1. EXECUTIVE SUMMARY
- CVSS v3 9.4
- ATTENTION: Exploitable remotely/low attack complexity
- Vendor: Honeywell
- Equipment: Experion PKS
- Vulnerabilities: Use of Uninitialized Variable, Improper Restriction of Operations within the Bounds of a Memory Buffer, Sensitive Information in Resource Not Removed Before Reuse, Integer Underflow (Wrap or Wraparound), Deployment of Wrong Handler
2. RISK EVALUATION
Successful exploitation of these vulnerabilities could result in information exposure, denial of service, or remote code execution.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
Honeywell reports these vulnerabilities affect the following:
- Experion PKS: All releases prior to R520.2 TCU9 Hot Fix 1
- Experion PKS: All releases prior to R530 TCU3 Hot Fix 1
3.2 Vulnerability Overview
3.2.1 Use of Uninitialized Variable CWE-457
The Honeywell Experion PKS contains an uninitialized variable in the common Epic Platform Analyzer (EPA) communications. An attacker could potentially exploit this vulnerability, leading to communication channel manipulation, which results in a dereferencing of an uninitialized pointer leading to a denial of service.
CVE-2025-2520 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.5 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).
3.2.2 Improper Restriction of Operations within the Bounds of a Memory Buffer CWE-119
The Honeywell Experion PKS contains a memory buff
[…]
Content was cut in order to protect the source.Please visit the source for the rest of the article.
Read the original article: