CVE-2025-27593
Published: 14 March 2025
Description
An adversary may rely upon a user opening a malicious file in order to gain execution.
Security Summary
CVE-2025-27593 is a high-severity vulnerability (CVSS 9.3, vector AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N) published on 2025-03-14, associated with CWE-494 (Download of Code Without Integrity Check). It affects SICK products, particularly the DL100 series, where SDD Device Drivers lack verification checks for downloads. This flaw allows the product to distribute malicious code, resulting in arbitrary code execution on target systems.
A remote attacker needs no privileges or authentication and can exploit the issue over the network with low attack complexity, though user interaction is necessary, such as inducing a user to download or install a malicious driver. Successful exploitation has a high impact on confidentiality and integrity with a changed scope, enabling code execution on the victim's system; availability is not affected.
Advisories and mitigation guidance are detailed in SICK's special cybersecurity information document, their PSIRT page at sick.com/psirt, and a Telekom Security report on multiple vulnerabilities in SICK DL100. Additional context includes CISA's ICS recommended practices and the FIRST CVSS 3.1 calculator.
Details
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability in SDD Device Drivers enables client-side exploitation for arbitrary code execution via unverified downloads (T1203) and facilitates user execution of a malicious driver file after social engineering to induce download/install (T1204.002).