cvelistv5 - cve-2025-58590

CVE-2025-58590 (GCVE-0-2025-58590)

Vulnerability from cvelistv5

Published

2025-10-06 07:06

Modified

2025-10-06 17:42

Severity ?

6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CWE

CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Summary

It's possible to brute force folders and files, what can be used by an attacker to steal sensitve information.

References

URL

Tags

	psirt@sick.de	https://sick.com/psirt
	psirt@sick.de	https://www.cisa.gov/resources-tools/resources/ics-recommended-practices
	psirt@sick.de	https://www.first.org/cvss/calculator/3.1
	psirt@sick.de	https://www.sick.com/.well-known/csaf/white/2025/sca-2025-0010.json
	psirt@sick.de	https://www.sick.com/.well-known/csaf/white/2025/sca-2025-0010.pdf
	psirt@sick.de	https://www.sick.com/media/docs/9/19/719/special_information_sick_operating_guidelines_cybersecurity_by_sick_en_im0106719.pdf

Impacted products

Vendor

Product

Version

SICK AG

Baggage Analytics

Version: 0 <

SICK AG	Tire Analytics	Version: 0 <
SICK AG	Package Analytics	Version: 0 <
SICK AG	Logistic Diagnostic Analytics	Version: 0 <
SICK AG	Baggage Analytics	Version: 4.6.2 <
SICK AG	Tire Analytics	Version: 4.6.2 <
SICK AG	Package Analytics	Version: 4.6.2 <
SICK AG	Logistic Diagnostic Analytics	Version: 4.6.2 <
SICK AG	Baggage Analytics	Version: 4.6.2 <
SICK AG	Tire Analytics	Version: 4.6.2 <
SICK AG	Package Analytics	Version: 4.6.2 <
SICK AG	Logistic Diagnostic Analytics	Version: 4.6.2 <

