CVE-2025-2523: CWE-191 Integer Underflow (Wrap or Wraparound) in Honeywell C300 PCNT02
Honeywell Experion PKS and OneWireless WDM contain an Integer Underflow vulnerability in the Control Data Access (CDA) component. An attacker could potentially exploit this vulnerability, leading to Communication Channel Manipulation, which could result in a failure during subtraction allowing remote code execution. Honeywell recommends updating to the most recent versions: Honeywell Experion PKS 520.2 TCU9 HF1 and 530.1 TCU3 HF1, and OneWireless 322.5 and 331.1. The affected Experion PKS products are C300 PCNT02, C300 PCNT05, FIM4, FIM8, UOC, CN100, HCA, C300PM, and C200E. The Experion PKS versions affected are from 520.1 through 520.2 TCU9 and from 530 through 530 TCU3. The OneWireless WDM affected versions are 322.1 through 322.4 and 330.1 through 330.3.
AI Analysis
Technical Summary
CVE-2025-2523 is a critical integer underflow vulnerability (CWE-191) identified in Honeywell's Experion PKS and OneWireless WDM industrial control system components, specifically within the Control Data Access (CDA) module. The flaw arises from an integer underflow during a subtraction operation, which can cause wraparound behavior leading to unexpected values. This vulnerability affects multiple Experion PKS products including C300 PCNT02, C300 PCNT05, FIM4, FIM8, UOC, CN100, HCA, C300PM, and C200E, across versions 520.1 through 520.2 TCU9 and 530 through 530 TCU3, as well as OneWireless WDM versions 322.1 through 322.4 and 330.1 through 330.3. Exploitation requires no authentication or user interaction and can be performed remotely over the network. Successful exploitation could allow an attacker to manipulate communication channels, potentially leading to remote code execution. This could disrupt industrial control processes by compromising the confidentiality, integrity, and availability of critical operational data and control commands. Honeywell has recommended updating to the latest patched versions: Experion PKS 520.2 TCU9 HF1, 530.1 TCU3 HF1, and OneWireless 322.5 and 331.1 to remediate this issue. The CVSS v3.1 base score of 9.4 reflects the high severity, with low attack complexity, no privileges required, and no user interaction needed, emphasizing the critical risk posed to industrial environments relying on these systems.
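The wraparound described above, illustrated with constructed C code that is not Honeywell's and assumes nothing about the real CDA message format (the header length and frame layout are hypothetical): an unsigned length subtraction wraps to a huge value when the declared total is smaller than the header, and a range check before the subtraction rejects such frames instead.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical fixed header size; not the CDA wire format. */
#define HDR_LEN 8u

/* Vulnerable pattern (CWE-191): unsigned subtraction with no range check.
 * For total_len < HDR_LEN the result wraps, e.g. 4 - 8 == 0xFFFFFFFC. */
uint32_t payload_len_unchecked(uint32_t total_len) {
    return total_len - HDR_LEN;
}

/* Hardened pattern: validate before subtracting; false means underflow. */
bool payload_len_checked(uint32_t total_len, uint32_t *out) {
    if (total_len < HDR_LEN) {
        return false;
    }
    *out = total_len - HDR_LEN;
    return true;
}

/* Simulated receive path: copies the payload only when the length passes the
 * underflow check and fits the destination. Assumes frame holds at least
 * declared_len bytes. Returns bytes copied, or -1 if the frame is rejected. */
int receive_frame(const uint8_t *frame, uint32_t declared_len,
                  uint8_t *dst, size_t dst_cap) {
    uint32_t plen;
    if (!payload_len_checked(declared_len, &plen)) return -1;
    if (plen > dst_cap) return -1;
    memcpy(dst, frame + HDR_LEN, plen);
    return (int)plen;
}

/* Constructed 12-byte frame: 8 header bytes followed by 4 payload bytes. */
static const uint8_t SAMPLE_FRAME[12] = {0, 1, 2, 3, 4, 5, 6, 7, 0xAA, 0xBB, 0xCC, 0xDD};

/* Runs the sample frame through receive_frame with the given declared length. */
int process_sample(uint32_t declared_len) {
    uint8_t buf[16];
    return receive_frame(SAMPLE_FRAME, declared_len, buf, sizeof buf);
}
```

A declared length of 4 is rejected by the checked path, whereas the unchecked subtraction would have produced a length of about 4 GiB for the same input.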
Potential Impact
For European organizations operating industrial control systems (ICS) or critical infrastructure using Honeywell Experion PKS and OneWireless WDM products, this vulnerability poses a significant threat. Exploitation could lead to unauthorized remote code execution, allowing attackers to manipulate or disrupt industrial processes, potentially causing physical damage, safety incidents, or operational downtime. The confidentiality of sensitive operational data could be compromised, while integrity and availability of control commands may be severely impacted, undermining trust in automation systems. Given the widespread use of Honeywell ICS solutions in sectors such as energy, manufacturing, utilities, and transportation across Europe, the potential impact includes financial losses, regulatory penalties, and risks to public safety. The ability to exploit this vulnerability remotely without authentication increases the attack surface, making it attractive for threat actors targeting European critical infrastructure. Additionally, disruption of these systems could have cascading effects on supply chains and essential services, amplifying the overall impact.
Mitigation Recommendations
European organizations should prioritize immediate patching by upgrading to the Honeywell recommended versions: Experion PKS 520.2 TCU9 HF1, 530.1 TCU3 HF1, and OneWireless 322.5 and 331.1. Until patches are applied, network segmentation should be enforced to isolate vulnerable ICS components from general enterprise networks and the internet, minimizing exposure. Implement strict access controls and monitoring on communication channels to detect anomalous traffic patterns indicative of exploitation attempts. Employ intrusion detection and prevention systems (IDS/IPS) tailored for ICS protocols to identify and block malicious activities targeting the CDA component. Conduct thorough audits of all Honeywell ICS assets to ensure no outdated versions remain in operation. Establish incident response plans specific to ICS environments to rapidly contain and remediate any exploitation. Collaborate with Honeywell support and cybersecurity vendors specializing in ICS security for guidance and advanced threat detection capabilities. Finally, maintain continuous security awareness training for operational technology (OT) personnel to recognize signs of compromise related to this vulnerability.
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Belgium, Sweden, Poland, Czech Republic
Technical Details
- Data Version: 5.1
- Assigner Short Name: Honeywell
- Date Reserved: 2025-03-19T13:57:31.419Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 6870230ba83201eaaca9b87e
Added to database: 7/10/2025, 8:31:07 PM
Last enriched: 7/10/2025, 8:46:46 PM
Last updated: 7/11/2025, 11:49:18 AM