Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2025-49181

Summary
Assigner-SICK AG
Assigner Org ID-a6863dd2-93fc-443d-bef1-79f0b5020988
Published At-12 Jun, 2025 | 13:14
Updated At-12 Jun, 2025 | 13:26
Rejected At-
Credits

Configurations endpoint does not require authorization

Due to missing authorization of an API endpoint, unauthorized users can send HTTP GET requests to gather sensitive information. An attacker could also send HTTP POST requests to modify the log files’ root path as well as the TCP ports the service is running on, leading to a Denial of Service attack.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:SICK AG
Assigner Org ID:a6863dd2-93fc-443d-bef1-79f0b5020988
Published At:12 Jun, 2025 | 13:14
Updated At:12 Jun, 2025 | 13:26
Rejected At:
▼CVE Numbering Authority (CNA)
Configurations endpoint does not require authorization

Due to missing authorization of an API endpoint, unauthorized users can send HTTP GET requests to gather sensitive information. An attacker could also send HTTP POST requests to modify the log files’ root path as well as the TCP ports the service is running on, leading to a Denial of Service attack.

Affected Products
Vendor
SICK AGSICK AG
Product
SICK Media Server
Default Status
affected
Versions
Affected
  • all versions (custom)
Problem Types
TypeCWE IDDescription
CWECWE-862CWE-862 Missing Authorization
Type: CWE
CWE ID: CWE-862
Description: CWE-862 Missing Authorization
Metrics
VersionBase scoreBase severityVector
3.18.6HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H
Version: 3.1
Base score: 8.6
Base severity: HIGH
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds

It is possible to enable the authorization of the API endpoint via licence. Please contact your support to get a licence with API authorization enabled.

Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://sick.com/psirt
x_SICK PSIRT Website
https://cdn.sick.com/media/docs/1/11/411/Special_information_CYBERSECURITY_BY_SICK_en_IM0084411.PDF
x_SICK Operating Guidelines
https://www.cisa.gov/resources-tools/resources/ics-recommended-practices
x_ICS-CERT recommended practices on Industrial Security
https://www.first.org/cvss/calculator/3.1
x_CVSS v3.1 Calculator
https://www.sick.com/.well-known/csaf/white/2025/sca-2025-0007.pdf
vendor-advisory
https://www.sick.com/.well-known/csaf/white/2025/sca-2025-0007.json
vendor-advisory
x_csaf
Hyperlink: https://sick.com/psirt
Resource:
x_SICK PSIRT Website
Hyperlink: https://cdn.sick.com/media/docs/1/11/411/Special_information_CYBERSECURITY_BY_SICK_en_IM0084411.PDF
Resource:
x_SICK Operating Guidelines
Hyperlink: https://www.cisa.gov/resources-tools/resources/ics-recommended-practices
Resource:
x_ICS-CERT recommended practices on Industrial Security
Hyperlink: https://www.first.org/cvss/calculator/3.1
Resource:
x_CVSS v3.1 Calculator
Hyperlink: https://www.sick.com/.well-known/csaf/white/2025/sca-2025-0007.pdf
Resource:
vendor-advisory
Hyperlink: https://www.sick.com/.well-known/csaf/white/2025/sca-2025-0007.json
Resource:
vendor-advisory
x_csaf
▼Authorized Data Publishers (ADP)
CISA ADP Vulnrichment
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:psirt@sick.de
Published At:12 Jun, 2025 | 14:15
Updated At:03 Feb, 2026 | 14:35

Due to missing authorization of an API endpoint, unauthorized users can send HTTP GET requests to gather sensitive information. An attacker could also send HTTP POST requests to modify the log files’ root path as well as the TCP ports the service is running on, leading to a Denial of Service attack.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Secondary3.18.6HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H
Primary3.18.6HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H
Type: Secondary
Version: 3.1
Base score: 8.6
Base severity: HIGH
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H
Type: Primary
Version: 3.1
Base score: 8.6
Base severity: HIGH
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H
CPE Matches
SICK AG
sick
>>media_server>>-
cpe:2.3:a:sick:media_server:-:*:*:*:*:*:*:*
Weaknesses
CWE IDTypeSource
CWE-862Secondarypsirt@sick.de
CWE ID: CWE-862
Type: Secondary
Source: psirt@sick.de
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
https://cdn.sick.com/media/docs/1/11/411/Special_information_CYBERSECURITY_BY_SICK_en_IM0084411.PDFpsirt@sick.de
Broken Link
https://sick.com/psirtpsirt@sick.de
Vendor Advisory
https://www.cisa.gov/resources-tools/resources/ics-recommended-practicespsirt@sick.de
US Government Resource
https://www.first.org/cvss/calculator/3.1psirt@sick.de
Not Applicable
https://www.sick.com/.well-known/csaf/white/2025/sca-2025-0007.jsonpsirt@sick.de
Vendor Advisory
https://www.sick.com/.well-known/csaf/white/2025/sca-2025-0007.pdfpsirt@sick.de
Vendor Advisory
Hyperlink: https://cdn.sick.com/media/docs/1/11/411/Special_information_CYBERSECURITY_BY_SICK_en_IM0084411.PDF
Source: psirt@sick.de
Resource:
Broken Link
Hyperlink: https://sick.com/psirt
Source: psirt@sick.de
Resource:
Vendor Advisory
Hyperlink: https://www.cisa.gov/resources-tools/resources/ics-recommended-practices
Source: psirt@sick.de
Resource:
US Government Resource
Hyperlink: https://www.first.org/cvss/calculator/3.1
Source: psirt@sick.de
Resource:
Not Applicable
Hyperlink: https://www.sick.com/.well-known/csaf/white/2025/sca-2025-0007.json
Source: psirt@sick.de
Resource:
Vendor Advisory
Hyperlink: https://www.sick.com/.well-known/csaf/white/2025/sca-2025-0007.pdf
Source: psirt@sick.de
Resource:
Vendor Advisory

