CVE-2025-58587
Published: 06 October 2025
Description
Adversaries with no prior knowledge of legitimate credentials within the system or environment may guess passwords to attempt access to accounts.
Security Summary
CVE-2025-58587 is a vulnerability in SICK applications that do not adequately limit repeated failed authentication attempts within a short timeframe, allowing attackers to brute-force user credentials. Published on 2025-10-06, it is classified as CWE-307 (Improper Restriction of Excessive Authentication Attempts) and carries a CVSS v3.1 base score of 6.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L): medium severity, because the weakness is reachable over the network, requires no special attack complexity, and needs neither existing privileges (PR:N) nor user interaction (UI:N).
An unauthenticated remote attacker exploits the weakness by submitting authentication requests as fast as the network allows, either many passwords against one account or one password across many accounts, since nothing counts failures per account or per source address. Each request has the same chance of success as the first, so the time to find a valid credential depends only on request rate and password strength. A successful guess grants the access of the compromised account, scored here as low impact on integrity (I:L) and availability (A:L) and no impact on confidentiality (C:N), covering unauthorized modifications or disruptions within that account's privileges.
Mitigation guidance is published in SICK's advisories: the PSIRT page at https://sick.com/psirt and the CSAF advisory sca-2025-0010, available as JSON at https://www.sick.com/.well-known/csaf/white/2025/sca-2025-0010.json and as PDF at https://www.sick.com/.well-known/csaf/white/2025/sca-2025-0010.pdf. Additional context is available from CISA's ICS recommended practices at https://www.cisa.gov/resources-tools/resources/ics-recommended-practices and the FIRST CVSS v3.1 calculator at https://www.first.org/cvss/calculator/3.1.
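To make the CWE-307 pattern concrete, the following added example (written for this page, not SICK's code and not taken from the advisory) places a login handler that evaluates every request beside one that counts failures per account and per source address and refuses requests once a lockout is in force. The account name, password hash, wordlist, account list and IP addresses are all constructed for the demonstration; the thresholds (5 failures in 300 s, 900 s lockout) are illustrative assumptions, not values from the advisory.

```python
"""Added example (not SICK code): a login handler with the CWE-307 weakness
next to one that bounds failed attempts per account and per source address.
All accounts, passwords, wordlist entries and addresses are constructed."""
import hashlib
import hmac
import os

# Constructed demo credential store: one account, PBKDF2-hashed password.
_SALT = os.urandom(16)
_ITERATIONS = 10_000  # kept low so the demo runs quickly
_USERS = {"operator": hashlib.pbkdf2_hmac("sha256", b"Sick1234", _SALT, _ITERATIONS)}


def verify_password(username: str, password: str) -> bool:
    """Constant-time comparison against the stored hash."""
    stored = _USERS.get(username)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, _ITERATIONS)
    # The hash is computed even for unknown users so timing does not leak usernames.
    return stored is not None and hmac.compare_digest(candidate, stored)


class UnthrottledLogin:
    """CWE-307 pattern: every request reaches the password check, however many
    failures preceded it, so the only limit on guessing is network speed."""

    def __init__(self):
        self.evaluations = 0  # how many password checks the attacker obtained

    def attempt(self, username, password, source_ip, now):
        self.evaluations += 1
        return "ok" if verify_password(username, password) else "bad_credentials"


class ThrottledLogin:
    """Hardened handler: MAX_FAILURES failures inside WINDOW seconds lock the
    account and the source address for LOCKOUT seconds, and a locked principal
    is refused before the password is evaluated at all."""
    MAX_FAILURES = 5
    WINDOW = 300.0
    LOCKOUT = 900.0

    def __init__(self):
        self.evaluations = 0
        self._failures = {}      # key -> timestamps of recent failures
        self._locked_until = {}  # key -> time at which the lock expires

    def _is_locked(self, key, now):
        return self._locked_until.get(key, 0.0) > now

    def _record_failure(self, key, now):
        recent = [t for t in self._failures.get(key, []) if now - t < self.WINDOW]
        recent.append(now)
        self._failures[key] = recent
        if len(recent) >= self.MAX_FAILURES:
            self._locked_until[key] = now + self.LOCKOUT
            self._failures[key] = []

    def attempt(self, username, password, source_ip, now):
        keys = (f"user:{username}", f"ip:{source_ip}")
        if any(self._is_locked(k, now) for k in keys):
            return "locked"
        self.evaluations += 1
        if verify_password(username, password):
            for k in keys:
                self._failures.pop(k, None)
            return "ok"
        for k in keys:
            self._record_failure(k, now)
        # Same answer for wrong password and unknown user: no account enumeration.
        return "bad_credentials"


# Constructed wordlist; the correct password is deliberately the last entry.
WORDLIST = ["password", "123456", "admin", "operator", "welcome1", "qwerty",
            "letmein", "Passw0rd", "sick", "SICK2024", "service", "Sick1234"]


def brute_force(service, username="operator", source_ip="203.0.113.7", interval=0.1):
    """Replays the wordlist against one account, one guess every 100 ms."""
    now = 0.0
    for i, guess in enumerate(WORDLIST, start=1):
        if service.attempt(username, guess, source_ip, now) == "ok":
            return {"found": guess, "requests": i, "evaluated": service.evaluations}
        now += interval
    return {"found": None, "requests": len(WORDLIST), "evaluated": service.evaluations}


def password_spray(service, password="Sick1234", source_ip="203.0.113.7", interval=0.1):
    """One guess across many accounts from one address: no single account sees
    many failures, so only the per-source counter can stop it."""
    names = ["alice", "bob", "carol", "dave", "erin", "operator"]
    now = 0.0
    for i, name in enumerate(names, start=1):
        if service.attempt(name, password, source_ip, now) == "ok":
            return {"found": name, "requests": i, "evaluated": service.evaluations}
        now += interval
    return {"found": None, "requests": len(names), "evaluated": service.evaluations}


if __name__ == "__main__":
    print("unthrottled brute force:", brute_force(UnthrottledLogin()))
    print("throttled brute force:  ", brute_force(ThrottledLogin()))
    print("unthrottled spray:      ", password_spray(UnthrottledLogin()))
    print("throttled spray:        ", password_spray(ThrottledLogin()))
```

Against `UnthrottledLogin` both attacks succeed and every guess is evaluated; against `ThrottledLogin` the fifth failure locks the principal and the remaining guesses are refused without a password check. Two practitioner caveats: account lockout is itself a denial-of-service lever (an attacker who knows a username can keep it locked, which is one reason the advisory scores A:L), so progressive delays and alerting on lock events are the usual complement; and the counters must live in shared state if the service runs more than one instance, otherwise an attacker spreads guesses across instances and never trips a threshold.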
Details
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Because the application does not restrict excessive authentication attempts (CWE-307), it directly enables brute-force password guessing (T1110.001) by an unauthenticated attacker over the network.