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-58590",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-10-06T17:41:38.972497Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-10-06T17:42:15.992Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "affected",
          "product": "Baggage Analytics",
          "vendor": "SICK AG",
          "versions": [
            {
              "lessThanOrEqual": "\u003c= 4.6.1",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Tire Analytics",
          "vendor": "SICK AG",
          "versions": [
            {
              "lessThanOrEqual": "\u003c= 4.6.1",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Package Analytics",
          "vendor": "SICK AG",
          "versions": [
            {
              "lessThanOrEqual": "\u003c= 4.6.1",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Logistic Diagnostic Analytics",
          "vendor": "SICK AG",
          "versions": [
            {
              "lessThanOrEqual": "\u003c= 4.6.1",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Baggage Analytics",
          "vendor": "SICK AG",
          "versions": [
            {
              "status": "affected",
              "version": "4.6.2",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Tire Analytics",
          "vendor": "SICK AG",
          "versions": [
            {
              "status": "affected",
              "version": "4.6.2",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Package Analytics",
          "vendor": "SICK AG",
          "versions": [
            {
              "status": "affected",
              "version": "4.6.2",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Logistic Diagnostic Analytics",
          "vendor": "SICK AG",
          "versions": [
            {
              "status": "affected",
              "version": "4.6.2",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Baggage Analytics",
          "vendor": "SICK AG",
          "versions": [
            {
              "status": "affected",
              "version": "4.6.2",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Tire Analytics",
          "vendor": "SICK AG",
          "versions": [
            {
              "status": "affected",
              "version": "4.6.2",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Package Analytics",
          "vendor": "SICK AG",
          "versions": [
            {
              "status": "affected",
              "version": "4.6.2",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Logistic Diagnostic Analytics",
          "vendor": "SICK AG",
          "versions": [
            {
              "status": "affected",
              "version": "4.6.2",
              "versionType": "custom"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eIt\u0027s possible to brute force folders and files, what can be used by an attacker to steal sensitve information.\u003c/p\u003e"
            }
          ],
          "value": "It\u0027s possible to brute force folders and files, what can be used by an attacker to steal sensitve information."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "environmentalScore": 6.5,
            "environmentalSeverity": "MEDIUM",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "temporalScore": 6.5,
            "temporalSeverity": "MEDIUM",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-22",
              "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-10-06T07:06:26.315Z",
        "orgId": "a6863dd2-93fc-443d-bef1-79f0b5020988",
        "shortName": "SICK AG"
      },
      "references": [
        {
          "tags": [
            "x_SICK PSIRT Security Advisories"
          ],
          "url": "https://sick.com/psirt"
        },
        {
          "tags": [
            "x_SICK Operating Guidelines"
          ],
          "url": "https://www.sick.com/media/docs/9/19/719/special_information_sick_operating_guidelines_cybersecurity_by_sick_en_im0106719.pdf"
        },
        {
          "tags": [
            "x_ICS-CERT recommended practices on Industrial Security"
          ],
          "url": "https://www.cisa.gov/resources-tools/resources/ics-recommended-practices"
        },
        {
          "tags": [
            "x_CVSS v3.1 Calculator"
          ],
          "url": "https://www.first.org/cvss/calculator/3.1"
        },
        {
          "tags": [
            "x_The canonical URL."
          ],
          "url": "https://www.sick.com/.well-known/csaf/white/2025/sca-2025-0010.json"
        },
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://www.sick.com/.well-known/csaf/white/2025/sca-2025-0010.pdf"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eIt is stronlgy recommended to update to the latest version (\u0026gt;= 4.6.2).\u003c/p\u003e"
            }
          ],
          "value": "It is stronlgy recommended to update to the latest version (\u003e= 4.6.2)."
        }
      ],
      "source": {
        "advisory": "SCA-2025-0010",
        "discovery": "INTERNAL"
      },
      "title": "Path traversal",
      "x_generator": {
        "engine": "csaf2cve 0.2.1"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a6863dd2-93fc-443d-bef1-79f0b5020988",
    "assignerShortName": "SICK AG",
    "cveId": "CVE-2025-58590",
    "datePublished": "2025-10-06T07:06:26.315Z",
    "dateReserved": "2025-09-03T08:58:53.142Z",
    "dateUpdated": "2025-10-06T17:42:15.992Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-58590\",\"sourceIdentifier\":\"psirt@sick.de\",\"published\":\"2025-10-06T07:15:35.873\",\"lastModified\":\"2025-10-06T14:56:21.733\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"It\u0027s possible to brute force folders and files, what can be used by an attacker to steal sensitve information.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"psirt@sick.de\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N\",\"baseScore\":6.5,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"psirt@sick.de\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-22\"}]}],\"references\":[{\"url\":\"https://sick.com/psirt\",\"source\":\"psirt@sick.de\"},{\"url\":\"https://www.cisa.gov/resources-tools/resources/ics-recommended-practices\",\"source\":\"psirt@sick.de\"},{\"url\":\"https://www.first.org/cvss/calculator/3.1\",\"source\":\"psirt@sick.de\"},{\"url\":\"https://www.sick.com/.well-known/csaf/white/2025/sca-2025-0010.json\",\"source\":\"psirt@sick.de\"},{\"url\":\"https://www.sick.com/.well-known/csaf/white/2025/sca-2025-0010.pdf\",\"source\":\"psirt@sick.de\"},{\"url\":\"https://www.sick.com/media/docs/9/19/719/special_information_sick_operating_guidelines_cybersecurity_by_sick_en_im0106719.pdf\",\"source\":\"psirt@sick.de\"}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-58590\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-10-06T17:41:38.972497Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-10-06T17:42:12.154Z\"}}], \"cna\": {\"title\": \"Path traversal\", \"source\": {\"advisory\": \"SCA-2025-0010\", \"discovery\": \"INTERNAL\"}, \"metrics\": [{\"format\": \"CVSS\", \"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 6.5, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N\", \"temporalScore\": 6.5, \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"temporalSeverity\": \"MEDIUM\", \"availabilityImpact\": \"NONE\", \"environmentalScore\": 6.5, \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"HIGH\", \"environmentalSeverity\": \"MEDIUM\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"vendor\": \"SICK AG\", \"product\": \"Baggage Analytics\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"versionType\": \"custom\", \"lessThanOrEqual\": \"\u003c= 4.6.1\"}], \"defaultStatus\": \"affected\"}, {\"vendor\": \"SICK AG\", \"product\": \"Tire Analytics\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"versionType\": \"custom\", \"lessThanOrEqual\": \"\u003c= 4.6.1\"}], \"defaultStatus\": \"affected\"}, {\"vendor\": \"SICK AG\", \"product\": \"Package Analytics\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"versionType\": \"custom\", \"lessThanOrEqual\": \"\u003c= 4.6.1\"}], \"defaultStatus\": \"affected\"}, {\"vendor\": \"SICK AG\", \"product\": \"Logistic Diagnostic Analytics\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"versionType\": \"custom\", \"lessThanOrEqual\": \"\u003c= 4.6.1\"}], \"defaultStatus\": \"affected\"}, {\"vendor\": \"SICK AG\", \"product\": \"Baggage Analytics\", \"versions\": [{\"status\": \"affected\", \"version\": \"4.6.2\", \"versionType\": \"custom\"}], \"defaultStatus\": \"affected\"}, {\"vendor\": \"SICK AG\", \"product\": \"Tire Analytics\", \"versions\": [{\"status\": \"affected\", \"version\": \"4.6.2\", \"versionType\": \"custom\"}], \"defaultStatus\": \"affected\"}, {\"vendor\": \"SICK AG\", \"product\": \"Package Analytics\", \"versions\": [{\"status\": \"affected\", \"version\": \"4.6.2\", \"versionType\": \"custom\"}], \"defaultStatus\": \"affected\"}, {\"vendor\": \"SICK AG\", \"product\": \"Logistic Diagnostic Analytics\", \"versions\": [{\"status\": \"affected\", \"version\": \"4.6.2\", \"versionType\": \"custom\"}], \"defaultStatus\": \"affected\"}, {\"vendor\": \"SICK AG\", \"product\": \"Baggage Analytics\", \"versions\": [{\"status\": \"affected\", \"version\": \"4.6.2\", \"versionType\": \"custom\"}], \"defaultStatus\": \"affected\"}, {\"vendor\": \"SICK AG\", \"product\": \"Tire Analytics\", \"versions\": [{\"status\": \"affected\", \"version\": \"4.6.2\", \"versionType\": \"custom\"}], \"defaultStatus\": \"affected\"}, {\"vendor\": \"SICK AG\", \"product\": \"Package Analytics\", \"versions\": [{\"status\": \"affected\", \"version\": \"4.6.2\", \"versionType\": \"custom\"}], \"defaultStatus\": \"affected\"}, {\"vendor\": \"SICK AG\", \"product\": \"Logistic Diagnostic Analytics\", \"versions\": [{\"status\": \"affected\", \"version\": \"4.6.2\", \"versionType\": \"custom\"}], \"defaultStatus\": \"affected\"}], \"solutions\": [{\"lang\": \"en\", \"value\": \"It is stronlgy recommended to update to the latest version (\u003e= 4.6.2).\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"\u003cp\u003eIt is stronlgy recommended to update to the latest version (\u0026gt;= 4.6.2).\u003c/p\u003e\", \"base64\": false}]}], \"references\": [{\"url\": \"https://sick.com/psirt\", \"tags\": [\"x_SICK PSIRT Security Advisories\"]}, {\"url\": \"https://www.sick.com/media/docs/9/19/719/special_information_sick_operating_guidelines_cybersecurity_by_sick_en_im0106719.pdf\", \"tags\": [\"x_SICK Operating Guidelines\"]}, {\"url\": \"https://www.cisa.gov/resources-tools/resources/ics-recommended-practices\", \"tags\": [\"x_ICS-CERT recommended practices on Industrial Security\"]}, {\"url\": \"https://www.first.org/cvss/calculator/3.1\", \"tags\": [\"x_CVSS v3.1 Calculator\"]}, {\"url\": \"https://www.sick.com/.well-known/csaf/white/2025/sca-2025-0010.json\", \"tags\": [\"x_The canonical URL.\"]}, {\"url\": \"https://www.sick.com/.well-known/csaf/white/2025/sca-2025-0010.pdf\", \"tags\": [\"vendor-advisory\"]}], \"x_generator\": {\"engine\": \"csaf2cve 0.2.1\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"It\u0027s possible to brute force folders and files, what can be used by an attacker to steal sensitve information.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"\u003cp\u003eIt\u0027s possible to brute force folders and files, what can be used by an attacker to steal sensitve information.\u003c/p\u003e\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-22\", \"description\": \"CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)\"}]}], \"providerMetadata\": {\"orgId\": \"a6863dd2-93fc-443d-bef1-79f0b5020988\", \"shortName\": \"SICK AG\", \"dateUpdated\": \"2025-10-06T07:06:26.315Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2025-58590\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-10-06T17:42:15.992Z\", \"dateReserved\": \"2025-09-03T08:58:53.142Z\", \"assignerOrgId\": \"a6863dd2-93fc-443d-bef1-79f0b5020988\", \"datePublished\": \"2025-10-06T07:06:26.315Z\", \"assignerShortName\": \"SICK AG\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}