Change History

0
Information is not available yet

Similar CVEs

5Records found
CVE-2023-43700
Matching Score-6
Assigner-SICK AG
ShareView Details
Matching Score-6
Assigner-SICK AG
CVSS Score-7.7||HIGH
EPSS-0.19% / 41.10%
||
7 Day CHG~0.00%
Published-09 Oct, 2023 | 11:56
Updated-19 Sep, 2024 | 14:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Missing Authorization in RDT400 in SICK APU allows an unprivileged remote attacker to modify data via HTTP requests that no not require authentication.

Action-Not Available
Vendor-SICK AG
Product-apu0200apu0200_firmwareAPU0200rdt400
CWE ID-CWE-862
Missing Authorization
CVE-2021-32504
Matching Score-6
Assigner-SICK AG
ShareView Details
Matching Score-6
Assigner-SICK AG
CVSS Score-5.3||MEDIUM
EPSS-0.33% / 55.03%
||
7 Day CHG~0.00%
Published-19 Jul, 2022 | 14:11
Updated-03 Aug, 2024 | 23:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Unauthenticated users can access sensitive web URLs through GET request, which should be restricted to maintenance users only. A malicious attacker could use this sensitive information’s to launch further attacks on the system.

Action-Not Available
Vendor-n/aSICK AG
Product-ftmgftmg_firmwareSICK FTMg
CWE ID-CWE-862
Missing Authorization
CVE-2021-32503
Matching Score-6
Assigner-SICK AG
ShareView Details
Matching Score-6
Assigner-SICK AG
CVSS Score-4.9||MEDIUM
EPSS-0.88% / 74.95%
||
7 Day CHG~0.00%
Published-01 Apr, 2022 | 22:17
Updated-03 Aug, 2024 | 23:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Unauthenticated users can access sensitive web URLs through GET request, which should be restricted to maintenance users only. A malicious attacker could use this sensitive information’s to launch further attacks on the system.

Action-Not Available
Vendor-n/aSICK AG
Product-ftmgftmg_firmwareSICK FTMg
CWE ID-CWE-862
Missing Authorization
CWE ID-CWE-400
Uncontrolled Resource Consumption
CVE-2025-59461
Matching Score-6
Assigner-SICK AG
ShareView Details
Matching Score-6
Assigner-SICK AG
CVSS Score-7.6||HIGH
EPSS-0.20% / 42.06%
||
7 Day CHG~0.00%
Published-27 Oct, 2025 | 10:11
Updated-03 Nov, 2025 | 19:41
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
API does not require authentication

A remote unauthenticated attacker may use the unauthenticated C++ API to access or modify sensitive data and disrupt services.

Action-Not Available
Vendor-SICK AG
Product-tloc100-100tloc100-100_firmwareTLOC100-100 all Firmware versions
CWE ID-CWE-862
Missing Authorization
CVE-2025-20362
Matching Score-4
Assigner-Cisco Systems, Inc.
ShareView Details
Matching Score-4
Assigner-Cisco Systems, Inc.
CVSS Score-6.5||MEDIUM
EPSS-42.56% / 97.36%
||
7 Day CHG~0.00%
Published-25 Sep, 2025 | 16:12
Updated-06 Nov, 2025 | 14:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Known KEV||Action Due Date - 2025-09-26||The KEV due date refers to the deadline by which FCEB agencies are expected to review and begin implementing the guidance outlined in Emergency Directive (ED) 25-03 (URL listed below in Notes). Agencies must follow the mitigation steps provided by CISA (URL listed below in Notes) and vendor’s instructions (URL listed below in Notes). Adhere to the applicable BOD 22-01 guidance for cloud services or discontinue use of the product if mitigations are not available.

Update: On November 5, 2025, Cisco became aware of a new attack variant against devices running Cisco Secure ASA Software or Cisco Secure FTD Software releases that are affected by CVE-2025-20333 and CVE-2025-20362. This attack can cause unpatched devices to unexpectedly reload, leading to denial of service (DoS) conditions. Cisco strongly recommends that all customers upgrade to the fixed software releases that are listed in the Fixed Software ["#fs"] section of this advisory. A vulnerability in the VPN web server of Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Cisco Secure Firewall Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to access restricted URL endpoints that are related to remote access VPN that should otherwise be inaccessible without authentication. This vulnerability is due to improper validation of user-supplied input in HTTP(S) requests. An attacker could exploit this vulnerability by sending crafted HTTP requests to a targeted web server on a device. A successful exploit could allow the attacker to access a restricted URL without authentication.

Action-Not Available
Vendor-Cisco Systems, Inc.
Product-firepower_threat_defenseadaptive_security_appliance_softwareCisco Secure Firewall Threat Defense (FTD) SoftwareCisco Secure Firewall Adaptive Security Appliance (ASA) SoftwareSecure Firewall Adaptive Security Appliance and Secure Firewall Threat Defense
CWE ID-CWE-862
Missing Authorization
Details not found