Ramat Gan, Israel — Cybersecurity firm SCADAfence has identified previously unknown vulnerabilities in widely deployed building management system devices, prompting U.S. authorities to issue the first-ever security advisories for the affected products.
According to SCADAfence, its research team uncovered multiple critical flaws in industrial Building Management System (BMS) devices from Alerton, which is owned by Honeywell. Following the findings, the National Institute of Standards and Technology issued four new Common Vulnerabilities and Exposures (CVE) entries, marking the first time such weaknesses have been formally recorded for Alerton systems.
One of the vulnerabilities received a severity score of 8.8, placing it in the high-risk category and signaling the potential for serious impact if exploited.
The vulnerabilities affect Alerton’s Ascent product suite, which has been in use since 2014 and is commonly deployed in commercial and industrial buildings to control heating, ventilation, air conditioning, and other critical systems. Security researchers warn that if left unpatched, the flaws could allow unauthorized users to remotely access controllers and alter system configurations without detection.
SCADAfence said the changes made through these exploits would not appear in the system’s user interface, making malicious activity difficult to identify and potentially allowing attackers to manipulate building operations over long periods.
“These vulnerabilities could lead to a major cyber incident if they are not addressed,” said SCADAfence Chief Executive Officer Elad Ben-Meir. He added that the company’s research is part of an ongoing effort to strengthen the security of operational technology networks that underpin critical infrastructure.
The research identified two primary categories of weaknesses. One allows unauthenticated remote users to change device configurations by sending specially crafted network packets, effectively altering how controllers operate without alerting administrators. The second enables unauthenticated programming changes, allowing attackers to upload or modify code on controllers and disrupt or disable normal operations until systems are manually restored.
Security experts warn that exploitation of these flaws could have real-world consequences across multiple sectors. Potential scenarios include temperature manipulation at medical facilities, disruption of pharmaceutical manufacturing processes, overheating in data centers, unsafe conditions in chemical plants, and food safety risks in production facilities that rely on tightly controlled environments.
Any organization operating facilities with the affected Ascent BMS products could be exposed, according to SCADAfence. The company is urging operators to take immediate defensive measures, including isolating operational technology networks, tightening firewall rules, disabling unnecessary network protocols, and monitoring for suspicious activity on building automation systems.
Alerton has been a subsidiary of Honeywell since 2005. SCADAfence said it worked through responsible disclosure channels to report the vulnerabilities before public release.
The discovery highlights growing concern among cybersecurity professionals that legacy industrial and building automation systems have not kept pace with modern security threats, even as they become increasingly connected to enterprise networks and the internet.
Industry analysts say the findings underscore the need for stronger oversight, regular security testing, and updated standards to protect the systems that control critical infrastructure worldwide.