ghsa-mq7g-4ph7-xx79

Vulnerability from github

Published

2025-10-06 09:30

Modified

2025-10-06 09:30

Severity ?

6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Details

It's possible to brute force folders and files, what can be used by an attacker to steal sensitve information.

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2025-58590"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-22"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-10-06T07:15:35Z",
    "severity": "MODERATE"
  },
  "details": "It\u0027s possible to brute force folders and files, what can be used by an attacker to steal sensitve information.",
  "id": "GHSA-mq7g-4ph7-xx79",
  "modified": "2025-10-06T09:30:19Z",
  "published": "2025-10-06T09:30:19Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-58590"
    },
    {
      "type": "WEB",
      "url": "https://sick.com/psirt"
    },
    {
      "type": "WEB",
      "url": "https://www.cisa.gov/resources-tools/resources/ics-recommended-practices"
    },
    {
      "type": "WEB",
      "url": "https://www.first.org/cvss/calculator/3.1"
    },
    {
      "type": "WEB",
      "url": "https://www.sick.com/.well-known/csaf/white/2025/sca-2025-0010.json"
    },
    {
      "type": "WEB",
      "url": "https://www.sick.com/.well-known/csaf/white/2025/sca-2025-0010.pdf"
    },
    {
      "type": "WEB",
      "url": "https://www.sick.com/media/docs/9/19/719/special_information_sick_operating_guidelines_cybersecurity_by_sick_en_im0106719.pdf"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

fkie_cve-2025-58590

Vulnerability from fkie_nvd

Published

2025-10-06 07:15

Modified

2025-10-06 14:56

Severity ?

6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Summary

It's possible to brute force folders and files, what can be used by an attacker to steal sensitve information.

References

	URL	Tags
	psirt@sick.de	https://sick.com/psirt
	psirt@sick.de	https://www.cisa.gov/resources-tools/resources/ics-recommended-practices
	psirt@sick.de	https://www.first.org/cvss/calculator/3.1
	psirt@sick.de	https://www.sick.com/.well-known/csaf/white/2025/sca-2025-0010.json
	psirt@sick.de	https://www.sick.com/.well-known/csaf/white/2025/sca-2025-0010.pdf
	psirt@sick.de	https://www.sick.com/media/docs/9/19/719/special_information_sick_operating_guidelines_cybersecurity_by_sick_en_im0106719.pdf

Impacted products

	Vendor	Product	Version

JSON

To clipboard

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "It\u0027s possible to brute force folders and files, what can be used by an attacker to steal sensitve information."
    }
  ],
  "id": "CVE-2025-58590",
  "lastModified": "2025-10-06T14:56:21.733",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.5,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "NONE",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 3.6,
        "source": "psirt@sick.de",
        "type": "Secondary"
      }
    ]
  },
  "published": "2025-10-06T07:15:35.873",
  "references": [
    {
      "source": "psirt@sick.de",
      "url": "https://sick.com/psirt"
    },
    {
      "source": "psirt@sick.de",
      "url": "https://www.cisa.gov/resources-tools/resources/ics-recommended-practices"
    },
    {
      "source": "psirt@sick.de",
      "url": "https://www.first.org/cvss/calculator/3.1"
    },
    {
      "source": "psirt@sick.de",
      "url": "https://www.sick.com/.well-known/csaf/white/2025/sca-2025-0010.json"
    },
    {
      "source": "psirt@sick.de",
      "url": "https://www.sick.com/.well-known/csaf/white/2025/sca-2025-0010.pdf"
    },
    {
      "source": "psirt@sick.de",
      "url": "https://www.sick.com/media/docs/9/19/719/special_information_sick_operating_guidelines_cybersecurity_by_sick_en_im0106719.pdf"
    }
  ],
  "sourceIdentifier": "psirt@sick.de",
  "vulnStatus": "Awaiting Analysis",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-22"
        }
      ],
      "source": "psirt@sick.de",
      "type": "Secondary"
    }
  ]
}

sca-2025-0010

Vulnerability from csaf_sick

Published

2025-10-02 13:00

Modified

2025-10-02 13:00

Summary

Multiple vulnerabilities in SICK Enterprise Analytics and SICK Logistic Analytics Products

Notes

summary

SICK has found multiple vulnerabilities in SICK Enterprise Analytics and the SICK Logistic Analytics products. The vulnerabilities could potentially affect the confidentiality, integrity an availability of the products. Therefore it is strongly recommended to apply general security practices when operating the products. Currently, SICK is not aware of any public exploits.

General Security Measures

As general security measures, SICK recommends to minimize network exposure of the devices, restrict network access and follow recommended security practices in order to run the devices in a protected IT environment.

Vulnerability Classification

SICK performs vulnerability classification by using the CVSS scoring system (*CVSS v3.1*). The environmental score is dependent on the customer’s environment and can affect the overall CVSS score. SICK recommends that customers individually evaluate the environmental score to achieve final scoring.

