Attackers can read default passwords stored in plain text within SICK products' code
CVE-2024-10025

9.1CRITICAL

Key Information:

Vendor: Sick Ag
Status: Sick Clv6xx; Sick Lector6xx; Sick Rfx6xx
Vendor: CVE Published:; 17 October 2024

What is CVE-2024-10025?

A critical vulnerability exists in SICK products due to insecure handling of .sdd files, which contain default passwords stored in plain text. If these credentials are not changed by users, an attacker can easily gain unauthorized access to the affected systems as an 'Authorized Client'. This issue emphasizes the importance of changing default passwords to enhance cybersecurity posture and protect sensitive industrial operations.

Affected Version(s)

SICK CLV6xx all versions

SICK Lector6xx all versions

SICK RFx6xx all versions

References

https://sick.com/psirt

x_SICK PSIRT Webseite

https://www.cisa.gov/resources-tools/resources/ics-recomm...

x_ICS-CERT recommended practices on Industrial Security

https://cdn.sick.com/media/docs/1/11/411/Special_informat...

x_SICK Operating Guidelines

CVSS V3.1

Score:

9.1

Severity:

CRITICAL

Confidentiality:

None

Integrity:

High

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Oct 17, 2024
Vulnerability Reserved
Oct 16, 2024

Sick Ag

What is CVE-2024-10025?

Affected Version(s)

References

CVSS V3.1

Timeline