Cyber Posture

CVE-2026-2330

Critical

Published: 06 March 2026
Modified: 09 March 2026
CVSS Score: 9.4 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H)
EPSS Score: 0.0012 (30.6th percentile)
Risk Priority: 19 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Description

An attacker may access restricted filesystem areas on the device via the CROWN REST interface due to incomplete whitelist enforcement. Certain directories intended for internal testing were not covered by the whitelist and are accessible without authentication. An unauthenticated attacker could place a manipulated parameter file that becomes active after a reboot, allowing modification of critical device settings, including network configuration and application parameters.

Mitigating Controls (NIST 800-53 r5) [AI]

AC-3 (prevent): enforces approved authorizations for access to system resources, directly mitigating the incomplete whitelist enforcement that exposed restricted filesystem directories via the unauthenticated REST interface.

AC-14 (prevent): explicitly identifies and limits the actions permitted without identification or authentication, preventing unauthorized access to internal testing directories intended to be restricted.

AC-6 (prevent): applies least privilege to restrict access to only necessary resources, addressing the exposure of non-essential internal directories through the REST interface.

Security Summary [AI]

CVE-2026-2330 affects the CROWN REST interface on SICK devices due to incomplete whitelist enforcement, classified under CWE-552. This flaw enables access to restricted filesystem areas, including certain directories intended for internal testing, without requiring authentication. Published on 2026-03-06, the vulnerability carries a CVSS v3.1 base score of 9.4 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H), indicating high severity with network accessibility and no privileges needed.

An unauthenticated attacker with network access to the device can exploit the vulnerability by placing a manipulated parameter file into the exposed directories via the REST interface. Upon device reboot, the file activates, allowing the attacker to modify critical settings, including network configuration and application parameters, potentially leading to integrity and availability disruptions.

SICK's advisory SCA-2026-0006, available in JSON and PDF formats, along with SICK's cybersecurity operating guidelines document, provides details on mitigations. Additional guidance appears in CISA's ICS recommended practices resource.

Details

CWE(s): CWE-552

MITRE ATT&CK Enterprise Techniques [AI]

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1105 Ingress Tool Transfer (Command and Control)
Adversaries may transfer tools or other files from an external system into a compromised environment.

T1565.001 Stored Data Manipulation (Impact)
Adversaries may insert, delete, or manipulate data at rest in order to influence external outcomes or hide activity, thus threatening the integrity of the data.
Why these techniques?

The vulnerability enables exploitation of a public-facing REST interface (T1190) for unauthenticated file placement (T1105), allowing manipulated parameter files to alter critical settings upon reboot (T1565.001).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0
