CVE-2022-30315
Published: 28 July 2022
Summary
CVE-2022-30315 is a critical-severity Insufficient Verification of Data Authenticity (CWE-345) vulnerability in Honeywell Safety Manager Firmware. Its CVSS base score is 9.8 (Critical).
Its EPSS percentile places it in the top 18.8% of CVEs by estimated exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
Honeywell Experion PKS Safety Manager controllers (both SM and FSC families) through May 2022 contain an insufficient verification of data authenticity vulnerability (CWE-345) in the FSC runtime components and Safety Builder engineering software. The controllers accept control logic downloads over the unauthenticated Safety Builder protocol on a block-by-block basis; the logic consists of native machine code that is not cryptographically signed or validated before execution on the CPU module.
An attacker who can reach a controller over the Safety Builder protocol can supply arbitrary machine code, achieving unauthenticated remote code execution and denial-of-service conditions on the CPU module. Because the underlying microprocessor is believed to lack memory protection and privilege separation, successful exploitation grants full control of the runtime, enabling covert manipulation of safety logic comparable to the TRITON malware. Some, but not all, of this attacker capability requires the controller's physical keyswitch to be in the right position, so the keyswitch is a partial mitigation only.
CISA advisory ICSA-22-207-02 and associated Forescout disclosures recommend isolating Safety Manager systems from untrusted networks, restricting access to the Safety Builder protocol, and applying vendor firmware or configuration updates when available.
EPSS scores for the CVE rose from a low baseline to a peak of 0.0649 (roughly a 6.5% estimated probability of exploitation within 30 days) in January 2025 before receding. EPSS is a model-based estimate of exploitation likelihood, not evidence of observed exploitation, so the rise indicates growing predicted interest well after public disclosure rather than confirmed attacks.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-52264
Vulnerability details
Honeywell Experion PKS Safety Manager (SM and FSC) through 2022-05-06 has Insufficient Verification of Data Authenticity. According to FSCT-2022-0053, there is a Honeywell Experion PKS Safety Manager insufficient logic security controls issue. The affected components are characterized as: Honeywell FSC runtime (FSC-CPU, QPP), Honeywell Safety Builder. The potential impact is: Remote Code Execution, Denial of Service.

The Honeywell Experion PKS Safety Manager family of safety controllers utilize the unauthenticated Safety Builder protocol (FSCT-2022-0051) for engineering purposes, including downloading projects and control logic to the controller. Control logic is downloaded to the controller on a block-by-block basis. The logic that is downloaded consists of FLD code compiled to native machine code for the CPU module (which applies to both the Safety Manager and FSC families). Since this logic does not seem to be cryptographically authenticated, it allows an attacker capable of triggering a logic download to execute arbitrary machine code on the controller's CPU module in the context of the runtime. While the researchers could not verify this in detail, the researchers believe that the microprocessor underpinning the FSC and Safety Manager CPU modules is incapable of offering memory protection or privilege separation capabilities, which would give an attacker full control of the CPU module.

There is no authentication on control logic downloaded to the controller. Memory protection and privilege separation capabilities for the runtime are possibly lacking. The researchers confirmed the issues in question on Safety Manager R145.1 and R152.2 but suspect the issue affects all FSC and SM controllers and associated Safety Builder versions regardless of software or firmware revision. An attacker who can communicate with a Safety Manager controller via the Safety Builder protocol can execute arbitrary code without restrictions on the CPU module, allowing for covert manipulation of control operations and implanting capabilities similar to the TRITON malware (MITRE ATT&CK software ID S1009). A mitigating factor with regards to some, but not all, of the above functionality is that these require the Safety Manager physical keyswitch to be in the right position.
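The logic-download path described in the deeper analysis and in the vulnerability details above, modelled as an added example. This is not Honeywell's, Forescout's or Safety Builder's code: the Safety Builder wire format is not public on this page, so the block framing, the keyswitch model, the HMAC-SHA256 tag and the shared provisioning key are all assumptions for illustration. The vulnerable controller accepts any block from any peer, exactly the CWE-345 condition; the hardened one refuses a block unless the keyswitch is in PROGRAM, the sequence number is in order (no replay or reordering), the per-block tag verifies, and an authenticated commit over the whole transcript matches before staged logic becomes active. A production fix would use an asymmetric signature so the controller holds only a public key; HMAC is used here only because it is in the standard library.

```python
"""Added model of an authenticated logic download for a safety controller.

Not Honeywell code. Message framing, keyswitch handling, HMAC-SHA256 tags
and the shared provisioning key are assumptions made for illustration.
"""
import hashlib
import hmac
import struct

KEYSWITCH_RUN = "RUN"
KEYSWITCH_PROGRAM = "PROGRAM"


def _block_mac(key, seq, code):
    """Tag over (sequence number || code). Binding seq stops an attacker
    replaying or reordering blocks that were authentic on their own."""
    return hmac.new(key, struct.pack(">I", seq) + code, hashlib.sha256).digest()


def _commit_mac(key, count, transcript_digest):
    """Tag over the whole download: block count plus a running digest of all code."""
    msg = b"COMMIT" + struct.pack(">I", count) + transcript_digest
    return hmac.new(key, msg, hashlib.sha256).digest()


class EngineeringStation:
    """Stand-in for the engineering tool: emits compiled logic block by block
    (the 'machine code' here is just bytes) and authenticates each block."""

    def __init__(self, key):
        self._key = key
        self._seq = 0
        self._transcript = hashlib.sha256()

    def make_block(self, code):
        blk = (self._seq, code, _block_mac(self._key, self._seq, code))
        self._transcript.update(code)
        self._seq += 1
        return blk

    def make_commit(self):
        return _commit_mac(self._key, self._seq, self._transcript.digest())


class VulnerableController:
    """Behaviour the advisory describes: native-code blocks from anyone who can
    speak the protocol are accepted and run with no authenticity check."""

    def __init__(self):
        self.active_logic = []

    def download(self, seq, code, tag=b""):
        self.active_logic.append(code)
        return True


class HardenedController:
    """Verifies authenticity, ordering and physical authorisation before staging,
    and activates staged logic only after an authenticated commit."""

    def __init__(self, key, keyswitch=KEYSWITCH_RUN):
        self._key = key
        self.keyswitch = keyswitch
        self.active_logic = []
        self._reset()

    def _reset(self):
        self._next_seq = 0
        self._staged = []
        self._transcript = hashlib.sha256()

    def download(self, seq, code, tag):
        if self.keyswitch != KEYSWITCH_PROGRAM:
            return "keyswitch"          # physical interlock, checked first
        if seq != self._next_seq:
            return "sequence"           # replay / reorder / gap
        if not hmac.compare_digest(_block_mac(self._key, seq, code), tag):
            return "mac"                # unauthenticated or tampered block
        self._staged.append(code)
        self._transcript.update(code)
        self._next_seq += 1
        return "ok"

    def commit(self, commit_tag):
        expected = _commit_mac(self._key, self._next_seq, self._transcript.digest())
        if self.keyswitch != KEYSWITCH_PROGRAM or not hmac.compare_digest(expected, commit_tag):
            self._reset()               # discard everything on any failure
            return False
        self.active_logic = list(self._staged)
        self._reset()
        return True


def demo():
    key = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)  # constructed key
    good = [b"\x01\x02\x03", b"\x04\x05"]                          # constructed logic blocks
    evil = b"\xcc\xcc\xcc"                                         # attacker payload
    results = {"vulnerable_accepts_unsigned": VulnerableController().download(0, evil)}

    ctl = HardenedController(key, keyswitch=KEYSWITCH_PROGRAM)
    station = EngineeringStation(key)
    results["hardened_rejects_unsigned"] = ctl.download(0, evil, b"")
    b0 = station.make_block(good[0])
    results["hardened_rejects_tampered"] = ctl.download(b0[0], evil, b0[2])
    results["accepts_block0"] = ctl.download(*b0)
    results["rejects_replay"] = ctl.download(*b0)
    results["accepts_block1"] = ctl.download(*station.make_block(good[1]))
    results["commit"] = ctl.commit(station.make_commit())
    results["active_logic"] = ctl.active_logic

    locked = HardenedController(key, keyswitch=KEYSWITCH_RUN)
    results["run_position_refuses"] = locked.download(*EngineeringStation(key).make_block(good[0]))
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

Checking the keyswitch before anything else mirrors the advisory's point that the physical switch gates some functionality but is not a substitute for authenticating the code itself: in the RUN position no download is accepted, and in PROGRAM an unauthenticated or replayed block is still refused.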
- CWE(s): CWE-345 (Insufficient Verification of Data Authenticity)
Related Threats
No named actor attribution yet; the advisory cites TRITON (MITRE ATT&CK software ID S1009) as comparable tradecraft, not as an attribution. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Honeywell Experion PKS Safety Manager controllers (SM and FSC families) through 2022-05-06, including the FSC runtime (FSC-CPU, QPP), and the Honeywell Safety Builder engineering software. Confirmed on Safety Manager R145.1 and R152.2; the researchers suspect all FSC and SM controllers and associated Safety Builder versions are affected regardless of revision.
Mitigating Controls
Likely Mitigating Controls
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
- Requires independent verification of matching output before adverse decisions, mitigating insufficient authenticity checks on data from external sources.
- Use of approved PKI certificates provides verifiable data authenticity and origin for communications and artifacts.
- Mandates provision of authenticity and integrity artifacts that enable verification of name/address resolution data (a generic CWE-345 mapping; name resolution is not the data path at issue here).
- Requires explicit verification of data authenticity from authoritative sources, preventing acceptance of unauthenticated resolution responses (likewise a generic mapping).
- Requires verification of data authenticity/integrity (e.g., checksums) after aggregation/packing, reducing exploitation of insufficient verification before transmission.
- Time synchronization supports reliable freshness verification when checking data authenticity across systems or components.
- Mandates verification of data authenticity for software, firmware, and information. This is the control most directly relevant to this CVE: the downloaded control logic is native machine code and should be cryptographically authenticated before the CPU module executes it.
- Provenance documentation and monitoring enable verification of authenticity for components and data throughout their history.

Because these entries are derived from the CWE rather than from the product, the practitioner-level controls remain those in the CISA advisory: isolate Safety Manager systems from untrusted networks, restrict which hosts can speak the Safety Builder protocol to the controllers, keep the keyswitch out of the programming position except during authorised changes, and apply vendor updates when available.