JSON

To clipboard

{
  "document": {
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en-US",
    "notes": [
      {
        "category": "summary",
        "text": "SICK has found multiple vulnerabilities in SICK Enterprise Analytics and the SICK Logistic Analytics products. The vulnerabilities could potentially affect the confidentiality, integrity an availability of the products. Therefore it is strongly recommended to apply general security practices when operating the products. Currently, SICK is not aware of any public exploits.",
        "title": "summary"
      },
      {
        "category": "general",
        "text": "As general security measures, SICK recommends to minimize network exposure of the devices, restrict network access and follow recommended security practices in order to run the devices in a protected IT environment.",
        "title": "General Security Measures"
      },
      {
        "category": "general",
        "text": "SICK performs vulnerability classification by using the CVSS scoring system (*CVSS v3.1*). The environmental score is dependent on the customer\u2019s environment and can affect the overall CVSS score. SICK recommends that customers individually evaluate the environmental score to achieve final scoring.",
        "title": "Vulnerability Classification"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "psirt@sick.de",
      "issuing_authority": "SICK AG issues and issues in EHS products (when related to the Endress+Hauser SICK (EHS) joint venture).",
      "name": "SICK PSIRT",
      "namespace": "https://www.sick.com/psirt"
    },
    "references": [
      {
        "summary": "SICK PSIRT Security Advisories",
        "url": "https://sick.com/psirt"
      },
      {
        "summary": "SICK Operating Guidelines",
        "url": "https://www.sick.com/media/docs/9/19/719/special_information_sick_operating_guidelines_cybersecurity_by_sick_en_im0106719.pdf"
      },
      {
        "summary": "ICS-CERT recommended practices on Industrial Security",
        "url": "https://www.cisa.gov/resources-tools/resources/ics-recommended-practices"
      },
      {
        "summary": "CVSS v3.1 Calculator",
        "url": "https://www.first.org/cvss/calculator/3.1"
      },
      {
        "category": "self",
        "summary": "The canonical URL.",
        "url": "https://www.sick.com/.well-known/csaf/white/2025/sca-2025-0010.json"
      }
    ],
    "title": "Multiple vulnerabilities in SICK Enterprise Analytics and SICK Logistic Analytics Products",
    "tracking": {
      "current_release_date": "2025-10-02T13:00:00.000Z",
      "generator": {
        "date": "2025-10-02T09:09:44.241Z",
        "engine": {
          "name": "Secvisogram",
          "version": "2.5.36"
        }
      },
      "id": "SCA-2025-0010",
      "initial_release_date": "2025-10-02T13:00:00.000Z",
      "revision_history": [
        {
          "date": "2025-10-02T13:00:00.000Z",
          "number": "1",
          "summary": "Initial version"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "branches": [
                  {
                    "category": "product_version_range",
                    "name": "vers:all/*",
                    "product": {
                      "name": "SICK Enterprise Analytics all versions",
                      "product_id": "CSAFPID-0001"
                    }
                  }
                ],
                "category": "product_name",
                "name": "Enterprise Analytics"
              }
            ],
            "category": "product_family",
            "name": "Analytics Solutions"
          },
          {
            "branches": [
              {
                "branches": [
                  {
                    "category": "product_version_range",
                    "name": "\u003c= 4.6.1",
                    "product": {
                      "name": "SICK Baggage Analytics \u003c= 4.6.1",
                      "product_id": "CSAFPID-0002"
                    }
                  },
                  {
                    "category": "product_version",
                    "name": "4.6.2",
                    "product": {
                      "name": "SICK Baggage Analytics 4.6.2",
                      "product_id": "CSAFPID-0003"
                    }
                  },
                  {
                    "category": "product_version_range",
                    "name": "vers:all/*",
                    "product": {
                      "name": "SICK Baggage Analytics all versions",
                      "product_id": "CSAFPID-0004"
                    }
                  }
                ],
                "category": "product_name",
                "name": "Baggage Analytics"
              },
              {
                "branches": [
                  {
                    "category": "product_version_range",
                    "name": "\u003c= 4.6.1",
                    "product": {
                      "name": "SICK Tire Analytics \u003c= 4.6.1",
                      "product_id": "CSAFPID-0005"
                    }
                  },
                  {
                    "category": "product_version",
                    "name": "4.6.2",
                    "product": {
                      "name": "SICK Tire Analytics 4.6.2",
                      "product_id": "CSAFPID-0006"
                    }
                  },
                  {
                    "category": "product_version_range",
                    "name": "vers:all/*",
                    "product": {
                      "name": "SICK Tire Analytics all versions",
                      "product_id": "CSAFPID-0007"
                    }
                  }
                ],
                "category": "product_name",
                "name": "Tire Analytics"
              },
              {
                "branches": [
                  {
                    "category": "product_version_range",
                    "name": "\u003c= 4.6.1",
                    "product": {
                      "name": "SICK Package Analytics \u003c= 4.6.1",
                      "product_id": "CSAFPID-0008"
                    }
                  },
                  {
                    "category": "product_version",
                    "name": "4.6.2",
                    "product": {
                      "name": "SICK Package Analytics 4.6.2",
                      "product_id": "CSAFPID-0009"
                    }
                  },
                  {
                    "category": "product_version_range",
                    "name": "vers:all/*",
                    "product": {
                      "name": "SICK Package Analytics all versions",
                      "product_id": "CSAFPID-0010"
                    }
                  }
                ],
                "category": "product_name",
                "name": "Package Analytics"
              },
              {
                "branches": [
                  {
                    "category": "product_version_range",
                    "name": "\u003c= 4.6.1",
                    "product": {
                      "name": "SICK Logistic Diagnostic Analytics \u003c= 4.6.1",
                      "product_id": "CSAFPID-0011"
                    }
                  },
                  {
                    "category": "product_version",
                    "name": "4.6.2",
                    "product": {
                      "name": "SICK Logistic Diagnostic Analytics 4.6.2",
                      "product_id": "CSAFPID-0012"
                    }
                  },
                  {
                    "category": "product_version_range",
                    "name": "vers:all/*",
                    "product": {
                      "name": "SICK Logistic Diagnostic Analytics all versions",
                      "product_id": "CSAFPID-0013"
