CVE-2025-27460

HIGH

Endress MEAC300-FNADE4 Firmware - Missing Full Volume Encryption

Title source: llm

Description

The hard drives of the device are not encrypted using a full volume encryption feature such as BitLocker. This allows an attacker with physical access to the device to use an alternative operating system to interact with the hard drives, completely circumventing the Windows login. The attacker can read from and write to all files on the hard drives.

References (6)

[Product] https://www.endress.com

[Vendor Advisory] https://sick.com/psirt

[US Government Resource] https://www.cisa.gov/resources-tools/resources/ics-recommended-practices

[Not Applicable] https://www.first.org/cvss/calculator/3.1

[Vendor Advisory] https://www.sick.com/.well-known/csaf/white/2025/sca-2025-0008.json

[Vendor Advisory] https://www.sick.com/.well-known/csaf/white/2025/sca-2025-0008.pdf

Scores

CVSS v3 7.6

EPSS 0.0010

EPSS Percentile 27.6%

Attack Vector PHYSICAL

CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

CWE

CWE-326 CWE-312

Status published

Products (1)

endress/meac300-fnade4_firmware

Published Jul 03, 2025

Tracked Since Feb 18, 2026