CVE-2025-0592

High

Published: 14 February 2025

Published

14 February 2025

Modified

15 April 2026

KEV Added

—

Patch

—

CVSS Score 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0010 26.4th percentile

Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Description

The vulnerability may allow a remote low priviledged attacker to run arbitrary shell commands by manipulating the firmware file and uploading it to the device.

Security Summary

CVE-2025-0592 is a vulnerability affecting SICK devices, where an attacker can manipulate a firmware file and upload it to the device, potentially allowing execution of arbitrary shell commands. Published on 2025-02-14, it carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and maps to CWE-924.

A remote attacker with low privileges can exploit this vulnerability over the network with low complexity and no user interaction required. Successful exploitation enables arbitrary shell command execution on the device, resulting in high impacts to confidentiality, integrity, and availability.

SICK has issued advisories via its PSIRT page, a special cybersecurity information document, and a CSAF provider in JSON format detailing the issue. Additional resources include CISA's ICS recommended practices and the FIRST CVSS calculator for score verification. Practitioners should consult these for mitigation guidance and patching instructions.

Details

CWE(s): CWE-924

References

https://cdn.sick.com/media/docs/1/11/411/Special_information_CYBERSECURITY_BY_SICK_en_IM0084411.PDF
psirt@sick.de
https://sick.com/psirt
psirt@sick.de
https://www.cisa.gov/resources-tools/resources/ics-recommended-practices
psirt@sick.de
https://www.first.org/cvss/calculator/3.1
psirt@sick.de
https://www.sick.com/.well-known/csaf/white/2025/sca-2025-0002.json
psirt@sick.de
https://www.sick.com/.well-known/csaf/white/2025/sca-2025-0002.pdf
psirt@sick.de