                    }
                  }
                ],
                "category": "product_name",
                "name": "Logistic Diagnostic Analytics"
              }
            ],
            "category": "product_family",
            "name": "Logistic Analytics"
          }
        ],
        "category": "vendor",
        "name": "SICK AG"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2025-9914",
      "cwe": {
        "id": "CWE-288",
        "name": "Authentication Bypass Using an Alternate Path or Channel"
      },
      "notes": [
        {
          "audience": "all",
          "category": "summary",
          "text": "The credentials of the users stored in the system\u0027s local database can be used for the log in, making it possible for an attacker to gain unauthorized access. This could potentially affect the confidentiality of the application.",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-0004",
          "CSAFPID-0007",
          "CSAFPID-0010",
          "CSAFPID-0013"
        ]
      },
      "remediations": [
        {
          "category": "workaround",
          "details": "Please make sure that only trusted entities have access to the device. Furthermore, you should apply the following General Security Measures when operating the product to mitigate the associated security risk. The collected resources \u201dSICK Operating Guidelines\u201d and \u201dICS-CERT recommended practices on Industrial Security\u201d could help to implement the general security practices.",
          "product_ids": [
            "CSAFPID-0004",
            "CSAFPID-0007",
            "CSAFPID-0010",
            "CSAFPID-0013"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "environmentalScore": 4.3,
            "environmentalSeverity": "MEDIUM",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "temporalScore": 4.3,
            "temporalSeverity": "MEDIUM",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-0004",
            "CSAFPID-0007",
            "CSAFPID-0010",
            "CSAFPID-0013"
          ]
        }
      ],
      "title": "Authentication with database users is possible"
    },
    {
      "cve": "CVE-2025-9913",
      "cwe": {
        "id": "CWE-79",
        "name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
      },
      "notes": [
        {
          "audience": "all",
          "category": "summary",
          "text": "JavaScript can be ran inside the address bar via the dashboard \"Open in new Tab\" Button, making the application vulnerable to session hijacking.",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-0004",
          "CSAFPID-0007",
          "CSAFPID-0010",
          "CSAFPID-0013"
        ]
      },
      "remediations": [
        {
          "category": "workaround",
          "details": "Please make sure that only trusted entities have access to the device. Furthermore, you should apply the following General Security Measures when operating the product to mitigate the associated security risk. The collected resources \u201dSICK Operating Guidelines\u201d and \u201dICS-CERT recommended practices on Industrial Security\u201d could help to implement the general security practices.",
          "product_ids": [
            "CSAFPID-0004",
            "CSAFPID-0007",
            "CSAFPID-0010",
            "CSAFPID-0013"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 4.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "environmentalScore": 4.5,
            "environmentalSeverity": "MEDIUM",
            "integrityImpact": "NONE",
            "privilegesRequired": "HIGH",
            "scope": "UNCHANGED",
            "temporalScore": 4.5,
            "temporalSeverity": "MEDIUM",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-0004",
            "CSAFPID-0007",
            "CSAFPID-0010",
            "CSAFPID-0013"
          ]
        }
      ],
      "title": "Cross Site Scripting: Session Hijacking"
    },
    {
      "cve": "CVE-2025-58587",
      "cwe": {
        "id": "CWE-307",
        "name": "Improper Restriction of Excessive Authentication Attempts"
      },
      "notes": [
        {
          "audience": "all",
          "category": "summary",
          "text": "The application does not implement sufficient measures to prevent multiple failed authentication attempts within a short time frame, making it possible for an attacker to guess user credentials.",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-0004",
          "CSAFPID-0007",
          "CSAFPID-0010",
          "CSAFPID-0013",
          "CSAFPID-0001"
        ]
      },
      "remediations": [
        {
          "category": "workaround",
          "details": "Please make sure that only trusted entities have access to the device. Furthermore, you should apply the following General Security Measures when operating the product to mitigate the associated security risk. The collected resources \u201dSICK Operating Guidelines\u201d and \u201dICS-CERT recommended practices on Industrial Security\u201d could help to implement the general security practices.",
          "product_ids": [
            "CSAFPID-0004",
            "CSAFPID-0007",
            "CSAFPID-0010",
            "CSAFPID-0013",
            "CSAFPID-0001"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "environmentalScore": 6.5,
            "environmentalSeverity": "MEDIUM",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "temporalScore": 6.5,
            "temporalSeverity": "MEDIUM",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-0004",
            "CSAFPID-0007",
            "CSAFPID-0010",
            "CSAFPID-0013",
            "CSAFPID-0001"
          ]
        }
      ],
      "title": "Improper Restriction of Excessive Authentication Attempts"
    },
    {
      "cve": "CVE-2025-49184",
      "cwe": {
        "id": "CWE-200",
        "name": "Exposure of Sensitive Information to an Unauthorized Actor"
      },
      "notes": [
        {
          "audience": "all",
          "category": "summary",
          "text": "A remote unauthorized attacker may gather sensitive information of the application, due to missing authorization of configuration settings of the product.",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-0004",
          "CSAFPID-0007",
          "CSAFPID-0010",
          "CSAFPID-0013",
          "CSAFPID-0001"
        ]
      },
      "remediations": [
        {
          "category": "workaround",
          "details": "Please make sure that only trusted entities have access to the device. Furthermore, you should apply the following General Security Measures when operating the product to mitigate the associated security risk. The collected resources \u201dSICK Operating Guidelines\u201d and \u201dICS-CERT recommended practices on Industrial Security\u201d could help to implement the general security practices.",
          "product_ids": [
            "CSAFPID-0004",
            "CSAFPID-0007",
            "CSAFPID-0010",
            "CSAFPID-0013",
            "CSAFPID-0001"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "environmentalScore": 7.5,
            "environmentalSeverity": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "temporalScore": 7.5,
            "temporalSeverity": "HIGH",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-0004",
            "CSAFPID-0007",
            "CSAFPID-0010",
            "CSAFPID-0013",
            "CSAFPID-0001"
          ]
        }
      ],
      "title": "Information Disclosure to Unauthorized User"
    },
    {
      "cve": "CVE-2025-58589",
      "cwe": {
        "id": "CWE-200",
        "name": "Exposure of Sensitive Information to an Unauthorized Actor"
      },
      "notes": [
        {
          "audience": "all",
          "category": "summary",
