CRITICAL🇵🇱 Wersja polska

CVE-2025-2605

CVSS 9.9v3.1pub. 2025-05-02upd. 2025-05-17

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in Honeywell MB-Secure allows Privilege Abuse. This issue affects MB-Secure: from V11.04 before V12.53 and MB-Secure PRO from V01.06 before V03.09.Honeywell also recommends updating to the most recent version of this product.

🤖 AI Analysis
How it works

The vulnerability results from improper neutralization of special characters in operating system commands (CWE-78 — OS Command Injection). An attacker with basic network authentication can inject malicious system commands that will be executed by the device with elevated privileges. The attack vector is network-based, requires no user interaction or high initial privileges, and the impact includes complete breach of confidentiality, integrity, and availability of the system and related systems.

Impact

An attacker can execute arbitrary operating system commands on the device, leading to complete system takeover, data leakage, configuration modification, or disruption of operations — with potential impact on other systems in the network.

Mitigation & patch

Honeywell MB-Secure firmware must be updated to version V12.53 or later, and Honeywell MB-Secure PRO to version V03.09 or later. The manufacturer additionally recommends migration to the latest available product version. Details are available in Honeywell security notices at https://www.honeywell.com/us/en/product-security#security-notices.

Who is affected

Honeywell MB-Secure versions from V11.04 to V12.52 (before V12.53) and Honeywell MB-Secure PRO versions from V01.06 to V03.08 (before V03.09).

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
  • Honeywell Mb Secure

    HW
    Honeywell
    wszystkie wersje
  • Honeywell Mb Secure Firmware

    OS
    Honeywell
    11.04 – 12.53 (bez)
  • Honeywell Mb Secure Pro

    HW
    Honeywell
    wszystkie wersje
  • Honeywell Mb Secure Pro Firmware

    OS
    Honeywell
    01.06 – 03.09 (bez)
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
Command Injection
CWE
References

Related vulnerabilities

CVE-2026-3611CRITICAL10.0PL ✓ten sam vendor

Honeywell IQ4x — brak uwierzytelnienia w fabrycznym HMI (CWE-306)

CVE-2024-2422CRITICAL9.3PL ✓ten sam vendor

Uwierzytelniony RCE w LenelS2 NetBox (wersje do 5.6.1 włącznie)

CVE-2024-2421CRITICAL9.3PL ✓ten sam vendor

Nieuwierzytelniony RCE w Honeywell LenelS2 NetBox (command injection)

CVE-2023-5389CRITICAL9.1PL ✓ten sam vendor

Nieautoryzowana modyfikacja plików w Honeywell ControlEdge UOC i VirtualUOC

CVE-2023-3710CRITICAL9.9ten sam vendor

Improper Input Validation vulnerability in Honeywell PM43 on 32 bit, ARM (Printer web page modules) allows Com...