
CVE-2025-2605

Tags: Critical, RCE

Published: 02 May 2025
Modified: 17 May 2025
KEV Added: not listed
Patch: available
CVSS v3.1 Score: 9.9 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)
EPSS Score: 0.0191 (83.7th percentile)
Risk Priority: 21 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-2605 is a critical-severity OS Command Injection (CWE-78) vulnerability in Honeywell MB-Secure firmware. Its CVSS base score is 9.9 (Critical).

Operationally, it ranks in the top 16.3% of CVEs by exploit likelihood (EPSS 83.7th percentile) and is not currently listed in the CISA KEV catalog.

Deeper analysis

The vulnerability is an OS command injection flaw, tracked as CWE-78, that permits privilege abuse in Honeywell MB-Secure. It affects MB-Secure versions from V11.04 before V12.53 and MB-Secure PRO versions from V01.06 before V03.09, carrying a CVSS 3.1 score of 9.9.

An attacker holding a low-privileged account with network access, and requiring no user interaction, can inject operating-system commands. The result is full compromise of confidentiality, integrity, and availability, with scope extending beyond the vulnerable component (CVSS S:C).

Honeywell directs customers to update MB-Secure to V12.53 or newer and MB-Secure PRO to V03.09 or newer, and to obtain the most recent version of the affected product; further details appear in the vendor's security notices and the associated full-disclosure mailing-list post.

The EPSS score has remained flat at 0.0191 with no material rise after disclosure.

EU & UK References

Vulnerability details

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in Honeywell MB-Secure allows Privilege Abuse. This issue affects MB-Secure: from V11.04 before V12.53 and MB-Secure PRO from V01.06 before V03.09. Honeywell also recommends updating to the most recent version of this product.

CWE(s)

CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

- Honeywell MB-Secure firmware: from V11.04 before V12.53
- Honeywell MB-Secure PRO firmware: from V01.06 before V03.09

Mitigating Controls

Likely Mitigating Controls (AI-derived)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

- Managed runtime or sandboxed execution (addresses CWE-78): platform-independent apps typically execute inside a managed runtime or sandbox that restricts direct OS command execution, reducing the ability to exploit OS command injection.

- Input validation (addresses CWE-78): validates inputs to block special elements that would alter OS command execution.
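The control above is generic to CWE-78. As an added illustration that is not Honeywell's code and says nothing about how MB-Secure builds its commands, the snippet below contrasts the weakness pattern with the mitigated form: a hypothetical maintenance function that pings a user-supplied host. The vulnerable version splices the input into a shell string; the hardened version enforces a strict hostname allowlist (rejecting shell metacharacters and a leading dash, which would otherwise be read as an option) and passes an argument vector so no shell parses the input at all. The hostname regex, the `ping` invocation and the sample inputs are constructed for this example.

```python
import re
import subprocess

# Constructed allowlist: RFC-1123-style hostnames only (letters, digits, hyphens,
# dot-separated labels, no leading/trailing hyphen). Anything else is rejected.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
HOSTNAME_RE = re.compile(rf"^{_LABEL}(?:\.{_LABEL})*$")


def build_ping_command_vulnerable(host: str) -> str:
    """CWE-78 pattern: untrusted input is concatenated into a shell command string.

    If this string were handed to subprocess.run(..., shell=True), the shell
    would interpret any metacharacters the caller included.
    """
    return f"ping -c 1 {host}"


def is_valid_hostname(host: str) -> bool:
    """Positive validation: accept only what a hostname may contain."""
    return len(host) <= 253 and HOSTNAME_RE.fullmatch(host) is not None


def build_ping_command_safe(host: str) -> list[str]:
    """Hardened form: validate against an allowlist, then build an argv list.

    The argv list is executed without a shell, so even a value that slipped
    past validation would reach ping as a single argument, never as a
    separate command. The regex also forbids a leading '-', which blocks
    option injection into ping itself.
    """
    if not is_valid_hostname(host):
        raise ValueError(f"rejected host: {host!r}")
    return ["ping", "-c", "1", host]


def run_ping(host: str, dry_run: bool = True):
    """Return the argv list (dry_run) or run it without a shell and return the exit code."""
    argv = build_ping_command_safe(host)
    if dry_run:
        return argv
    completed = subprocess.run(argv, capture_output=True, text=True, check=False)
    return completed.returncode


if __name__ == "__main__":
    # Constructed sample inputs: one benign hostname, one carrying shell metacharacters.
    for candidate in ("gateway.example", "gateway.example; id", "-c 9999"):
        print("vulnerable string:", build_ping_command_vulnerable(candidate))
        try:
            print("hardened argv:   ", run_ping(candidate))
        except ValueError as exc:
            print("hardened argv:    REJECTED ->", exc)
```

Note that validation and shell avoidance are complementary: the allowlist stops unexpected characters before any command is built, and the argv form removes the shell as an interpreter so that the validation is not the only line of defence.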

References