          "text": "When an error occurs in the application a full stacktrace is provided to the user. The stacktrace lists class and method names as well as other internal information. An attacker thus receives information about the technology used and the structure of the application.",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-0004",
          "CSAFPID-0007",
          "CSAFPID-0010",
          "CSAFPID-0013"
        ]
      },
      "remediations": [
        {
          "category": "workaround",
          "details": "Please make sure that only trusted entities have access to the device. Furthermore, you should apply the following General Security Measures when operating the product to mitigate the associated security risk. The collected resources \u201dSICK Operating Guidelines\u201d and \u201dICS-CERT recommended practices on Industrial Security\u201d could help to implement the general security practices.",
          "product_ids": [
            "CSAFPID-0004",
            "CSAFPID-0007",
            "CSAFPID-0010",
            "CSAFPID-0013"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 2.7,
            "baseSeverity": "LOW",
            "confidentialityImpact": "LOW",
            "environmentalScore": 2.7,
            "environmentalSeverity": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "HIGH",
            "scope": "UNCHANGED",
            "temporalScore": 2.7,
            "temporalSeverity": "LOW",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-0004",
            "CSAFPID-0007",
            "CSAFPID-0010",
            "CSAFPID-0013"
          ]
        }
      ],
      "title": "Information Disclosure Through Stacktrace - /User/User"
    },
    {
      "cve": "CVE-2025-58590",
      "cwe": {
        "id": "CWE-22",
        "name": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)"
      },
      "notes": [
        {
          "audience": "all",
          "category": "summary",
          "text": "It\u0027s possible to brute force folders and files, what can be used by an attacker to steal sensitve information.",
          "title": "Summary"
        }
      ],
      "product_status": {
        "fixed": [
          "CSAFPID-0003",
          "CSAFPID-0006",
          "CSAFPID-0009",
          "CSAFPID-0012"
        ],
        "known_affected": [
          "CSAFPID-0002",
          "CSAFPID-0005",
          "CSAFPID-0008",
          "CSAFPID-0011"
        ],
        "recommended": [
          "CSAFPID-0003",
          "CSAFPID-0006",
          "CSAFPID-0009",
          "CSAFPID-0012"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "It is stronlgy recommended to update to the latest version (\u003e= 4.6.2).",
          "product_ids": [
            "CSAFPID-0002",
            "CSAFPID-0005",
            "CSAFPID-0008",
            "CSAFPID-0011"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "environmentalScore": 6.5,
            "environmentalSeverity": "MEDIUM",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "temporalScore": 6.5,
            "temporalSeverity": "MEDIUM",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-0002",
            "CSAFPID-0005",
            "CSAFPID-0008",
            "CSAFPID-0011"
          ]
        }
      ],
      "title": "Path traversal \u2013 get list of files and folders"
    },
    {
      "cve": "CVE-2025-58591",
      "cwe": {
        "id": "CWE-22",
        "name": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)"
      },
      "notes": [
        {
          "audience": "all",
          "category": "summary",
          "text": "A remote, unauthorized attacker can brute force folders and files and read them like private keys or configurations, making the application vulnerable for gathering sensitive information.",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-0004",
          "CSAFPID-0007",
          "CSAFPID-0010",
          "CSAFPID-0013"
        ]
      },
      "remediations": [
        {
          "category": "workaround",
          "details": "Please make sure that only trusted entities have access to the device. Furthermore, you should apply the following General Security Measures when operating the product to mitigate the associated security risk. The collected resources \u201dSICK Operating Guidelines\u201d and \u201dICS-CERT recommended practices on Industrial Security\u201d could help to implement the general security practices.",
          "product_ids": [
            "CSAFPID-0004",
            "CSAFPID-0007",
            "CSAFPID-0010",
            "CSAFPID-0013"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "environmentalScore": 6.5,
            "environmentalSeverity": "MEDIUM",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "temporalScore": 6.5,
            "temporalSeverity": "MEDIUM",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-0004",
            "CSAFPID-0007",
            "CSAFPID-0010",
            "CSAFPID-0013"
          ]
        }
      ],
      "title": "Path Traversal \u2013 Read File Content"
    },
    {
      "cve": "CVE-2025-58584",
      "cwe": {
        "id": "CWE-598",
        "name": "Use of GET Request Method With Sensitive Query Strings"
      },
      "notes": [
        {
          "audience": "all",
          "category": "summary",
          "text": "In the HTTP request, the username and password are transferred directly in the URL as parameters. However, URLs can be stored in various systems such as server logs, browser histories or proxy servers. As a result, there is a high risk that this sensitive data will be disclosed unintentionally.",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-0004",
          "CSAFPID-0007",
          "CSAFPID-0010",
          "CSAFPID-0013",
          "CSAFPID-0001"
        ]
      },
      "remediations": [
        {
          "category": "workaround",
          "details": "Please make sure that only trusted entities have access to the device. Furthermore, you should apply the following General Security Measures when operating the product to mitigate the associated security risk. The collected resources \u201dSICK Operating Guidelines\u201d and \u201dICS-CERT recommended practices on Industrial Security\u201d could help to implement the general security practices.",
          "product_ids": [
            "CSAFPID-0004",
            "CSAFPID-0007",
            "CSAFPID-0010",
            "CSAFPID-0013",
            "CSAFPID-0001"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "environmentalScore": 5.3,
            "environmentalSeverity": "MEDIUM",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "temporalScore": 5.3,
            "temporalSeverity": "MEDIUM",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-0004",
            "CSAFPID-0007",
            "CSAFPID-0010",
            "CSAFPID-0013",
            "CSAFPID-0001"
          ]
        }
      ],
      "title": "Plain Text Transmission of Username and Password in the URL"
    },
    {
      "cve": "CVE-2025-58585",
      "cwe": {
        "id": "CWE-497",
        "name": "Exposure of Sensitive System Information to an Unauthorized Control Sphere"
      },
      "notes": [
        {
          "audience": "all",
          "category": "summary",
          "text": "Multiple endpoints with sensitive information do not require authentication, making the application susceptible to information gathering.",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-0004",
          "CSAFPID-0007",
          "CSAFPID-0010",
          "CSAFPID-0013"
        ]
      },
      "remediations": [
        {
          "category": "workaround",
          "details": "Please make sure that only trusted entities have access to the device. Furthermore, you should apply the following General Security Measures when operating the product to mitigate the associated security risk. The collected resources \u201dSICK Operating Guidelines\u201d and \u201dICS-CERT recommended practices on Industrial Security\u201d could help to implement the general security practices.",
