CVE-2025-2521
Published: 2025-07-10
Priority: P357, high
CVSS 3.1: 8.6 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H)
EPSS: 0.42% (33.9th percentile)
The Honeywell Experion PKS and OneWireless WDM contains a Memory Buffer vulnerability in the component Control Data Access (CDA). An attacker could potentially exploit this vulnerability, leading to an Overread Buffers, which could result in improper index validation against buffer borders leading to remote code execution.
Honeywell recommends updating to the most recent version of Honeywell Experion PKS:
520.2 TCU9 HF1 and 530.1 TCU3 HF1 and OneWireless: 322.5 and 331.1.
The affected Experion PKS products are C300 PCNT02, C300 PCNT05, FIM4, FIM8, UOC, CN100, HCA, C300PM, and C200E. The Experion PKS versions affected are from 520.1 through 520.2 TCU9 and from 530 through 530 TCU3. The OneWireless WDM affected versions are 322.1 through 322.4 and 330.1 through 330.3.
Affected
20 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| honeywell | c200e | 520.1 – 520.2 TCU9 | — |
| honeywell | c200e | 530 – 530 TCU3 | — |
| honeywell | c300_pcnt02 | 520.1 – 520.2 TCU9 | — |
| honeywell | c300_pcnt02 | 530 – 530 TCU3 | — |
| honeywell | c300_pcnt05 | 520.1 – 520.2 TCU9 | — |
| honeywell | c300_pcnt05 | 530 – 530 TCU3 | — |
| honeywell | c300pm | 520.1 – 520.2 TCU9 | — |
| honeywell | c300pm | 530 – 530 TCU3 | — |
| honeywell | cn100 | 520.1 – 520.2 TCU9 | — |
| honeywell | cn100 | 530 – 530 TCU3 | — |
| honeywell | fim4 | 520.1 – 520.2 TCU9 | — |
| honeywell | fim4 | 530 – 530 TCU3 | — |
| honeywell | fim8 | 520.1 – 520.2 TCU9 | — |
| honeywell | fim8 | 530 – 530 TCU3 | — |
| honeywell | hca | 520.1 – 520.2 TCU9 | — |
| honeywell | hca | 530 – 530 TCU3 | — |
| honeywell | uoc | 520.1 – 520.2 TCU9 | — |
| honeywell | uoc | 530 – 530 TCU3 | — |
| honeywell | wireless_device_manager | 322.1 – 322.4 | — |
| honeywell | wireless_device_manager | 330.1 – 330.3 | — |
Detection & IOCs
- Vulnerability resides in the Control Data Access (CDA) component of Honeywell OneWireless WDM and Experion PKS; network-based exploitation (AV:N) with no authentication required (PR:N) and no user interaction (UI:N); monitor for anomalous unauthenticated network traffic targeting CDA service endpoints on affected ICS devices
- Affected products include C300 PCNT02, C300 PCNT05, FIM4, FIM8, UOC, CN100, HCA, C300PM, and C200E running Experion PKS 520.1–520.2 TCU9 or 530–530 TCU3, and OneWireless WDM 322.1–322.4 or 330.1–330.3; inventory and flag any of these unpatched devices for priority monitoring
- Exploitation is remotely achievable with low attack complexity and no privileges; alert on unexpected inbound connections to ICS/OT network segments hosting WDM or Experion PKS nodes, especially from non-engineering workstation sources
- No public exploit code or active in-the-wild exploitation has been confirmed for CVE-2025-2521 at time of advisory publication
- The advisory covers four distinct CVEs (CVE-2025-2521, CVE-2025-2522, CVE-2025-2523, CVE-2025-3946) all in the same CDA component; detections built for CVE-2025-2521 (buffer overread) may overlap with but should not be assumed to cover the integer underflow (CVE-2025-2523) or wrong-handler (CVE-2025-3946) variants
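CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 8.6 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H |
| vendor_redhat | | 5.5 | MEDIUM | |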
CISA ICS
Honeywell OneWireless Wireless Device Manager (WDM)
cisa_ics·2025-09-04·CVSS 8.6
[HIGH] Honeywell OneWireless Wireless Device Manager (WDM)
ICS Advisory
## Honeywell OneWireless Wireless Device Manager (WDM)
Release Date: September 04, 2025
Alert Code: ICSA-25-247-01
Related topics: Industrial Control System Vulnerabilities, Industrial Control Systems
## 1. EXECUTIVE SUMMARY
- CVSS v4 8.8
- ATTENTION: Exploitable remotely/low attack complexity
- Vendor: Honeywell
- Equipment: OneWireless Wireless Device Manager (WDM)
- Vulnerabilities: Improper Restriction of Operations within the Bounds of a Memory Buffer, Sensitive Information in Resource Not Removed Before Reuse, Integer Underflow (Wrap or Wraparound), Deployment of Wrong Handler
## 2. RISK EVALUATION
Successful exploitation of these vulnerabilities could result in information exposure, denial of service, or remote code execution.
CISA ICS
Honeywell Experion PKS (Update A)
cisa_ics·2025-09-04·CVSS 7.5
[HIGH] Honeywell Experion PKS (Update A)
ICS Advisory
## Honeywell Experion PKS (Update A)
Last Revised: September 04, 2025
Alert Code: ICSA-25-205-03
Related topics: Industrial Control System Vulnerabilities, Industrial Control Systems
## 1. EXECUTIVE SUMMARY
- CVSS v3 9.4
- ATTENTION: Exploitable remotely/low attack complexity
- Vendor: Honeywell
- Equipment: Experion PKS
- Vulnerabilities: Use of Uninitialized Variable, Improper Restriction of Operations within the Bounds of a Memory Buffer, Sensitive Information in Resource Not Removed Before Reuse, Integer Underflow (Wrap or Wraparound), Deployment of Wrong Handler
## 2. RISK EVALUATION
Successful exploitation of these vulnerabilities could result in information exposure, denial of service, or remote code execution.
## 3. TECHNICAL
Red Hat
kernel: f2fs: fix to do sanity check on sbi->total_valid_block_count
vendor_redhat·2025-07-03·CVSS 5.5
CVE-2025-38163 [MEDIUM] kernel: f2fs: fix to do sanity check on sbi->total_valid_block_count
In the Linux kernel, the following vulnerability has been resolved:
f2fs: fix to do sanity check on sbi->total_valid_block_count
syzbot reported a f2fs bug as below:
------------[ cut here ]------------
kernel BUG at fs/f2fs/f2fs.h:2521!
RIP: 0010:dec_valid_block_count+0x3b2/0x3c0 fs/f2fs/f2fs.h:2521
Call Trace:
f2fs_truncate_data_blocks_range+0xc8c/0x11a0 fs/f2fs/file.c:695
truncate_dnode+0x417/0x740 fs/f2fs/node.c:973
truncate_nodes+0x3ec/0xf50 fs/f2fs/node.c:1014
f2fs_truncate_inode_blocks+0x8e3/0x1370 fs/f2fs/node.c:1197
f2fs_do_truncate_blocks+0x840/0x12b0 fs/f2fs/file.c:810
f2fs_truncate_blocks+0x10d/0x300 fs/f2fs/file.c:838
f2fs_truncate+0x417/0x720 fs/f2fs/file.c:888
f2fs_setattr+0xc4f/0x12f0 fs/f2fs/file.c:1112
GHSA
GHSA-jhch-7xr2-xm3c: The Honeywell Experion PKS and OneWireless WDM contains a Memory Buffer vulnerability in the component Control Data Access (CDA)
ghsa_unreviewed·2025-07-10
CVE-2025-2521 [HIGH] CWE-119 GHSA-jhch-7xr2-xm3c: The Honeywell Experion PKS and OneWireless WDM contains a Memory Buffer vulnerability in the component Control Data Access (CDA)
The Honeywell Experion PKS and OneWireless WDM contains a Memory Buffer vulnerability in the component Control Data Access (CDA). An attacker could potentially exploit this vulnerability, leading to an Overread Buffers, which could result in improper index validation against buffer borders leading to remote code execution.
Honeywell recommends updating to the most recent version of Honeywell Experion PKS:
520.2 TCU9 HF1 and 530.1 TCU3 HF1 and OneWireless: 322.5 and 331.1.
The affected Experion PKS products are C300 PCNT02, C300 PCNT05, FIM4, FIM8, UOC, CN100, HCA, C300PM, and C200E. The Experion PKS versions affected are from 520.1 through 520.2 TCU9 and from 530 through 530 TCU3. The OneWireless WDM affected versions are 322.1 through 322.4 and 330.1 through 330.3.
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2025-38163 kernel: f2fs: fix to do sanity check on sbi->total_valid_block_count
bugzilla·2025-07-03·CVSS 5.5
CVE-2025-38163 [MEDIUM] CVE-2025-38163 kernel: f2fs: fix to do sanity check on sbi->total_valid_block_count
In the Linux kernel, the following vulnerability has been resolved:
f2fs: fix to do sanity check on sbi->total_valid_block_count
syzbot reported a f2fs bug as below:
------------[ cut here ]------------
kernel BUG at fs/f2fs/f2fs.h:2521!
RIP: 0010:dec_valid_block_count+0x3b2/0x3c0 fs/f2fs/f2fs.h:2521
Call Trace:
f2fs_truncate_data_blocks_range+0xc8c/0x11a0 fs/f2fs/file.c:695
truncate_dnode+0x417/0x740 fs/f2fs/node.c:973
truncate_nodes+0x3ec/0xf50 fs/f2fs/node.c:1014
f2fs_truncate_inode_blocks+0x8e3/0x1370 fs/f2fs/node.c:1197
f2fs_do_truncate_blocks+0x840/0x12b0 fs/f2fs/file.c:810
f2fs_truncate_blocks+0x10d/0x300 fs/f2fs/file.c:838
f2fs_truncate+0x417/0x720 fs/f2fs/file.c:888
f2fs_setattr+0xc4f/0x12f0 fs
Bugzilla
CVE-2025-0624 grub2: net: Out-of-bounds write in grub_net_search_config_file()
bugzilla·2025-02-17·CVSS 7.6
CVE-2025-0624 [HIGH] CVE-2025-0624 grub2: net: Out-of-bounds write in grub_net_search_config_file()
During the network boot process when trying to search for the configuration file, grub copies data from a user-controlled environment variable into an internal buffer using the grub_strcpy() function. During this step it fails to consider the environment variable length when allocating the internal buffer, resulting in an out-of-bounds write. If correctly exploited, this issue may result in remote code execution through the same network segment the grub is searching for the boot information, which can be used to bypass secure boot protections.
Discussion:
This issue has been addressed in the following products:
Red Hat Enterprise Linux 8.8 Extended Update Support
Via RHSA-2025:2521 https://access.redhat.com/erra
Published: 2025-07-10