CVE-2023-5389
CVE-2023-5389 is a critical-severity vulnerability in Honeywell Controledge Unit Operations Controller Firmware with a CVSS 3.x base score of 9.1. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-749.
Key facts
- Severity: Critical (CVSS 3.x base score 9.1)
- EPSS exploit prediction: 1% (51st percentile)
- Actively exploited: Not listed in CISA KEV
- EU (EUVD) id: EUVD-2023-57704
- Weakness: CWE-749
- Affected product: Honeywell Controledge Unit Operations Controller Firmware
- Published:
- Last modified:
Description
An attacker could potentially exploit this vulnerability, leading to the ability to modify files on Honeywell Experion ControlEdge VirtualUOC and ControlEdge UOC . This exploit could be used to write a file that may result in unexpected behavior based on configuration changes or updating of files that could result in subsequent execution of a malicious application if triggered. Honeywell recommends updating to the most recent version of the product. See Honeywell Security Notification for recommendations on upgrading and versioning.
Frequently asked questions
- What is CVE-2023-5389?
- An attacker could potentially exploit this vulnerability, leading to the ability to modify files on Honeywell Experion ControlEdge VirtualUOC and ControlEdge UOC . This exploit could be used to write a file that may result in unexpected behavior based on configuration changes or updating of files that could result in subsequent execution of a malicious application if triggered. Honeywell recommends updating to the most recent version of the product. See Honeywell Security Notification for recommendations on upgrading and versioning.
- How severe is CVE-2023-5389?
- CVE-2023-5389 has a CVSS 3.x base score of 9.1, rated critical severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is none, integrity high, and availability high.
- Is CVE-2023-5389 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 1% (51st percentile), an estimate of the probability of exploitation in the next 30 days.
- What products are affected by CVE-2023-5389?
- CVE-2023-5389 primarily affects Honeywell Controledge Unit Operations Controller Firmware. In total, 2 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
- How do I fix CVE-2023-5389?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Given its critical severity, prioritise patching exposed systems.
- Does CVE-2023-5389 have an EU (EUVD) identifier?
- Yes. CVE-2023-5389 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2023-57704.
- When was CVE-2023-5389 published?
- CVE-2023-5389 was published on 2024-01-30 and last updated on 2026-06-17.
References
Affected products (2)
- cpe:2.3:o:honeywell:controledge_unit_operations_controller_firmware:-:*:*:*:*:*:*:*
- cpe:2.3:o:honeywell:controledge_virtual_unit_operations_controller_firmware:-:*:*:*:*:*:*:*
More vulnerabilities in Honeywell Controledge Unit Operations Controller Firmware
- CVE-2023-5390 — Medium (CVSS 5.3): An attacker could potentially exploit this vulnerability, leading to files being read from the Honeywell Experion…
All CVEs affecting Honeywell Controledge Unit Operations Controller Firmware →
Other CWE-749 vulnerabilities
- CVE-2023-40151 — Critical (CVSS 10.0): When user authentication is not enabled the shell can execute commands with the highest privileges. Red Lion SixTRAK…
- CVE-2026-55454 — Critical (CVSS 9.9): Appsmith is a platform to build admin panels, internal tools, and dashboards. Prior to 2.1, the bundled Caddy…
- CVE-2026-30957 — Critical (CVSS 9.9): OneUptime is a solution for monitoring and managing online services. Prior to 10.0.21, OneUptime Synthetic Monitors…
- CVE-2026-30921 — Critical (CVSS 9.9): OneUptime is a solution for monitoring and managing online services. Prior to 10.0.20, OneUptime Synthetic Monitors…
- CVE-2019-18342 — Critical (CVSS 9.9): A vulnerability has been identified in Control Center Server (CCS) (All versions < V1.5.0). The SFTP service (default…
- CVE-2025-59403 — Critical (CVSS 9.8): The Flock Safety Android Collins application (aka com.flocksafety.android.collins) 6.35.31 for Android lacks…