Honeywell OneWireless Wireless Device Manager (WDM)

Plan Patch | CVSS 9.4 | ICS-CERT ICSA-25-247-01 | Aug 4, 2025
Honeywell
Attack path
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

Honeywell OneWireless Wireless Device Manager (WDM) firmware versions prior to R322.5 and R331.1 contain buffer overflow and memory corruption vulnerabilities (CWE-119, CWE-226, CWE-191, CWE-430) that allow remote code execution, information exposure, and denial of service without authentication. An attacker with network access to the WDM can exploit these vulnerabilities to gain control of wireless device management, compromise the integrity of process monitoring and control, or disrupt wireless communications across the facility.

What this means
What could happen
An attacker with network access to the Wireless Device Manager could execute arbitrary code on the controller, alter wireless device configurations, or disrupt communications with remote wireless sensors and control devices throughout your facility. This could affect process monitoring, alarms, and automated responses to abnormal conditions.
Who's at risk
Facilities using Honeywell OneWireless Wireless Device Manager for wireless sensor networks, automated control loops, or remote I/O management. This includes water treatment plants, power distribution centers, HVAC systems, and any industrial process that relies on wireless instrumentation for monitoring or control.
How it could be exploited
An attacker on the network can send specially crafted messages to the WDM service without authentication. The vulnerability allows buffer overflow or memory corruption, leading to code execution. The attacker gains control of the WDM, which manages all wireless devices in the facility.
Prerequisites
  • Network access to the OneWireless WDM device (typically on port 9200 or management interface)
  • Device running OneWireless WDM firmware version prior to R322.5 or R331.1
  • No authentication required to send malicious messages
  • remotely exploitable
  • no authentication required
  • low complexity
  • high CVSS score (9.4)
  • affects operational control systems
  • potential for code execution enabling device manipulation
Exploitability
Some exploitation risk — EPSS score 1.2%
Affected products (2)
2 with fix
Product | Affected Versions | Fix Status
OneWireless WDM: <R322.5 | <R322.5 | R322.5+
OneWireless WDM: <R331.1 | <R331.1 | R322.5+
Remediation & Mitigation
Do now
WORKAROUND: Restrict network access to the WDM management interface to only authorized engineering workstations and control system networks
HARDENING: Isolate the OneWireless WDM and wireless device network from direct access from your IT/business network using a firewall
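
One way to verify that the two restrictions above actually hold is to audit firewall or flow logs for traffic reaching the WDM from sources outside the authorized set. The script below is an added example, not code from Honeywell or from this advisory; the IP addresses, subnets and the log line format are constructed assumptions to be replaced with site values.

```python
import ipaddress

# Assumed site values (placeholders, not taken from the advisory).
WDM_ADDRESSES = {ipaddress.ip_address("10.20.0.10")}
ALLOWED_NETWORKS = [
    ipaddress.ip_network("10.20.1.0/28"),  # engineering workstations (assumed)
    ipaddress.ip_network("10.20.0.0/24"),  # control system network (assumed)
]

# Constructed sample flow records: "timestamp src dst dst_port action".
SAMPLE_FLOWS = """\
2025-08-05T08:01:12Z 10.20.1.5 10.20.0.10 9200 ALLOW
2025-08-05T08:03:40Z 10.20.0.31 10.20.0.10 9200 ALLOW
2025-08-05T08:07:02Z 192.168.50.23 10.20.0.10 9200 ALLOW
2025-08-05T08:07:09Z 192.168.50.23 10.20.0.10 443 DENY
2025-08-05T08:09:55Z 10.20.1.5 10.20.0.44 9200 ALLOW
not a flow line
"""


def is_authorized(src):
    """True if the source address is inside an allowed network."""
    return any(src in net for net in ALLOWED_NETWORKS)


def audit_flows(text):
    """Return flows to the WDM from unauthorized sources.

    'exposed' = the firewall let the flow through (a gap to close);
    'blocked' = the flow was denied (working as intended, worth reviewing).
    """
    findings = {"exposed": [], "blocked": []}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip malformed lines
        ts, src, dst, port, action = parts
        try:
            src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
            port_no = int(port)
        except ValueError:
            continue  # skip lines with unparsable addresses or ports
        if dst_ip not in WDM_ADDRESSES or is_authorized(src_ip):
            continue
        key = "exposed" if action.upper() == "ALLOW" else "blocked"
        findings[key].append((ts, src, port_no))
    return findings


if __name__ == "__main__":
    print(audit_flows(SAMPLE_FLOWS))
```

Any entry under `exposed` means a source outside the allowed networks reached the WDM and the firewall rule set needs tightening.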
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Update OneWireless WDM to firmware version R322.5 or R331.1 or later
Long-term hardening
HARDENING: If remote access to the WDM is required, configure a VPN with authentication and encryption; ensure the VPN concentrator is current with security updates
API: /api/v1/advisories/3fd8c116-9af0-4ab7-a14a-21b4ef7ae40c
