Cyber Resilience

CVE-2025-2522

Medium

Published: 10 July 2025
Modified: 15 April 2026
CVSS Score (v3.1): 6.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N)
EPSS Score: 0.0026 (49.7th percentile)
Risk Priority: 13 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-2522 is a medium-severity Sensitive Information in Resource Not Removed Before Reuse (CWE-226) vulnerability. Its CVSS base score is 6.5 (Medium).

Operationally, it is ranked at the 49.7th percentile by EPSS exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

Vulnerability details

Honeywell Experion PKS and OneWireless WDM contain a Sensitive Information in Resource vulnerability in the Control Data Access (CDA) component. An attacker could potentially exploit this vulnerability, leading to Communication Channel Manipulation, which could result in buffer reuse that may cause incorrect system behavior. Honeywell recommends updating to the most recent version of Honeywell Experion PKS (520.2 TCU9 HF1 and 530.1 TCU3 HF1) and OneWireless (322.5 and 331.1). The affected Experion PKS products are C300, FIM4, FIM8, UOC, CN100, HCA, C300PM, and C200E. The Experion PKS versions affected are 520.1 before 520.2 TCU9 HF1 and 530 before 530 TCU3. The OneWireless WDM affected versions are 322.1 through 322.4 and 330.1 through 330.3.

CWE(s): CWE-226 (Sensitive Information in Resource Not Removed Before Reuse)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Honeywell Experion PKS (C300, FIM4, FIM8, UOC, CN100, HCA, C300PM, C200E): versions 520.1 before 520.2 TCU9 HF1 and 530 before 530 TCU3.
Honeywell OneWireless WDM: versions 322.1 through 322.4 and 330.1 through 330.3.
Asset list inferred from the references and description; NVD did not file a CPE for this CVE.

Mitigating Controls

Likely Mitigating Controls (AI-derived)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Addresses CWE-226: The eradication and cross-system identification steps ensure sensitive information is removed before resources are reused or further accessed.

Addresses CWE-226: Requiring sanitization of media prior to removal for off-site maintenance ensures sensitive information is removed before the resource is reused or accessed externally.

Addresses CWE-226: Procedures include sanitization, overwriting, and disposal requirements to remove sensitive data before media reuse or release.

Addresses CWE-226: Requiring sanitization prior to reuse directly ensures sensitive information is removed from resources before they are reused by others.

Addresses CWE-226: Downgrading enables reuse of media at lower security levels, and the mandated process ensures sensitive information is removed beforehand to prevent exposure on reused resources.

Addresses CWE-226: Directly requires removal of sensitive data from resources before reuse or reallocation to another subject, eliminating residual information transfer.

Addresses CWE-226: Explicit retention limits and destruction rules reduce the persistence of sensitive information in reusable resources.

Addresses CWE-226: Periodic quality checks and deletion ensure sensitive PII is removed from resources prior to reuse or retention beyond its valid lifetime.