CVE-2025-49199

HIGH

Sick Field Analytics - Data Authenticity Bypass

Title source: rule

Description

The backup ZIPs are not signed by the application, leading to the possibility that an attacker can download a backup ZIP, modify and re-upload it. This allows the attacker to disrupt the application by configuring the services in a way that they are unable to run, making the application unusable. They can redirect traffic that is meant to be internal to their own hosted services and gathering information.

References (6)

[Vendor Advisory] https://sick.com/psirt

[Broken Link] https://cdn.sick.com/media/docs/1/11/411/Special_information_CYBERSECURITY_BY_SICK_en_IM0084411.PDF

[US Government Resource] https://www.cisa.gov/resources-tools/resources/ics-recommended-practices

[Not Applicable] https://www.first.org/cvss/calculator/3.1

[Vendor Advisory] https://www.sick.com/.well-known/csaf/white/2025/sca-2025-0007.pdf

[Vendor Advisory] https://www.sick.com/.well-known/csaf/white/2025/sca-2025-0007.json

Scores

CVSS v3 8.8

EPSS 0.0016

EPSS Percentile 35.9%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-345

Status published

Products (1)

sick/field_analytics

Published Jun 12, 2025

Tracked Since Feb 18, 2026