CVE-2025-27594
Published: 14 March 2025
Description
Adversaries may “pass the hash” using stolen password hashes to move laterally within an environment, bypassing normal system access controls.
Security Summary
CVE-2025-27594 is a vulnerability in SICK DL100 devices, stemming from the use of an unencrypted proprietary protocol for communication. This protocol transmits configuration data and handles device authentication, so an attacker who can observe the traffic can intercept the authentication hash. Assigned CWE-319 (Cleartext Transmission of Sensitive Information), it carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), indicating high confidentiality impact with a network attack vector and low attack complexity.
Remote attackers on the network can exploit this vulnerability without privileges or user interaction by passively intercepting traffic to capture the authentication hash. With the hash, they can perform a pass-the-hash attack to log into the affected device, potentially accessing sensitive configuration data and other confidential information.
Advisories from SICK, including special cybersecurity information (IM0084411) and their PSIRT page, address this issue alongside multiple vulnerabilities in DL100 devices as reported by Telekom Security. CISA provides general ICS recommended practices for mitigation in such scenarios.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The unencrypted protocol allows passive network sniffing to capture the authentication hash (T1040); the captured hash then directly enables pass-the-hash authentication to the device (T1550.002).