CVE-2025-0867
Published: 14 February 2025
Description
The standard user uses the run as function to start the MEAC applications with administrative privileges. To ensure that the system can startup on its own, the credentials of the administrator were stored. Consequently, the EPC2 user can execute any command with administrative privileges. This allows a privilege escalation to the administrative level.
Security Summary
CVE-2025-0867 is a critical privilege escalation vulnerability (CVSS 9.9, CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H) stemming from improperly stored administrator credentials in SICK's MEAC applications running on EPC2 systems. The issue, tied to CWE-522 (Insufficiently Protected Credentials), arises because the applications use a "run as" function to launch with administrative privileges, and the admin credentials are stored to enable automatic startup. This was publicly disclosed on 2025-02-14.
A low-privileged EPC2 user, which operates as a standard user, can exploit the stored credentials to execute arbitrary commands with full administrative privileges, resulting in complete compromise of confidentiality, integrity, and availability. The attack requires low privileges (PR:L) but can be performed over the network (AV:N) without user interaction (UI:N), with a scope change (S:C) enabling high-impact escalation across the affected system.
SICK has issued advisories via its PSIRT page, a dedicated cybersecurity PDF document, and a CSAF provider document (sca-2025-0001.json), which outline the vulnerability details and recommended mitigations for affected MEAC applications on EPC2 systems. Additional context is available from CISA's ICS recommended practices and the FIRST CVSS calculator.
Details
- CWE(s)