Honeywell Experion PKS (Update A)
Plan Patch | CVSS 9.4 | ICS-CERT ICSA-25-205-03 | Jul 24, 2025
Honeywell
Attack path
- Attack Vector: Network
- Auth Required: None
- Complexity: Low
- User Interaction: None needed
Summary
Multiple memory safety and input validation vulnerabilities in Honeywell Experion PKS could allow remote code execution, denial of service, or information disclosure. Affected versions are R520.2 TCU9 Hot Fix 1 and R530 TCU3 Hot Fix 1. Honeywell has not released a vendor patch for these versions and recommends upgrading to a later version when available.
What this means
What could happen
An attacker with network access to Experion PKS could execute commands on the process control system, alter setpoints, stop operations, or extract sensitive process data. Impacts could range from unplanned shutdowns to environmental release or safety system bypass.
Who's at risk
Water utilities, refineries, petrochemical plants, and other process industries using Honeywell Experion PKS distributed control systems (DCS) for process automation and monitoring. Affects R520.2 and R530 versions.
How it could be exploited
An attacker with network access to an unpatched Experion PKS system can exploit memory safety and input validation flaws to execute arbitrary code or crash the system. The vulnerabilities require no authentication and can be triggered remotely over the network.
Prerequisites
- Network access to Experion PKS (R520.2 or R530 systems)
- Target system running an unpatched version
- No authentication or valid credentials required
remotely exploitable | no authentication required | low complexity | no patch available | critical severity (CVSS 9.4) | affects process control systems
Exploitability
Some exploitation risk — EPSS score 1.2%
Affected products (2)
2 pending
| Product | Affected Versions | Fix Status |
|---|---|---|
| Experion PKS: <R520.2_TCU9_Hot_Fix_1 | <R520.2 TCU9 Hot Fix 1 | No fix yet |
| Experion PKS: <R530_TCU3_Hot_Fix_1 | <R530 TCU3 Hot Fix 1 | No fix yet |
Remediation & Mitigation
Do now
- HOTFIX: Apply Honeywell security patches when available; contact vendor for updated firmware beyond R520.2 TCU9 Hot Fix 1 and R530 TCU3 Hot Fix 1
- WORKAROUND: Restrict network access to Experion PKS to only authorized engineering and operations workstations using firewall rules
- HARDENING: Isolate Experion PKS systems from the business network and the Internet; ensure they are not directly reachable from outside the control system network
- HARDENING: Require multi-factor authentication or VPN access for all remote connections to Experion PKS systems
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
- HARDENING: Enable network monitoring and intrusion detection on control system network segments to detect unauthorized access attempts to Experion PKS
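
The access-restriction and monitoring items above can be checked against firewall flow logs. The following Python code is an added example, not part of the advisory or of Honeywell's guidance; the addresses, network ranges, CSV log layout and port values are constructed assumptions to be replaced with site data.

```python
import csv
import io
from ipaddress import ip_address, ip_network

# All addresses below are constructed for illustration (assumptions, not from the advisory).
CONTROL_NET = ip_network("10.20.0.0/16")      # assumed control system network
PKS_HOSTS = {ip_address("10.20.1.10"), ip_address("10.20.1.11")}  # assumed Experion PKS servers
AUTHORIZED = [ip_network("10.20.5.0/28")]     # assumed engineering/operations workstations

# Constructed firewall flow export. The dport values are placeholders,
# not Experion PKS service ports.
SAMPLE_FLOWS = """\
time,src,dst,dport,action
2025-07-24T08:00:01Z,10.20.5.4,10.20.1.10,50000,allow
2025-07-24T08:00:07Z,10.20.9.33,10.20.1.10,50000,allow
2025-07-24T08:01:12Z,10.50.2.8,10.20.1.11,50000,deny
2025-07-24T08:02:40Z,203.0.113.7,10.20.1.10,50000,allow
2025-07-24T08:03:05Z,10.20.5.4,10.20.7.2,443,allow
"""


def audit_flows(flow_csv, pks_hosts=PKS_HOSTS, authorized=AUTHORIZED,
                control_net=CONTROL_NET):
    """Return findings for flows to PKS hosts from sources off the allowlist."""
    findings = []
    for row in csv.DictReader(io.StringIO(flow_csv)):
        src, dst = ip_address(row["src"]), ip_address(row["dst"])
        if dst not in pks_hosts or any(src in net for net in authorized):
            continue  # not a PKS destination, or an authorized workstation
        origin = "inside-control-net" if src in control_net else "outside-control-net"
        # A permitted flow means the firewall rule set has a gap; a denied flow
        # is an access attempt the monitoring team should still see.
        kind = "rule-gap" if row["action"] == "allow" else "blocked-attempt"
        findings.append({"time": row["time"], "src": str(src), "dst": str(dst),
                         "origin": origin, "kind": kind})
    return findings


if __name__ == "__main__":
    for f in audit_flows(SAMPLE_FLOWS):
        print(f"{f['time']} {f['kind']:<15} {f['origin']:<20} {f['src']} -> {f['dst']}")
```

Findings marked `rule-gap` with origin `outside-control-net` are the ones to fix first, since they show an Experion PKS host reachable from beyond the control system network.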