CVE-2025-27593

March 14, 2025, 1:15 p.m.

9.3
Critical

Description

The product can be used to distribute malicious code using SDD Device Drivers due to missing download verification checks, leading to code execution on target systems.

Product(s) Impacted

Vendor Product Versions
Sick
  • Sdd Device Drivers
  • *

Weaknesses

CWE-494
Download of Code Without Integrity Check
The product downloads source code or an executable from a remote location and executes the code without sufficiently verifying the origin and integrity of the code.

*CPE(s)

Type Vendor Product Version Update Edition Language Software Edition Target Software Target Hardware Other Information
a sick sdd_device_drivers / / / / / / / /

References

https://cdn.sick.com/media/docs/1/11/411/Special_information_CYBERSECURITY_BY_SICK_en_IM0084411.PDF
https://github.security.telekom.com/2025/03/multiple-vulnerabilities-in-sick-dl100.html
https://sick.com/psirt
https://www.cisa.gov/resources-tools/resources/ics-recommended-practices
https://www.first.org/cvss/calculator/3.1
https://www.sick.com/.well-known/csaf/white/2025/sca-2025-0004.json
https://www.sick.com/.well-known/csaf/white/2025/sca-2025-0004.pdf

Tags

CWE-494
psirt@sick.de
2025-03-14
CVE-2025-27593

CVSS Score

9.3 / 10

CVSS Data

  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Privileges Required: NONE
  • Scope: CHANGED
  • Confidentiality Impact: HIGH
  • Integrity Impact: HIGH
  • Availability Impact: NONE
    • View Vector String

    CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N

Date

  • Published: March 14, 2025, 1:15 p.m.
  • Last Modified: March 14, 2025, 1:15 p.m.

Status : Received

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

psirt@sick.de

*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.