CVE-2025-2522
Published: 10 July 2025
Summary
CVE-2025-2522 is a medium-severity Sensitive Information in Resource Not Removed Before Reuse (CWE-226) vulnerability. Its CVSS base score is 6.5 (Medium).
Operationally, it ranks at the 49.7th percentile for exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-21066
Vulnerability details
Honeywell Experion PKS and OneWireless WDM contain a Sensitive Information in Resource Not Removed Before Reuse vulnerability in the Control Data Access (CDA) component. An attacker could potentially exploit this vulnerability to achieve Communication Channel Manipulation, which could result in buffer reuse and, in turn, incorrect system behavior. Honeywell recommends updating to the most recent versions: Experion PKS 520.2 TCU9 HF1 and 530.1 TCU3 HF1, and OneWireless 322.5 and 331.1. The affected Experion PKS products are C300, FIM4, FIM8, UOC, CN100, HCA, C300PM, and C200E. The affected Experion PKS versions are 520.1 before 520.2 TCU9 HF1 and 530 before 530 TCU3. The affected OneWireless WDM versions are 322.1 through 322.4 and 330.1 through 330.3.
- CWE(s): CWE-226 (Sensitive Information in Resource Not Removed Before Reuse)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls (likely, AI-derived)
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
- The eradication and cross-system identification steps ensure sensitive information is removed before resources are reused or further accessed.
- Requiring sanitization of media prior to removal for off-site maintenance ensures sensitive information is removed before the resource is reused or accessed externally.
- Procedures include sanitization, overwriting, and disposal requirements to remove sensitive data before media reuse or release.
- Requiring sanitization prior to reuse directly ensures sensitive information is removed from resources before they are reused by others.
- Downgrading enables reuse of media at lower security levels, and the mandated process ensures sensitive information is removed beforehand to prevent exposure on reused resources.
- Directly requires removal of sensitive data from resources before reuse or reallocation to another subject, eliminating residual information transfer.
- Explicit retention limits and destruction rules reduce the persistence of sensitive information in reusable resources.
- Periodic quality checks and deletion ensure sensitive PII is removed from resources prior to reuse or retention beyond its valid lifetime.