CVE-2025-2523: CWE-191 Integer Underflow (Wrap or Wraparound) in Honeywell C300 PCNT02
The Honeywell Experion PKS and OneWireless WDM contain an Integer Underflow vulnerability in the Control Data Access (CDA) component. An attacker could potentially exploit this vulnerability, leading to Communication Channel Manipulation, which could result in a failure during subtraction allowing remote code execution. Honeywell recommends updating to the most recent versions: Experion PKS 520.2 TCU9 HF1 and 530.1 TCU3 HF1, and OneWireless 322.5 and 331.1. The affected Experion PKS products are C300 PCNT02, C300 PCNT05, FIM4, FIM8, UOC, CN100, HCA, C300PM, and C200E. The Experion PKS versions affected are from 520.1 through 520.2 TCU9 and from 530 through 530 TCU3. The OneWireless WDM affected versions are 322.1 through 322.4 and 330.1 through 330.3.
AI Analysis
Technical Summary
CVE-2025-2523 is a critical integer underflow vulnerability (CWE-191) identified in Honeywell's Experion PKS and OneWireless WDM industrial control system components, specifically within the Control Data Access (CDA) module. The affected products include Experion PKS versions 520.1 through 520.2 TCU9 and 530 through 530 TCU3, and OneWireless WDM versions 322.1 through 322.4 and 330.1 through 330.3. The impacted hardware includes C300 PCNT02, C300 PCNT05, FIM4, FIM8, UOC, CN100, HCA, C300PM, and C200E. The vulnerability arises from an integer underflow condition during a subtraction operation, which can be exploited remotely without authentication or user interaction. This flaw can lead to communication channel manipulation, potentially allowing an attacker to execute arbitrary code remotely. The CVSS v3.1 base score is 9.4, reflecting high impact on integrity and availability with low attack complexity and no privileges required. Honeywell recommends updating to the latest patched versions: Experion PKS 520.2 TCU9 HF1, 530.1 TCU3 HF1, and OneWireless 322.5 and 331.1. No known exploits are currently reported in the wild, but the critical nature and ease of exploitation make timely patching essential. This vulnerability poses a significant risk to industrial control systems that manage critical infrastructure processes, potentially leading to operational disruption, safety hazards, and data integrity compromise.
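The advisory names the bug class (CWE-191, a subtraction that wraps) but not the CDA wire format, so the following is an added illustration of that pattern on a constructed 4-byte frame header, not Honeywell code: the vulnerable length computation beside the checked form a parser should use.

```c
/* Illustrative CWE-191 pattern: an unsigned subtraction that wraps when a
 * frame's length field is smaller than the fixed header it is supposed to
 * include. The header layout (2-byte total length, 2-byte type) is a
 * constructed example, not Honeywell's CDA format. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define HDR_LEN     ((size_t)4)   /* hypothetical header size */
#define MAX_PAYLOAD ((size_t)256) /* hypothetical receive buffer size */

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Vulnerable form: trusts the length field and subtracts first. A total
 * length of 2 yields (size_t)2 - 4 == SIZE_MAX - 1, a "payload length" that
 * overruns any fixed receive buffer if used in a copy. */
size_t naive_payload_len(const uint8_t *frame, size_t frame_len)
{
    if (frame_len < HDR_LEN) return 0;            /* only the truncation case is checked */
    size_t total_len = be16(frame);
    return total_len - HDR_LEN;                   /* CWE-191: wraps when total_len < 4 */
}

/* Hardened form: validate every relation before the subtraction so the
 * result is provably within [0, MAX_PAYLOAD]. Returns the payload length
 * or a negative status code. */
long checked_payload_len(const uint8_t *frame, size_t frame_len)
{
    if (frame_len < HDR_LEN) return -1;           /* truncated header */
    size_t total_len = be16(frame);
    if (total_len < HDR_LEN) return -2;           /* subtraction would underflow */
    if (total_len > frame_len) return -3;         /* claims bytes that were never received */
    size_t payload_len = total_len - HDR_LEN;     /* safe: total_len >= HDR_LEN */
    if (payload_len > MAX_PAYLOAD) return -4;     /* exceeds receive buffer */
    return (long)payload_len;
}

/* Constructed frames: a length field of 2 (smaller than the header) and a
 * well-formed 8-byte frame carrying a 4-byte payload. */
static const uint8_t SHORT_FRAME[4] = { 0x00, 0x02, 0x00, 0x01 };
static const uint8_t GOOD_FRAME[8]  = { 0x00, 0x08, 0x00, 0x01, 'a', 'b', 'c', 'd' };

int main(void)
{
    printf("naive:   short frame -> %zu bytes\n", naive_payload_len(SHORT_FRAME, sizeof SHORT_FRAME));
    printf("checked: short frame -> status %ld\n", checked_payload_len(SHORT_FRAME, sizeof SHORT_FRAME));
    printf("checked: good frame  -> %ld bytes\n", checked_payload_len(GOOD_FRAME, sizeof GOOD_FRAME));
    return 0;
}
```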
Potential Impact
For European organizations, especially those operating critical infrastructure such as energy, manufacturing, water treatment, and transportation sectors, this vulnerability presents a severe risk. Honeywell's Experion PKS and OneWireless systems are widely deployed in industrial environments across Europe. Exploitation could lead to unauthorized remote code execution, resulting in manipulation or disruption of communication channels within control systems. This could cause process failures, safety incidents, production downtime, and potential cascading effects on supply chains. The integrity and availability of industrial operations could be compromised, leading to financial losses, regulatory penalties, and damage to reputation. Given the criticality of these systems in national infrastructure, successful exploitation could also have broader societal impacts. The lack of required privileges or user interaction lowers the barrier for attackers, increasing the likelihood of targeted attacks or opportunistic exploitation by threat actors.
Mitigation Recommendations
European organizations should prioritize immediate patching by upgrading to the Honeywell recommended versions: Experion PKS 520.2 TCU9 HF1, 530.1 TCU3 HF1, and OneWireless 322.5 and 331.1. In parallel, implement network segmentation to isolate affected control systems from general IT networks and limit exposure to external networks. Employ strict access controls and monitoring on communication channels to detect anomalous activities indicative of exploitation attempts. Utilize intrusion detection and prevention systems tailored for industrial protocols to identify manipulation attempts. Conduct thorough audits of existing Honeywell system versions and maintain an up-to-date asset inventory. Establish incident response plans specific to industrial control system compromises. Additionally, restrict remote access to these systems using VPNs with multi-factor authentication and monitor logs for unusual behavior. Regularly train operational technology (OT) staff on this vulnerability and best practices for secure system management. Finally, collaborate with Honeywell support for guidance and verify patch integrity before deployment to avoid operational disruptions.
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Belgium, Poland, Sweden, Norway
Technical Details
- Data Version: 5.1
- Assigner Short Name: Honeywell
- Date Reserved: 2025-03-19T13:57:31.419Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 6870230ba83201eaaca9b87e
Added to database: 7/10/2025, 8:31:07 PM
Last enriched: 8/5/2025, 12:37:04 AM
Last updated: 8/23/2025, 7:49:39 AM