In February 2015, Outpost24 identified two additional security issues in Honeywell XLWeb: a directory traversal flaw (CVE-2015-0984) and a default account whose credentials cannot be changed. According to the researchers, an attacker can authenticate to the controller's FTP server with the default account, use the path traversal bug to escape the FTP working directory, and upload a web shell that lets them execute OS commands on the device.
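The chain described above works because the FTP server resolves the client-supplied path without confining the result to the account's working tree. The following is an added example (not Honeywell's code, and not the Outpost24 proof of concept) of the check a server should apply to every STOR/RETR/CWD argument: canonicalise the path, then refuse anything that lands outside the root. The root `/srv/ftp`, the `cwd` argument and the sample requests are all constructed for illustration; nothing here is taken from XLWeb.

```python
import posixpath


def confine_to_root(root, cwd, client_path):
    """Map an FTP client's path onto the server filesystem and refuse any
    result outside `root`.

    root        server-side directory the FTP account is confined to
    cwd         the session's current directory, relative to root
    client_path path exactly as the client sent it (STOR/RETR/CWD argument)

    Returns the canonical absolute path, or None when the request would
    escape the working tree.  Names and semantics are illustrative.
    """
    # posixpath keeps behaviour identical on any host the check runs on
    root = posixpath.normpath("/" + root.strip("/"))

    # a NUL byte truncates the string in C-level file APIs; never pass it on
    if "\x00" in client_path:
        return None

    # many FTP servers accept "\" as a separator; fold it before checking,
    # otherwise "..\.." slips past a check that only looks for "../"
    candidate = client_path.replace("\\", "/")

    if candidate.startswith("/"):
        # an absolute client path is relative to root, never to the real "/"
        candidate = posixpath.join(root, candidate.lstrip("/"))
    else:
        candidate = posixpath.join(root, cwd.strip("/"), candidate)

    # normpath collapses ".", ".." and doubled slashes so the prefix test
    # below sees the real target, not the spelling the client chose
    candidate = posixpath.normpath(candidate)

    # compare against "root/" so a sibling such as /srv/ftpx is not accepted
    prefix = root if root.endswith("/") else root + "/"
    if candidate == root or candidate.startswith(prefix):
        return candidate
    return None


# constructed requests, the kind of thing a traversal probe sends
SAMPLE_REQUESTS = [
    ("", "upload/page.html"),                       # ordinary upload
    ("", "../../var/www/cgi-bin/shell.cgi"),        # escape via ".."
    ("upload", "../../../etc/passwd"),              # escape from a sub-dir
    ("", "..\\..\\boot.ini"),                       # backslash variant
    ("", "/etc/passwd"),                            # absolute path
    ("", "../ftpx/shell.cgi"),                      # sibling-prefix trick
    ("", "bad\x00.txt"),                            # NUL truncation
]


def classify(root, requests):
    """Return (cwd, client_path, verdict) for each request."""
    out = []
    for cwd, path in requests:
        target = confine_to_root(root, cwd, path)
        out.append((cwd, path, "REJECT" if target is None else target))
    return out


if __name__ == "__main__":
    for cwd, path, verdict in classify("/srv/ftp", SAMPLE_REQUESTS):
        print(f"cwd={cwd!r:10} path={path!r:36} -> {verdict}")
```

Note that the absolute-path request is accepted but remapped inside the root, which is what a confined FTP account should do; only the requests whose canonical target leaves `/srv/ftp` are refused. A server that had applied this check would still have exposed the unchangeable default account, which is why the traversal and the credential issue have to be fixed separately.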
John Stock, technology program director at Outpost24, revealed during a talk at the Infosecurity Europe 2015 conference that only one company had patched the vulnerability that he and Martin Jartelius, CSO of Outpost24, reported to Honeywell this year. The number has since risen to three (as of June 8), but that is still a low patching rate given that tens of these systems are reachable from the Internet.
This is what makes critical infrastructure protection increasingly difficult: end users are wary of installing vendor security updates for fear of breaking mission-critical functionality. Either that, or the people with the requisite expertise have left the company and nobody remains who can apply the update and deal with any problems the patch introduces.