Cyber Resilience

CVE-2025-2523

Critical

Published: 10 July 2025

Published
10 July 2025
Modified
15 April 2026
KEV Added
Patch
CVSS Score v3.1 9.4 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H
EPSS Score 0.0118 79.1th percentile
Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-2523 is a critical-severity Wrap or Wraparound (CWE-191) vulnerability. Its CVSS base score is 9.4 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 20.9% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-7 (Boundary Protection) and SI-10 (Information Input Validation).

Deeper analysis

The vulnerability CVE-2025-2523 is an integer underflow (CWE-191) in the Control Data Access (CDA) component of Honeywell Experion PKS and OneWireless WDM. Affected products include C300 PCNT02, C300 PCNT05, FIM4, FIM8, UOC, CN100, HCA, C300PM, and C200E controllers running Experion PKS versions 520.1 through 520.2 TCU9 and 530 through 530 TCU3, as well as OneWireless WDM versions 322.1 through 322.4 and 330.1 through 330.3. The flaw can produce a communication channel manipulation condition during subtraction operations.

An unauthenticated remote attacker can exploit the issue over the network without user interaction to achieve remote code execution, with impacts on confidentiality, integrity, and availability reflected in the CVSS 9.4 score.

Honeywell advisory guidance directs users to apply the specified hotfixes and version upgrades—Experion PKS 520.2 TCU9 HF1 or 530.1 TCU3 HF1 and OneWireless WDM 322.5 or 331.1—to remediate the vulnerability.

EPSS remains low and unchanged at a peak of 0.0118, indicating no material increase in observed exploitation interest after disclosure.

EU & UK References

Vulnerability details

The Honeywell Experion PKS and OneWireless WDM contains an Integer Underflow vulnerability in the component Control Data Access (CDA). An attacker could potentially exploit this vulnerability, leading to a Communication Channel Manipulation, which could result in a failure during subtraction…

more

allowing remote code execution. Honeywell recommends updating to the most recent version of Honeywell Experion PKS:520.2 TCU9 HF1 and 530.1 TCU3 HF1 and OneWireless: 322.5 and 331.1. The affected Experion PKS products are C300 PCNT02, C300 PCNT05, FIM4, FIM8, UOC, CN100, HCA, C300PM, and C200E. The Experion PKS versions affected are from 520.1 through 520.2 TCU9 and from 530 through 530 TCU3. The OneWireless WDM affected versions are 322.1 through 322.4 and 330.1 through 330.3.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Unauthenticated remote network exploitation of CDA component enabling RCE maps directly to T1190.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-33845Shared CWE-191
CVE-2026-37534Shared CWE-191
CVE-2025-3947Shared CWE-191
CVE-2024-10838Shared CWE-191
CVE-2026-44060Shared CWE-191
CVE-2025-0728Shared CWE-191
CVE-2026-5720Shared CWE-191
CVE-2025-67269Shared CWE-191
CVE-2025-29909Shared CWE-191
CVE-2026-33184Shared CWE-191

Affected Assets

C200E. The Experion PKS
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires timely identification, reporting, and correction of software flaws like this integer underflow vulnerability via patching to recommended versions such as Experion PKS 520.2 TCU9 HF1.

prevent

Mandates validation of information inputs to the Control Data Access component, preventing exploitation through malformed data causing integer underflow during subtraction operations.

prevent

Enforces boundary protection to monitor and control communications at system boundaries, blocking unauthenticated remote network access required to exploit this vulnerability.

References