deployed distributed control system (DCS) platforms in the world, with significant installations in oil and gas refineries, petrochemical plants, chemical processing, and pharmaceutical manufacturing. The C300 is the primary field controller in the PKS architecture, executing the process control logic that manages continuous industrial processes.
The disclosed vulnerabilities include a critical authentication bypass and a heap buffer overflow that, when chained, allow an unauthenticated attacker on the OT network to achieve code execution on the C300 controller.
Experion PKS Architecture
In a typical Experion deployment, C300 controllers connect over a dedicated control network (Experion-standard Ethernet, typically a 100Mbps star topology) to server nodes running the Experion application, historian, and operator station software. The C300 communicates with field I/O modules (Series C I/O) and executes control strategies — PID loops, interlocking, sequence logic — at scan rates typically ranging from 100ms to 1s.
The FTE (Fault Tolerant Ethernet) network carrying controller communications is logically separated from the supervisory/HMI network, but both ultimately connect through the Experion application server. Engineering workstations with Honeywell Control Builder software connect to the application server to deploy and modify control strategies on C300 controllers.
The attack path for these vulnerabilities operates at the Experion communication layer between the application server and C300 controllers.
The Vulnerabilities
CVE-2026-6891 — Authentication Bypass in Experion Communication Protocol (CVSS 9.3)
Honeywell’s proprietary communication protocol used between the Experion application server and C300 controllers contains an authentication bypass condition. Certain protocol operations — including device enumeration and initial handshake sequences — do not require successful completion of the authentication exchange. An attacker who can generate valid-looking protocol packets on the control network can enumerate connected C300 devices and initiate communication sessions without presenting valid credentials.
This flaw effectively removes the authentication barrier for subsequent exploitation.
CVE-2026-6892 — Heap Buffer Overflow in C300 Protocol Handler (CVSS 8.8)
Following authentication bypass, the C300’s protocol handler for incoming configuration and control messages contains a heap buffer overflow triggered by an oversized message payload. The overflow can corrupt adjacent heap structures. With heap layout knowledge derived from the device enumeration step, an attacker can influence the overflow to achieve code execution in the context of the C300’s real-time operating system.
Code execution on a C300 in production means: the ability to modify executing control strategies, inject false process values into the historian and HMI, block safety interlock command execution, and persist across controller power cycles via flash storage modification.
Risk Assessment for OT Operators
For operators with Experion PKS deployments, the critical risk factor is whether the control network is accessible from paths that could be traversed by an attacker: vendor remote access networks, shared IT/OT jump hosts, or — in worst-case misconfigured environments — directly from corporate IT segments.
The direct consequence of C300 compromise varies by process. In petrochemical and oil refining applications, loss of DCS controller integrity can result in process excursions, equipment damage, or process safety system activation. In less sensitive manufacturing applications, the impact may be limited to production disruption.
Remediation
Firmware updates: Honeywell has released C300 controller firmware and Experion PKS server updates addressing both CVEs. The update process requires a planned maintenance shutdown for affected control loops. Honeywell’s Cyber Security Advisory portal contains version-specific guidance.
Network isolation: Ensure the Experion FTE/control network is isolated from all external access paths. Engineering workstation access should route through a dedicated jump server with MFA, session logging, and time-limited access approval workflows.
Protocol filtering: Honeywell provides guidance on deploying Experion-aware network filtering at the boundary of the control network. Some next-generation OT firewalls include protocol awareness for Honeywell Experion communications.
Disable unused services: Review enabled services on the Experion application server and C300 controllers. Disable any services not required for operational function.
References
- CISA Advisory ICSA-26-140-01: https://www.cisa.gov/ics-advisories
- Honeywell Cyber Security Advisory portal: https://www.honeywell.com/en-us/product-security
- ISA/IEC 62443-3-3 (DCS security requirements): https://www.isa.org/isa99