CVE-2025-3947
Published: 10 July 2025
Summary
CVE-2025-3947 is a high-severity Integer Underflow (Wrap or Wraparound) (CWE-191) vulnerability. Its CVSS base score is 8.2 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked in the top 41.2% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Directly mitigates the integer underflow vulnerability by requiring timely remediation through patching to Honeywell Experion PKS versions 520.2 TCU9 HF1 or 530.1 TCU3 HF1.
Prevents exploitation of the vulnerability by validating inputs to the Control Data Access component, blocking manipulated data that triggers integer underflow during subtraction.
Provides protection against the denial-of-service resulting from the improper integer data value checking caused by the underflow exploit.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
A remote, network-accessible integer underflow in the CDA component directly enables exploitation of a public-facing ICS service for DoS via crafted input manipulation.
NVD Description
The Honeywell Experion PKS contains an Integer Underflow vulnerability in the component Control Data Access (CDA). An attacker could potentially exploit this vulnerability, leading to Input Data Manipulation, which could result in improper integer data value checking during subtraction leading to a denial of service. Honeywell recommends updating to the most recent version of Honeywell Experion PKS: 520.2 TCU9 HF1 and 530.1 TCU3 HF1. The affected Experion PKS products are C300 PCNT02, C300 PCNT05, FIM4, FIM8, UOC, CN100, HCA, C300PM, and C200E. The Experion PKS versions affected are from 520.1 through 520.2 TCU9 and from 530 through 530 TCU3.
Deeper analysis
CVE-2025-3947 is an Integer Underflow vulnerability (CWE-191) in the Control Data Access (CDA) component of Honeywell Experion PKS. It affects the products C300 PCNT02, C300 PCNT05, FIM4, FIM8, UOC, CN100, HCA, C300PM, and C200E in versions from 520.1 through 520.2 TCU9 and from 530 through 530 TCU3.
The vulnerability carries a CVSS v3.1 base score of 8.2 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H), indicating it is exploitable remotely over the network with low complexity, no privileges, and no user interaction required. An attacker could exploit it to perform input data manipulation, resulting in improper integer data value checking during subtraction and potentially leading to a denial of service.
Honeywell advisories recommend updating to the latest versions, specifically Experion PKS 520.2 TCU9 HF1 and 530.1 TCU3 HF1, to mitigate the vulnerability. Additional details are available at https://process.honeywell.com/.
Details
- CWE(s)