What security vulnerabilities has Honeywell reported in Experion PKS?

Honeywell has reported multiple security vulnerabilities affecting its Experion Process Knowledge System (PKS), a distributed control system that manages complex industrial processes. Six vulnerabilities have been identified with CVSS scores ranging from 6.5 to 9.4, including integer underflow issues, memory buffer restrictions, improper packet handling, and uninitialized variable usage.

What is the most critical vulnerability affecting Experion PKS?

The most critical vulnerability is CVE-2025-2523 with a CVSS score of 9.4. This is an Integer Underflow vulnerability affecting the Control Data Access component that enables remote code execution through arithmetic operation failures, representing the highest severity risk in the reported vulnerabilities.

Which Experion PKS versions are vulnerable to these security flaws?

The security vulnerabilities impact two major release branches of Honeywell Experion PKS: all installations running releases prior to R520.2 TCU9 Hot Fix 1, and all systems using releases prior to R530 TCU3 Hot Fix 1.

What types of attacks can these vulnerabilities enable?

These vulnerabilities can enable various types of attacks including remote code execution (CVE-2025-2523, CVE-2025-2521, CVE-2025-3946), denial of service attacks (CVE-2025-3947, CVE-2025-2520), and incorrect system behavior through buffer reuse (CVE-2025-2522). The remote code execution vulnerabilities are particularly concerning as they could allow attackers to take control of industrial control systems.

Which system components are most affected by these vulnerabilities?

The Control Data Access component is most affected, with five out of six vulnerabilities (CVE-2025-2523, CVE-2025-2521, CVE-2025-3946, CVE-2025-3947, CVE-2025-2522) impacting this critical system component. One vulnerability (CVE-2025-2520) affects the Epic Platform Analyzer communications component.

What additional security measures should organizations implement?

Organizations should ensure all control system devices follow least-privilege access principles, minimize network exposure, and isolate systems from the internet. These network-level protections are crucial for industrial control systems and provide additional defense layers beyond patching.

Are these vulnerabilities being actively exploited?

Currently, no evidence of active exploitation targeting these specific vulnerabilities has been reported to CISA (Cybersecurity and Infrastructure Security Agency). However, given the critical nature of industrial control systems and the high CVSS scores, organizations should prioritize applying these security updates immediately.

What are the technical details of the buffer and memory-related vulnerabilities?

CVE-2025-2521 involves Improper Memory Buffer Restriction affecting the Control Data Access component, potentially leading to remote code execution through buffer overread conditions. CVE-2025-2522 is related to Sensitive Information in Resource Not Removed Before Reuse, affecting the same component and causing incorrect system behavior through buffer reuse. CVE-2025-2520 involves Use of Uninitialized Variable affecting Epic Platform Analyzer communications, enabling denial of service through uninitialized pointer dereferencing.

Why are these vulnerabilities particularly concerning for industrial environments?

These vulnerabilities are particularly concerning because Honeywell Experion PKS is a distributed control system that manages complex industrial processes in critical infrastructure environments. Successful exploitation could potentially disrupt industrial operations, compromise safety systems, or provide attackers with control over critical industrial processes, making immediate patching essential for operational security and safety.

Advisory

Multiple flaws reported in Honeywell Experion PKS, at least one critical

published: July 24, 2025

Take action: If you have Honeywell Experion PKS industrial control systems, first make sure they are isolated from the internet and accessible from trusted networks. Then plan an update to R520.2 TCU9 Hot Fix 1 or R530 TCU3 Hot Fix 1 (depending on your version).

Learn More

Honeywell is reporting multiple security vulnerabilities affecting its Experion Process Knowledge System (PKS).

Honeywell Experion PKS is a distributed control system that manages complex industrial processes.

Identified Vulnerabilities:

CVE-2025-2523 (CVSS score 9.4) - Integer Underflow vulnerability affecting Control Data Access component, enabling remote code execution through arithmetic operation failures
CVE-2025-2521 (CVSS score 8.6) - Improper Memory Buffer Restriction affecting Control Data Access component, potentially leading to remote code execution through buffer overread conditions
CVE-2025-3946 (CVSS score 8.2) - Deployment of Wrong Handler affecting Control Data Access component, leading to remote code execution through improper packet handling
CVE-2025-3947 (CVSS score 8.2) - Integer Underflow vulnerability affecting Control Data Access component, causing denial of service through improper integer validation
CVE-2025-2520 (CVSS score 7.5) - Use of Uninitialized Variable affecting Epic Platform Analyzer communications, enabling denial of service through uninitialized pointer dereferencing
CVE-2025-2522 (CVSS score 6.5) - Sensitive Information in Resource Not Removed Before Reuse affecting Control Data Access component, causing incorrect system behavior through buffer reuse

The security vulnerabilities impact two major release branches of Honeywell Experion PKS:

All installations running releases prior to R520.2 TCU9 Hot Fix 1
all systems using releases prior to R530 TCU3 Hot Fix 1

Honeywell has released security updates for all identified vulnerabilities. Organizations running Experion PKS installations should upgrade to either R520.2 TCU9 Hot Fix 1 for systems running the R520 release branch or R530 TCU3 Hot Fix 1 for installations using the R530 release branch.

Organizations should also make sure all control system devices follow least-privilege access principles, minimize network exposure and isolate from the internet.

Currently, no evidence of active exploitation targeting these specific vulnerabilities has been reported to CISA.

Multiple flaws reported in Honeywell Experion PKS, at least one critical

Read More
Siemens Fixes Vulnerabilities in Ruggedcom as well as …
Advantech patches maximum-severity SQL injection flaw in IoT …
Multiple vulnerabilities reported in AutomationDirect Productivity Suite and …
Critical cross-site scripting flaw reported in Checkmk Monitoring …
QNAP patches multible security vulnerabilities in legacy VioStor …