Attackers can read default passwords stored in plain text within SICK products' code
CVE-2024-10025

9.1 CRITICAL

Key Information:

Vendor: SICK AG
CVE Published: 17 October 2024

Summary

A critical vulnerability exists in SICK products due to insecure handling of .sdd files, which contain default passwords stored in plain text. If users do not change these default credentials, an attacker who reads them from the .sdd file can gain unauthorized access to the affected systems as an 'Authorized Client'. This issue underlines the importance of changing default passwords to strengthen the security posture of the device and protect the industrial operations that depend on it.

Affected Version(s)

SICK CLV6xx all versions

SICK Lector6xx all versions

SICK RFx6xx all versions

References

CVSS V3.1

Score: 9.1
Severity: CRITICAL
Confidentiality: None
Integrity: High
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability reserved