Honeywell Experion PKS (Update A)
Act Now · 9.4 · ICS-CERT ICSA-25-205-03 · Jul 24, 2025
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
Multiple vulnerabilities exist in Honeywell Experion PKS versions R520.2 TCU9 Hot Fix 1 and R530 TCU3 Hot Fix 1. These include uninitialized variables (CWE-457), buffer issues (CWE-119), missing validation (CWE-226), and integer underflow (CWE-191). Successful exploitation could result in information disclosure, denial of service, or remote code execution on the control system without authentication.
What this means
What could happen
An attacker with network access to Experion PKS could extract sensitive data, disrupt operations, or gain remote control of the process control system, potentially altering setpoints or stopping critical plant processes.
Who's at risk
Operators and engineers managing Honeywell Experion PKS process control systems at oil and gas, chemical, refining, and power generation facilities should prioritize this immediately. This affects the core process safety system, and any disruption or compromise could impact production safety and operations.
How it could be exploited
An attacker on the network sends a crafted message to a vulnerable Experion PKS server. The vulnerability allows code execution without authentication, giving the attacker command-line access to the control system.
Prerequisites
- Network access to the Experion PKS server
- No credentials required
Remotely exploitable · No authentication required · Low complexity · No patch available · Affects process control system
Exploitability
Low exploit probability (EPSS 0.4%)
Affected products (2)
2 pending
Product | Affected Versions | Fix Status
Experion PKS: <R520.2_TCU9_Hot_Fix_1 | <R520.2 TCU9 Hot Fix 1 | No fix yet
Experion PKS: <R530_TCU3_Hot_Fix_1 | <R530 TCU3 Hot Fix 1 | No fix yet
Remediation & Mitigation
Do now
- WORKAROUND: Restrict network access to Experion PKS to authorized engineering workstations only using firewall rules; block all inbound connections from the Internet and untrusted networks
- HARDENING: Isolate the Experion PKS network segment from business networks and the Internet using a demilitarized zone (DMZ) or air-gapped architecture
- HARDENING: Implement virtual private network (VPN) with multi-factor authentication for any required remote access to Experion PKS
- HARDENING: Apply least-privilege access controls; ensure only authorized personnel have credentials to access the control system
Schedule — requires maintenance window
Patching may require device reboot; plan for process interruption
- HOTFIX: Contact Honeywell for available security patches or updated firmware beyond TCU9 Hot Fix 1 (R520.2) or TCU3 Hot Fix 1 (R530) and schedule patching during a maintenance window