
Honeywell has issued an urgent security notice (SN 2025-05-01-01) disclosing a critical vulnerability in its MB-Secure and MB-Secure PRO alarm control panels, used in physical security infrastructure across enterprise and industrial environments. The flaw, tracked as CVE-2025-2605, allows attackers with limited access to execute unauthorized operating system commands with elevated privileges—posing a serious risk of system compromise.
“This vulnerability could allow an attacker to execute operating system command leading to CAPEC-122: Privilege Abuse,” the advisory states, rating the issue as Critical with a CVSS score of 9.9.
The flaw affects:
- MB-Secure versions from V11.04 to V12.52
- MB-Secure PRO versions from V01.06 to V03.08
“MB-Secure and MB-Secure PRO alarm control panels were discovered to contain OS command injection in versions prior to V12.53 for MB-Secure and V03.09 for MB-Secure PRO,” Honeywell confirms.
The vulnerable components expose an entry point where malicious system commands could be injected and executed without proper authorization checks, effectively enabling privilege escalation and remote manipulation of alarm systems.
Honeywell has released patched versions to remediate the vulnerability:
- MB-Secure: Upgrade to version V12.53
- MB-Secure PRO: Upgrade to version V03.09
The advisory notes that these updates are intended for qualified personnel with administrative credentials due to the critical nature of the systems involved.
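To triage an asset inventory against the version ranges listed above, the following added example (not code from Honeywell or the advisory) classifies each panel as affected, fixed, or needing manual review. The inventory format, the asset names and the choice to flag versions older than the listed range for review rather than calling them safe are assumptions.

```python
import re

# Ranges and fixed versions as stated in the article (SN 2025-05-01-01).
AFFECTED = {
    "MB-Secure":     {"first": (11, 4), "last": (12, 52), "fixed": "V12.53"},
    "MB-Secure PRO": {"first": (1, 6),  "last": (3, 8),   "fixed": "V03.09"},
}
_VERSION = re.compile(r"^\s*[Vv]?(\d{1,2})\.(\d{1,2})\s*$")


def parse_version(text):
    """Turn 'V12.52' into (12, 52); return None if the string is not Vxx.yy."""
    m = _VERSION.match(text or "")
    return (int(m.group(1)), int(m.group(2))) if m else None


def classify(product, version_text):
    """Return (status, detail) for one panel."""
    rng = AFFECTED.get(product.strip())
    if rng is None:
        return ("not-listed", "product not named in the notice")
    ver = parse_version(version_text)
    if ver is None:
        return ("unknown", "unparseable version, check the panel manually")
    if ver > rng["last"]:
        return ("fixed", "at or above " + rng["fixed"])
    if ver >= rng["first"]:
        return ("affected", "upgrade to " + rng["fixed"])
    # Assumption: versions older than the listed range are flagged for review,
    # not treated as safe, since the quoted wording says "prior to".
    return ("review", "older than the listed range, confirm with the vendor")


def audit(inventory):
    """inventory: iterable of (asset, product, version) -> list of result rows."""
    return [(asset, product, version) + classify(product, version)
            for asset, product, version in inventory]


# Constructed sample inventory (asset names and versions are made up).
SAMPLE = [
    ("site-a-01", "MB-Secure", "V12.52"),
    ("site-a-02", "MB-Secure", "V12.53"),
    ("site-b-01", "MB-Secure PRO", "V03.08"),
    ("site-b-02", "MB-Secure PRO", "V01.05"),
    ("site-c-01", "MB-Secure", "unknown"),
]

if __name__ == "__main__":
    for row in audit(SAMPLE):
        print("{:<10} {:<14} {:<8} {:<9} {}".format(*row))
```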