CVE-2025-2605
Published: 02 May 2025
Summary
CVE-2025-2605 is a critical-severity OS Command Injection (CWE-78) vulnerability in Honeywell MB-Secure firmware. Its CVSS base score is 9.9 (Critical).
Operationally, it ranks in the top 16.3% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
The vulnerability is an OS command injection flaw, tracked as CWE-78, that permits privilege abuse in Honeywell MB-Secure. It affects MB-Secure versions from V11.04 before V12.53 and MB-Secure PRO versions from V01.06 before V03.09, carrying a CVSS 3.1 score of 9.9.
An attacker with low-privileged network access and no user interaction required can inject operating-system commands, resulting in full compromise of confidentiality, integrity, and availability with scope extension beyond the vulnerable component.
Honeywell directs customers to update MB-Secure to V12.53 or newer and MB-Secure PRO to V03.09 or newer, and to obtain the most recent version of the affected product; further details appear in the vendor's security notices and the associated full-disclosure mailing-list post.
The EPSS score has remained flat at 0.0191 with no material rise after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-13247
Vulnerability details
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in Honeywell MB-Secure allows Privilege Abuse. This issue affects MB-Secure: from V11.04 before V12.53 and MB-Secure PRO from V01.06 before V03.09. Honeywell also recommends updating to the most recent version of this product.
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.