CVE-2025-2520 Honeywell CVE debrief

Who should care

OT and ICS operators, control engineers, and security teams responsible for Honeywell Experion PKS deployments, especially environments running versions earlier than R520.2 TCU9 Hot Fix 1 or R530 TCU3 Hot Fix 1.

Technical summary

The advisory describes an uninitialized variable in common EPA communications. If exploited, communication channel manipulation can lead to dereferencing of an uninitialized pointer and a denial of service. The supplied CVSS vector is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, indicating network-reachable, unauthenticated impact focused on availability.

Defensive priority

High — the issue is network-reachable, requires no privileges or user interaction, and can disrupt ICS availability. Treat patching as a priority maintenance item for affected Experion PKS assets.

Recommended defensive actions

• Upgrade affected Honeywell Experion PKS systems to R520.2 TCU9 Hot Fix 1 or R530 TCU3 Hot Fix 1.
• Inventory Experion PKS assets to identify any systems running versions earlier than the affected fixed releases.
• Review Honeywell Security Notice SN2025 and coordinate maintenance windows before applying the update.
• Apply CISA-recommended ICS defense-in-depth practices, including network segmentation and limiting exposure of control-system communications to trusted networks.
• Validate backups, rollback plans, and post-update service behavior after remediation.

Evidence notes

Source data shows CISA CSAF advisory ICSA-25-205-03 for CVE-2025-2520, published 2025-07-24 and modified 2025-08-04 (Update A added researcher names). The advisory lists two affected Honeywell Experion PKS product entries: <R520.2_TCU9_Hot_Fix_1 and <R530_TCU3_Hot_Fix_1. The supplied CVSS is 7.5 (HIGH) with vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H. No KEV entry or known ransomware use is provided in the supplied corpus.

Official resources