CVE-2025-27594
Published: 14 March 2025
Summary
CVE-2025-27594 is a high-severity Cleartext Transmission of Sensitive Information (CWE-319) vulnerability in a SICK product (the vendor is inferred from the references). Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Network Sniffing (T1040). It is ranked at the 26.1st percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-13 (Cryptographic Protection) and SC-8 (Transmission Confidentiality and Integrity).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SC-8 (Transmission Confidentiality and Integrity): requires confidentiality and integrity protections for transmitted information, directly preventing interception of authentication hashes carried in unencrypted proprietary protocols.
- SC-13 (Cryptographic Protection): mandates cryptographic mechanisms to protect the confidentiality of sensitive information, such as authentication hashes, during transmission.
- Authenticator management: ensures secure management and protection of authenticators commensurate with their sensitivity, mitigating the risk of hash interception and pass-the-hash exploitation.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The unencrypted protocol enables passive network sniffing to capture the authentication hash (T1040); the captured hash directly facilitates pass-the-hash for device authentication (T1550.002).
NVD Description
The device uses an unencrypted, proprietary protocol for communication. Through this protocol, configuration data is transmitted and device authentication is performed. An attacker can thereby intercept the authentication hash and use it to log into the device using a pass-the-hash attack.
Deeper analysis
CVE-2025-27594 is a vulnerability in SICK DL100 devices, stemming from the use of an unencrypted proprietary protocol for communication. This protocol transmits configuration data and handles device authentication, enabling attackers to intercept the authentication hash. Assigned CWE-319 (Cleartext Transmission of Sensitive Information), it carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), indicating high confidentiality impact with network accessibility and low complexity.
Remote attackers on the network can exploit this vulnerability without privileges or user interaction by passively intercepting traffic to capture the authentication hash. With the hash, they can perform a pass-the-hash attack to log into the affected device, potentially accessing sensitive configuration data and other confidential information.
Advisories from SICK, including special cybersecurity information (IM0084411) and their PSIRT page, address this issue alongside multiple vulnerabilities in DL100 devices as reported by Telekom Security. CISA provides general ICS recommended practices for mitigation in such scenarios.
Details
- CWE(s)