Cookie Configuration Weakness in SICK Industrial Products
CVE-2025-27453

5.3 MEDIUM

What is CVE-2025-27453?

The vulnerability arises from the improper configuration of the HttpOnly flag on the PHPSESSION cookie, which allows client-side scripts such as JavaScript to access the cookie. This flaw could lead to session hijacking and unauthorized data exposure. Organizations using affected SICK industrial products should take immediate action to review cookie settings and implement security best practices to protect sensitive session data.
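One way to check for the condition described above, as an added example that is not part of the original advisory or any vendor tooling: it parses Set-Cookie response headers and reports whether the PHPSESSION cookie is readable by scripts. The function names and the sample header values are assumptions constructed for illustration; the Secure and SameSite checks go beyond the HttpOnly issue the advisory names.

```python
# Added example: audit Set-Cookie headers for a session cookie lacking HttpOnly.
# All header values below are constructed samples, not captured from a device.

SESSION_COOKIE = "PHPSESSION"  # cookie name taken from the advisory text


def parse_set_cookie(header_value):
    """Split one Set-Cookie value into (name, value, attributes dict)."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        # Attribute names are case-insensitive, so normalise them.
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def audit_session_cookie(set_cookie_headers, cookie_name=SESSION_COOKIE):
    """Return one finding per Set-Cookie line that sets cookie_name."""
    findings = []
    for raw in set_cookie_headers:
        name, _, attrs = parse_set_cookie(raw)
        if name != cookie_name:
            continue
        missing = [f for f in ("httponly", "secure", "samesite") if f not in attrs]
        findings.append({
            "cookie": name,
            "missing": missing,
            # Without HttpOnly, document.cookie exposes the session value.
            "script_readable": "httponly" not in attrs,
        })
    return findings


# Constructed samples: WEAK mirrors the weakness described above,
# FIXED is the corrected form of the same header.
WEAK = ["PHPSESSION=abc123; path=/", "lang=en; Path=/"]
FIXED = ["PHPSESSION=abc123; Path=/; Secure; HttpOnly; SameSite=Strict"]

if __name__ == "__main__":
    for label, headers in (("weak", WEAK), ("fixed", FIXED)):
        for finding in audit_session_cookie(headers):
            print(label, finding)
```

Pass it one string per Set-Cookie header line from a login response; cookies other than the session cookie are ignored.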

Affected Version(s)

Endress+Hauser MEAC300-FNADE4 0

Endress+Hauser MEAC300-FNADE4 >=0.17.0

CVSS V3.1

Score: 5.3
Severity: MEDIUM
Confidentiality: High
Integrity: None
Availability: High
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: Required
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
