CVE-2025-27595
Published: 14 March 2025
Description
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Security Summary
CVE-2025-27595 is a critical vulnerability (CVSS 9.8) in the SICK DL100 device, stemming from the use of a weak hashing algorithm (CWE-328) to generate password hashes. This flaw allows attackers to easily compute a matching password, undermining the device's overall security and integrity. The vulnerability was published on 2025-03-14.
An unauthenticated attacker with network access can exploit this vulnerability with low complexity and no user interaction required (AV:N/AC:L/PR:N/UI:N/S:U). Successful exploitation grants high-impact access, enabling confidentiality, integrity, and availability compromises (C:H/I:H/A:H), such as unauthorized device control.
Mitigation details are provided in advisories from SICK, including a cybersecurity special information document at https://cdn.sick.com/media/docs/1/11/411/Special_information_CYBERSECURITY_BY_SICK_en_IM0084411.PDF and their PSIRT page at https://sick.com/psirt. Additional analysis appears in a Telekom security advisory at https://github.security.telekom.com/2025/03/multiple-vulnerabilities-in-sick-dl100.html.
Details
- CWE(s): CWE-328
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Weak password hashing (CWE-328) directly enables offline password cracking (T1110.002) to recover credentials; the network-accessible unauthenticated nature of the device allows remote exploitation for initial access (T1190).