CVE-2025-27594

HIGH

Device <unknown> - Auth Bypass

Title source: llm

Description

The device uses an unencrypted, proprietary protocol for communication. Through this protocol, configuration data is transmitted and device authentication is performed. An attacker can thereby intercept the authentication hash and use it to log into the device using a pass-the-hash attack.

References (7)

[Various Sources] https://sick.com/psirt

[Various Sources] https://cdn.sick.com/media/docs/1/11/411/Special_information_CYBERSECURITY_BY_SICK_en_IM0084411.PDF

[Third Party Advisory, US Government Resource] https://www.cisa.gov/resources-tools/resources/ics-recommended-practices

[Various Sources] https://www.first.org/cvss/calculator/3.1

[Various Sources] https://www.sick.com/.well-known/csaf/white/2025/sca-2025-0004.pdf

[Various Sources] https://www.sick.com/.well-known/csaf/white/2025/sca-2025-0004.json

[Various Sources] https://github.security.telekom.com/2025/03/multiple-vulnerabilities-in-sick-dl100.html

Scores

CVSS v3 7.5

EPSS 0.0009

EPSS Percentile 26.1%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact partial

Details

CWE

CWE-319

Status published

Products (1)

SICK AG/SICK DL100-2xxxxxxx all versions

Published Mar 14, 2025

Tracked Since Feb 18, 2026