CVE-2025-49181
8.6
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H
Summary
Due to missing authorization of an API endpoint, unauthorized users can send HTTP GET requests to gather sensitive information. An attacker could also send HTTP POST requests to modify the log files’ root path as well as the TCP ports the service is running on, leading to a Denial of Service attack.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| SICK AG | SICK Media Server | all versions | affected |
Weaknesses
- CWE-862: CWE-862 Missing Authorization
Workarounds
It is possible to enable the authorization of the API endpoint via licence. Please contact your support to get a licence with API authorization enabled.
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: yes
- Technical Impact: partial
References
- https://sick.com/psirt
- https://cdn.sick.com/media/docs/1/11/411/Special_information_CYBERSECURITY_BY_SICK_en_IM0084411.PDF
- https://www.cisa.gov/resources-tools/resources/ics-recommended-practices
- https://www.first.org/cvss/calculator/3.1
- https://www.sick.com/.well-known/csaf/white/2025/sca-2025-0007.pdf
- https://www.sick.com/.well-known/csaf/white/2025/sca-2025-0007.json
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.