Ddos 
SICK has released a security advisory (sca-2025-0004) warning of critical vulnerabilities in its DL100-2xxxxxxx devices. The advisory, published on March 14, 2025, details three distinct vulnerabilities that could allow attackers to compromise the availability, integrity, and confidentiality of the affected products.
The vulnerabilities include:
-
CVE-2025-27593: Download of Code Without Integrity Check – This flaw could allow malicious code to be distributed via SDD Device Drivers due to missing download verification checks, potentially leading to code execution on target systems. The CVSSv3.1 base score for this vulnerability is 9.3.
-
CVE-2025-27594: Cleartext Transmission of Sensitive Information – The device uses an unencrypted, proprietary protocol for communication, transmitting configuration data and performing device authentication in cleartext. “An attacker can thereby intercept the authentication hash and use it to log into the device using a pass-the-hash attack,” the advisory states. This vulnerability has a CVSSv3.1 base score of 7.5.
-
CVE-2025-27595: Use of Weak Hash – The device employs a weak hashing algorithm to create password hashes. “Hence, a matching password can be easily calculated by an attacker,” posing a risk to the device’s security and integrity. This vulnerability received a critical CVSSv3.1 base score of 9.8.
The vulnerabilities affect the following product:
- SICK DL100-2xxxxxxx all firmware versions
SICK acknowledges that it is not currently aware of any public exploits specifically targeting these vulnerabilities. However, the potential impact of these vulnerabilities is significant.
SICK strongly recommends operating the affected systems within a secure infrastructure to minimize risk. The advisory provides workarounds for each CVE, emphasizing the importance of applying general security practices.
General security measures recommended by SICK include minimizing network exposure of the devices, restricting network access, and following recommended security practices to maintain a protected IT environment.
SICK thanks Leonard Lewedei from Deutsche Telekom Security GmbH for conducting penetration testing and reporting the vulnerabilities.
SICK urges users of the affected products to review the security advisory and implement the recommended mitigations to protect their systems.
Related Posts:
- CVE-2024-10025 (CVSS 9.1): Critical Flaw in SICK Products Exposes Systems to Remote Attacks
- SICK Warns of Severe Security Flaws in MEAC300 Sensors – CVE-2025-0867 Rated 9.9 CVSS
- CVE-2023-5288: Critical Bug in SICK SIM1012 Devices Could Allow Remote Attacks
- Spring Framework Multiple Security Vulnerability
About The Author