          "product_ids": [
            "CSAFPID-0004",
            "CSAFPID-0007",
            "CSAFPID-0010",
            "CSAFPID-0013"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "environmentalScore": 5.3,
            "environmentalSeverity": "MEDIUM",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "temporalScore": 5.3,
            "temporalSeverity": "MEDIUM",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-0004",
            "CSAFPID-0007",
            "CSAFPID-0010",
            "CSAFPID-0013"
          ]
        }
      ],
      "title": "Sensitive Information Disclosure Through Missing Authentication"
    },
    {
      "cve": "CVE-2025-58586",
      "cwe": {
        "id": "CWE-204",
        "name": "Observable Response Discrepancy"
      },
      "notes": [
        {
          "audience": "all",
          "category": "summary",
          "text": "For failed login attempts, the application returns different error messages depending on whether the login failed due to an incorrect password or a non-existing username. This allows an attacker to guess usernames until they find an existing one.",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-0004",
          "CSAFPID-0007",
          "CSAFPID-0010",
          "CSAFPID-0013",
          "CSAFPID-0001"
        ]
      },
      "remediations": [
        {
          "category": "workaround",
          "details": "Please make sure that only trusted entities have access to the device. Furthermore, you should apply the following General Security Measures when operating the product to mitigate the associated security risk. The collected resources \u201dSICK Operating Guidelines\u201d and \u201dICS-CERT recommended practices on Industrial Security\u201d could help to implement the general security practices.",
          "product_ids": [
            "CSAFPID-0004",
            "CSAFPID-0007",
            "CSAFPID-0010",
            "CSAFPID-0013",
            "CSAFPID-0001"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "environmentalScore": 5.3,
            "environmentalSeverity": "MEDIUM",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "temporalScore": 5.3,
            "temporalSeverity": "MEDIUM",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-0004",
            "CSAFPID-0007",
            "CSAFPID-0010",
            "CSAFPID-0013",
            "CSAFPID-0001"
          ]
        }
      ],
      "title": "User Enumeration"
    },
    {
      "cve": "CVE-2025-58579",
      "cwe": {
        "id": "CWE-497",
        "name": "Exposure of Sensitive System Information to an Unauthorized Control Sphere"
      },
      "notes": [
        {
          "audience": "all",
          "category": "summary",
          "text": "Due to a lack of authentication, it is possible for an unauthenticated user to request data from this endpoint, making the application vulnerable for user enumeration.",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-0004",
          "CSAFPID-0007",
          "CSAFPID-0010",
          "CSAFPID-0013",
          "CSAFPID-0001"
        ]
      },
      "remediations": [
        {
          "category": "workaround",
          "details": "Please make sure that only trusted entities have access to the device. Furthermore, you should apply the following General Security Measures when operating the product to mitigate the associated security risk. The collected resources \u201dSICK Operating Guidelines\u201d and \u201dICS-CERT recommended practices on Industrial Security\u201d could help to implement the general security practices.",
          "product_ids": [
            "CSAFPID-0004",
            "CSAFPID-0007",
            "CSAFPID-0010",
            "CSAFPID-0013",
            "CSAFPID-0001"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "environmentalScore": 5.3,
            "environmentalSeverity": "MEDIUM",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "temporalScore": 5.3,
            "temporalSeverity": "MEDIUM",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-0004",
            "CSAFPID-0007",
            "CSAFPID-0010",
            "CSAFPID-0013",
            "CSAFPID-0001"
          ]
        }
      ],
      "title": "Username Disclosure Through Missing Authentication"
    },
    {
      "cve": "CVE-2025-58583",
      "cwe": {
        "id": "CWE-497",
        "name": "Exposure of Sensitive System Information to an Unauthorized Control Sphere"
      },
      "notes": [
        {
          "audience": "all",
          "category": "summary",
          "text": "The  application  provides  access  to  a  login  protected  H2  database for  caching  purposes. The username is prefilled.",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-0001"
        ]
      },
      "remediations": [
        {
          "category": "workaround",
          "details": "Please make sure that only trusted entities have access to the device. Furthermore, you should apply the following General Security Measures when operating the product to mitigate the associated security risk. The collected resources \u201dSICK Operating Guidelines\u201d and \u201dICS-CERT recommended practices on Industrial Security\u201d could help to implement the general security practices.",
          "product_ids": [
            "CSAFPID-0001"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "environmentalScore": 5.3,
            "environmentalSeverity": "MEDIUM",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "temporalScore": 5.3,
            "temporalSeverity": "MEDIUM",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-0001"
          ]
        }
      ],
      "title": "H2 \u2013User Enumeration"
    },
    {
      "cve": "CVE-2025-58581",
      "cwe": {
        "id": "CWE-200",
        "name": "Exposure of Sensitive Information to an Unauthorized Actor"
      },
      "notes": [
        {
          "audience": "all",
          "category": "summary",
          "text": "When an error occurs in the application a full stacktrace is  provided to the user. The stacktrace lists class and method names as well as other internal information. An attacker can thus obtain information about the technology used and the structure of the application.",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-0001"
        ]
      },
      "remediations": [
        {
          "category": "workaround",
          "details": "Please make sure that only trusted entities have access to the device. Furthermore, you should apply the following General Security Measures when operating the product to mitigate the associated security risk. The collected resources \u201dSICK Operating Guidelines\u201d and \u201dICS-CERT recommended practices on Industrial Security\u201d could help to implement the general security practices.",
          "product_ids": [
            "CSAFPID-0001"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "environmentalScore": 4.3,
            "environmentalSeverity": "MEDIUM",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "temporalScore": 4.3,
            "temporalSeverity": "MEDIUM",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-0001"
          ]
        }
      ],
      "title": "Information Disclosure Through Stacktrace-/MQTT/Config/changeAll"
    },
    {
      "cve": "CVE-2025-58580",
      "cwe": {
        "id": "CWE-117",
        "name": "Improper Output Neutralization for Logs"
      },
      "notes": [
        {
          "audience": "all",
          "category": "summary",
          "text": "An API  endpoint  allows  arbitrary  log  entries  to  be  created  via  POST request.  Without sufficient  validation  of the  input data, an attacker  can create manipulated log entries and thus falsify or dilute logs, for example.",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-0001"
        ]
      },
      "remediations": [
        {
