CVE-2026-5433 PUBLISHED

Improper Sanitization in CNM Web Interface

Assigner: Honeywell
Reserved: 02.04.2026 Published: 21.05.2026 Updated: 21.05.2026

Honeywell Control Network Module (CNM) contains command injection vulnerability in the web interface. An attacker could exploit this vulnerability via command delimiters, potentially resulting in Remote Code Execution (RCE).

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
CVSS Score: 9.1

Attack Vector	Network	Scope	Changed
Attack Complexity	Low	Confidentiality Impact	High
Privileges Required	High	Integrity Impact	High
User Interaction	None	Availability Impact	High

CVSS 3.1

Product Status

Vendor	Honeywell International Inc.
Product	Control Network Module (CNM)
Versions	Default: unaffected affected from 100.1 to 110.2 (incl.)

Credits

Andreas Krämer, BASF Digital Solutions GmbH finder
Martin Floeck, BASF Digital Solutions GmbH finder
Stefan Stahl, BASF Digital Solutions GmbH finder

References

https://process.honeywell.com/

Problem Types

CWE‑77 – Improper Neutralization of Special Elements

Impacts

CAPEC‑248 – Command Injection