CVE-2025-2605

moderate-risk

Published 2025-05-02

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in Honeywell MB-Secure allows Privilege Abuse. This issue affects MB-Secure: from V11.04 before V12.53 and MB-Secure PRO from V01.06 before V03.09.Honeywell also recommends updating to the most recent version of this product.

Do I need to act?

0.82% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 9.9/10 Critical

NETWORK / LOW complexity

Affected Products (2)

Mb-Secure Firmware

Mb-Secure Pro Firmware

Affected Vendors

Honeywell

References (2)

Vendor Advisory https://www.honeywell.com/us/en/product-security#security-notices

http://seclists.org/fulldisclosure/2025/May/19

/ 100

moderate-risk

Severity 33/34 · Critical

Exploitability 3/34 · Minimal

Exposure 7/34 · Low