CVE-2025-0867
Published: 14 February 2025
Summary
CVE-2025-0867 is a critical-severity Insufficiently Protected Credentials (CWE-522) vulnerability in Sick (inferred from references). Its CVSS base score is 9.9 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 38.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-2 (Account Management) and AC-6 (Least Privilege).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly mandates secure management, storage, and protection of administrator credentials to prevent low-privileged users from accessing and exploiting them via the 'run as' function.
Enforces least privilege principle, restricting standard users from escalating to administrative privileges even if credentials are accessible.
Requires proper provisioning, review, and disabling of privileged accounts and associated credentials, preventing their insecure storage for automatic startup.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Direct privilege escalation via exploitation of improperly stored admin credentials (unsecured credentials weakness) allowing low-priv user to run commands as admin.
NVD Description
The standard user uses the run as function to start the MEAC applications with administrative privileges. To ensure that the system can startup on its own, the credentials of the administrator were stored. Consequently, the EPC2 user can execute any…
more
command with administrative privileges. This allows a privilege escalation to the administrative level.
Deeper analysisAI
CVE-2025-0867 is a critical privilege escalation vulnerability (CVSS 9.9, CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H) stemming from improperly stored administrator credentials in SICK's MEAC applications running on EPC2 systems. The issue, tied to CWE-522 (Insufficiently Protected Credentials), arises because the applications use a "run as" function to launch with administrative privileges, and the admin credentials are stored to enable automatic startup. This was publicly disclosed on 2025-02-14.
A low-privileged EPC2 user, which operates as a standard user, can exploit the stored credentials to execute arbitrary commands with full administrative privileges, resulting in complete compromise of confidentiality, integrity, and availability. The attack requires low privileges (PR:L) but can be performed over the network (AV:N) without user interaction (UI:N), with a scope change (S:C) enabling high-impact escalation across the affected system.
SICK has issued advisories via its PSIRT page, a dedicated cybersecurity PDF document, and a CSAF provider document (sca-2025-0001.json), which outline the vulnerability details and recommended mitigations for affected MEAC applications on EPC2 systems. Additional context is available from CISA's ICS recommended practices and the FIRST CVSS calculator.
Details
- CWE(s)