CVE-2025-27594
HIGHSICK DL100-2xxxxxxx - Cleartext Transmission of Sensitive Information via Unencrypted Proprietary Protocol
Title source: llmDescription
The device uses an unencrypted, proprietary protocol for communication. Through this protocol, configuration data is transmitted and device authentication is performed. An attacker can thereby intercept the authentication hash and use it to log into the device using a pass-the-hash attack.
References (7)
Core 7
Core References
Various Sources x_sick psirt website
https://sick.com/psirt
Various Sources x_sick operating guidelines
https://cdn.sick.com/media/docs/1/11/411/Special_information_CYBERSECURITY_BY_SICK_en_IM0084411.PDF
Third Party Advisory, US Government Resource x_ics-cert recommended practices on industrial security
https://www.cisa.gov/resources-tools/resources/ics-recommended-practices
Various Sources x_cvss v3.1 calculator
https://www.first.org/cvss/calculator/3.1
Various Sources vendor-advisory
https://www.sick.com/.well-known/csaf/white/2025/sca-2025-0004.pdf
Various Sources vendor-advisory
x_csaf
https://www.sick.com/.well-known/csaf/white/2025/sca-2025-0004.json
Various Sources third-party-advisory
https://github.security.telekom.com/2025/03/multiple-vulnerabilities-in-sick-dl100.html
Scores
CVSS v3
7.5
EPSS
0.0043
EPSS Percentile
34.4%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
yes
Technical Impact
partial
Details
CWE
CWE-319
Status
published
Products (1)
SICK AG/SICK DL100-2xxxxxxx
all versions
Published
Mar 14, 2025
Tracked Since
Feb 18, 2026