
CVE-2025-2523: CWE-191 Integer Underflow (Wrap or Wraparound) in Honeywell C300 PCNT02

Critical
Tags: Vulnerability, CVE-2025-2523, CWE-191
Published: Thu Jul 10 2025 (07/10/2025, 20:15:32 UTC)
Source: CVE Database V5
Vendor/Project: Honeywell
Product: C300 PCNT02

Description

Honeywell Experion PKS and OneWireless WDM contain an Integer Underflow vulnerability in the Control Data Access (CDA) component. An attacker could potentially exploit this vulnerability, leading to Communication Channel Manipulation, which could result in a failure during subtraction allowing remote code execution. Honeywell recommends updating to the most recent versions: Experion PKS 520.2 TCU9 HF1 and 530.1 TCU3 HF1, and OneWireless 322.5 and 331.1. The affected Experion PKS products are C300 PCNT02, C300 PCNT05, FIM4, FIM8, UOC, CN100, HCA, C300PM, and C200E. The affected Experion PKS versions are 520.1 through 520.2 TCU9 and 530 through 530 TCU3. The affected OneWireless WDM versions are 322.1 through 322.4 and 330.1 through 330.3.

AI-Powered Analysis

Last updated: 07/10/2025, 20:46:46 UTC

Technical Analysis

CVE-2025-2523 is a critical integer underflow vulnerability (CWE-191) identified in Honeywell's Experion PKS and OneWireless WDM industrial control system components, specifically within the Control Data Access (CDA) module. The flaw arises from an integer underflow during a subtraction operation, which can cause wraparound behavior leading to unexpected values. This vulnerability affects multiple Experion PKS products including C300 PCNT02, C300 PCNT05, FIM4, FIM8, UOC, CN100, HCA, C300PM, and C200E, across versions 520.1 through 520.2 TCU9 and 530 through 530 TCU3, as well as OneWireless WDM versions 322.1 through 322.4 and 330.1 through 330.3. Exploitation requires no authentication or user interaction and can be performed remotely over the network. Successful exploitation could allow an attacker to manipulate communication channels, potentially leading to remote code execution. This could disrupt industrial control processes by compromising the confidentiality, integrity, and availability of critical operational data and control commands. Honeywell has recommended updating to the latest patched versions: Experion PKS 520.2 TCU9 HF1, 530.1 TCU3 HF1, and OneWireless 322.5 and 331.1 to remediate this issue. The CVSS v3.1 base score of 9.4 reflects the high severity, with low attack complexity, no privileges required, and no user interaction needed, emphasizing the critical risk posed to industrial environments relying on these systems.
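To make the CWE-191 mechanism concrete, the following is an added, generic illustration written for this page; it is not Honeywell code and does not model the CDA protocol. The frame layout (a 4-byte big-endian total length followed by a fixed 8-byte header), the constants HEADER_LEN and MAX_PAYLOAD, and all function names are constructed assumptions. It shows an unsigned length subtraction that wraps when the declared length is smaller than the header, beside a hardened version that validates the operands before subtracting and bounds the result against the destination buffer.

```c
/*
 * Generic CWE-191 (integer underflow / wraparound) illustration.
 * Added example, not Honeywell code; layout and names are constructed.
 */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define HEADER_LEN  8u      /* constructed: fixed header size in bytes   */
#define MAX_PAYLOAD 256u    /* constructed: receive buffer capacity      */

/* Vulnerable pattern: trusts `declared_len` from the wire and subtracts the
 * header size without checking declared_len >= HEADER_LEN. For values below
 * 8 the unsigned subtraction wraps to a value near 2^32, and any later copy
 * sized by this result overruns its destination. */
uint32_t payload_len_unchecked(uint32_t declared_len) {
    return declared_len - HEADER_LEN;
}

/* Hardened pattern: reject lengths that would underflow, then bound the
 * result against the destination capacity. Returns 0 on success (payload
 * length written to *out) or -1 if the length is rejected. */
int payload_len_checked(uint32_t declared_len, size_t buf_cap, uint32_t *out) {
    if (declared_len < HEADER_LEN) {
        return -1;                  /* subtraction would wrap */
    }
    uint32_t payload = declared_len - HEADER_LEN;
    if (payload > buf_cap) {
        return -1;                  /* would overrun destination buffer */
    }
    *out = payload;
    return 0;
}

/* Simulated receive path using the checked length. Returns the number of
 * payload bytes copied into dst, or -1 if the frame is rejected. */
long receive_message(const uint8_t *wire, size_t wire_len,
                     uint8_t *dst, size_t dst_cap) {
    if (wire_len < HEADER_LEN) {
        return -1;                  /* frame too short to hold a header */
    }
    /* constructed layout: bytes 0..3 = big-endian declared total length */
    uint32_t declared = ((uint32_t)wire[0] << 24) | ((uint32_t)wire[1] << 16) |
                        ((uint32_t)wire[2] << 8)  |  (uint32_t)wire[3];
    uint32_t payload;
    if (payload_len_checked(declared, dst_cap, &payload) != 0) {
        return -1;
    }
    if ((size_t)payload > wire_len - HEADER_LEN) {
        return -1;                  /* declared length exceeds bytes received */
    }
    memcpy(dst, wire + HEADER_LEN, payload);
    return (long)payload;
}

/* Constructed frames used for the demonstration below. */
long demo_bad_frame(void) {
    /* declares total length 4, smaller than the 8-byte header */
    static const uint8_t frame[8] = {0, 0, 0, 4, 0, 0, 0, 0};
    uint8_t dst[MAX_PAYLOAD];
    return receive_message(frame, sizeof frame, dst, sizeof dst);
}

long demo_good_frame(void) {
    /* declares total length 12: 8-byte header + 4-byte payload "ABCD" */
    static const uint8_t frame[12] = {0, 0, 0, 12, 0, 0, 0, 0, 'A', 'B', 'C', 'D'};
    uint8_t dst[MAX_PAYLOAD];
    return receive_message(frame, sizeof frame, dst, sizeof dst);
}

long demo_oversized_frame(void) {
    /* declares total length 1000, far beyond the 256-byte destination */
    static const uint8_t frame[8] = {0, 0, 0x03, 0xE8, 0, 0, 0, 0};
    uint8_t dst[MAX_PAYLOAD];
    return receive_message(frame, sizeof frame, dst, sizeof dst);
}

int main(void) {
    printf("unchecked length for declared=4: %u\n", payload_len_unchecked(4));
    printf("checked, declared=4:    %ld\n", demo_bad_frame());
    printf("checked, declared=12:   %ld\n", demo_good_frame());
    printf("checked, declared=1000: %ld\n", demo_oversized_frame());
    return 0;
}
```

The unchecked function returns 4294967292 for a declared length of 4, which is the wraparound the advisory's "failure during subtraction" refers to in general terms; the checked path rejects that frame, rejects a frame whose declared length exceeds the destination, and accepts only a frame whose payload fits both the buffer and the bytes actually received. The ordering matters: the range check must run before the subtraction, since checking the wrapped result afterwards is too late.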

Potential Impact

For European organizations operating industrial control systems (ICS) or critical infrastructure using Honeywell Experion PKS and OneWireless WDM products, this vulnerability poses a significant threat. Exploitation could lead to unauthorized remote code execution, allowing attackers to manipulate or disrupt industrial processes, potentially causing physical damage, safety incidents, or operational downtime. The confidentiality of sensitive operational data could be compromised, while integrity and availability of control commands may be severely impacted, undermining trust in automation systems. Given the widespread use of Honeywell ICS solutions in sectors such as energy, manufacturing, utilities, and transportation across Europe, the potential impact includes financial losses, regulatory penalties, and risks to public safety. The ability to exploit this vulnerability remotely without authentication increases the attack surface, making it attractive for threat actors targeting European critical infrastructure. Additionally, disruption of these systems could have cascading effects on supply chains and essential services, amplifying the overall impact.

Mitigation Recommendations

European organizations should prioritize immediate patching by upgrading to the Honeywell recommended versions: Experion PKS 520.2 TCU9 HF1, 530.1 TCU3 HF1, and OneWireless 322.5 and 331.1. Until patches are applied, network segmentation should be enforced to isolate vulnerable ICS components from general enterprise networks and the internet, minimizing exposure. Implement strict access controls and monitoring on communication channels to detect anomalous traffic patterns indicative of exploitation attempts. Employ intrusion detection and prevention systems (IDS/IPS) tailored for ICS protocols to identify and block malicious activities targeting the CDA component. Conduct thorough audits of all Honeywell ICS assets to ensure no outdated versions remain in operation. Establish incident response plans specific to ICS environments to rapidly contain and remediate any exploitation. Collaborate with Honeywell support and cybersecurity vendors specializing in ICS security for guidance and advanced threat detection capabilities. Finally, maintain continuous security awareness training for operational technology (OT) personnel to recognize signs of compromise related to this vulnerability.


Technical Details

Data Version: 5.1
Assigner Short Name: Honeywell
Date Reserved: 2025-03-19T13:57:31.419Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 6870230ba83201eaaca9b87e

Added to database: 7/10/2025, 8:31:07 PM

Last enriched: 7/10/2025, 8:46:46 PM

Last updated: 7/11/2025, 11:49:18 AM

