Description
Honeywell Control Network Module (CNM) contains command injection vulnerability in the web interface. An attacker could exploit this vulnerability via command delimiters, potentially resulting in Remote Code Execution (RCE).
Published: 2026-05-21
Score: 9.1 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an improper sanitization flaw that allows an attacker to inject arbitrary command delimiters through the CNM web interface, leading to Remote Code Execution. The weakness permits execution of malicious commands outside the intended context, potentially compromising system integrity and confidentiality.

Affected Systems

Honeywell Control Network Module is affected. The specific product name is Control Network Module (CNM) from Honeywell International Inc. Version information is not disclosed, indicating that the flaw may exist across multiple or all current releases.

Risk and Exploitability

The CVSS score of 9.1 indicates critical severity, and although EPSS data is not available, the risk remains significant. The vulnerability is exploitable remotely via the web interface; the description does not specify an authentication requirement, so it is inferred that the web interface may be accessible without specific credentials or that authentication may not mitigate the flaw. Based on the description, the likely attack vector is through command delimiters injected via the web interface. The absence of a KEV listing does not reduce its threat, as the nature of RCE enables a wide range of malicious outcomes.

Generated by OpenCVE AI on May 21, 2026 at 11:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor‑issued patch or firmware update for the CNM as soon as it becomes available
  • If a patch is not yet released, limit external network access to the CNM web interface by implementing firewall rules or placing it behind a VPN
  • Disable or remove the web interface capability if the device can operate without it, or restrict it to trusted local management only

Generated by OpenCVE AI on May 21, 2026 at 11:24 UTC.

Advisories

No advisories yet.

References
History

Thu, 21 May 2026 13:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 21 May 2026 11:45:00 +0000

Type | Values Removed | Values Added
Weaknesses | | CWE-78

Thu, 21 May 2026 09:00:00 +0000

Type | Values Removed | Values Added
Description | | Honeywell Control Network Module (CNM) contains command injection vulnerability in the web interface. An attacker could exploit this vulnerability via command delimiters, potentially resulting in Remote Code Execution (RCE).
Title | | Improper Sanitization in CNM Web Interface
References | |
Metrics | | cvssV3_1 {'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: Honeywell

Published:

Updated: 2026-05-21T12:38:52.263Z

Reserved: 2026-04-02T16:12:22.574Z

Link: CVE-2026-5433

Vulnrichment

Updated: 2026-05-21T12:38:46.162Z

NVD

Status: Awaiting Analysis

Published: 2026-05-21T09:16:30.270

Modified: 2026-05-21T15:26:35.653

Link: CVE-2026-5433

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-21T11:30:06Z

Weaknesses