          "category": "workaround",
          "details": "Please make sure that only trusted entities have access to the device. Furthermore, you should apply the following General Security Measures when operating the product to mitigate the associated security risk. The collected resources \u201dSICK Operating Guidelines\u201d and \u201dICS-CERT recommended practices on Industrial Security\u201d could help to implement the general security practices.",
          "product_ids": [
            "CSAFPID-0001"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "environmentalScore": 6.5,
            "environmentalSeverity": "MEDIUM",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "temporalScore": 6.5,
            "temporalSeverity": "MEDIUM",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-0001"
          ]
        }
      ],
      "title": "Injection via log file"
    },
    {
      "cve": "CVE-2025-58582",
      "cwe": {
        "id": "CWE-770",
        "name": "Allocation of Resources Without Limits or Throttling"
      },
      "notes": [
        {
          "audience": "all",
          "category": "summary",
          "text": "If a user tries to login but the provided credentials are incorrect a log is created. The data for this POST requests is not validated and it\u2019s possible to send giant payloads which are then logged.",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-0001"
        ]
      },
      "remediations": [
        {
          "category": "workaround",
          "details": "Please make sure that only trusted entities have access to the device. Furthermore, you should apply the following General Security Measures when operating the product to mitigate the associated security risk. The collected resources \u201dSICK Operating Guidelines\u201d and \u201dICS-CERT recommended practices on Industrial Security\u201d could help to implement the general security practices.",
          "product_ids": [
            "CSAFPID-0001"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "environmentalScore": 5.3,
            "environmentalSeverity": "MEDIUM",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "temporalScore": 5.3,
            "temporalSeverity": "MEDIUM",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-0001"
          ]
        }
      ],
      "title": "Uncontrolled Resource Consumption via log file"
    },
    {
      "cve": "CVE-2025-58578",
      "cwe": {
        "id": "CWE-770",
        "name": "Allocation of Resources Without Limits or Throttling"
      },
      "notes": [
        {
          "audience": "all",
          "category": "summary",
          "text": "A user with the appropriate authorization can create any number of user accounts via an API  endpoint  using  a  POST  request.  There  are  no  quotas,  checking  mechanisms  or restrictions to limit the creation.",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-0001"
        ]
      },
      "remediations": [
        {
          "category": "workaround",
          "details": "Please make sure that only trusted entities have access to the device. Furthermore, you should apply the following General Security Measures when operating the product to mitigate the associated security risk. The collected resources \u201dSICK Operating Guidelines\u201d and \u201dICS-CERT recommended practices on Industrial Security\u201d could help to implement the general security practices.",
          "product_ids": [
            "CSAFPID-0001"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 3.8,
            "baseSeverity": "LOW",
            "confidentialityImpact": "NONE",
            "environmentalScore": 3.8,
            "environmentalSeverity": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "HIGH",
            "scope": "UNCHANGED",
            "temporalScore": 3.8,
            "temporalSeverity": "LOW",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:L",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-0001"
          ]
        }
      ],
      "title": "Unlimited user creation by authorized users"
    },
    {
      "cve": "CVE-2025-49186",
      "cwe": {
        "id": "CWE-307",
        "name": "Improper Restriction of Excessive Authentication Attempts"
      },
      "notes": [
        {
          "audience": "all",
          "category": "summary",
          "text": "The product does not implement sufficient measures to prevent multiple failed authentication attempts within a short time frame, making it susceptible to brute-force attacks.",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-0004",
          "CSAFPID-0007",
          "CSAFPID-0010",
          "CSAFPID-0013"
        ]
      },
      "remediations": [
        {
          "category": "workaround",
          "details": "Please make sure that only trusted entities have access to the device. Furthermore, you should apply the following General Security Measures when operating the product to mitigate the associated security risk. The collected resources \u201dSICK Operating Guidelines\u201d and \u201dICS-CERT recommended practices on Industrial Security\u201d could help to implement the general security practices.",
          "product_ids": [
            "CSAFPID-0004",
            "CSAFPID-0007",
            "CSAFPID-0010",
            "CSAFPID-0013"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "environmentalScore": 5.3,
            "environmentalSeverity": "MEDIUM",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "temporalScore": 5.3,
            "temporalSeverity": "MEDIUM",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-0004",
            "CSAFPID-0007",
            "CSAFPID-0010",
            "CSAFPID-0013"
          ]
        }
      ],
      "title": "No Brute-Force Protection"
    },
    {
      "cve": "CVE-2025-49193",
      "cwe": {
        "id": "CWE-693",
        "name": "Protection Mechanism Failure"
      },
      "notes": [
        {
          "audience": "all",
          "category": "summary",
          "text": "The application fails to implement several security headers. These headers help increase the overall security level of the web application by e.g., preventing the application to be displayed in an iFrame (Clickjacking attacks) or not executing injected malicious JavaScript code (XSS attacks).",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-0004",
          "CSAFPID-0007",
          "CSAFPID-0010",
          "CSAFPID-0013"
        ]
      },
      "remediations": [
        {
          "category": "workaround",
          "details": "Please make sure that only trusted entities have access to the device. Furthermore, you should apply the following General Security Measures when operating the product to mitigate the associated security risk. The collected resources \u201dSICK Operating Guidelines\u201d and \u201dICS-CERT recommended practices on Industrial Security\u201d could help to implement the general security practices.",
          "product_ids": [
            "CSAFPID-0004",
            "CSAFPID-0007",
            "CSAFPID-0010",
            "CSAFPID-0013"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 4.2,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "environmentalScore": 4.2,
            "environmentalSeverity": "MEDIUM",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "temporalScore": 4.2,
            "temporalSeverity": "MEDIUM",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-0004",
            "CSAFPID-0007",
            "CSAFPID-0010",
            "CSAFPID-0013"
          ]
        }
      ],
      "title": "Missing HTTP Security Headers"
    }
  ]
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted

CVE-2025-58590 (GCVE-0-2025-58590)

Vulnerability from cvelistv5

ghsa-mq7g-4ph7-xx79

Vulnerability from github

fkie_cve-2025-58590

Vulnerability from fkie_nvd

sca-2025-0010

Vulnerability from csaf_sick

Tags

Sightings

Nomenclature