Cyber Resilience

CVE-2025-27594

High

Published: 14 March 2025

Modified: 15 April 2026
KEV Added
Patch
CVSS Score v3.1: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
EPSS Score: 0.0009 (26.3th percentile)
Risk Priority: 15 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-27594 is a high-severity Cleartext Transmission of Sensitive Information (CWE-319) vulnerability in SICK (inferred from references). Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Network Sniffing (T1040). The CVE is ranked at the 26.3th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-13 (Cryptographic Protection) and SC-8 (Transmission Confidentiality and Integrity).

Deeper analysis

CVE-2025-27594 is a vulnerability in SICK DL100 devices, stemming from the use of an unencrypted proprietary protocol for communication. This protocol transmits configuration data and handles device authentication, enabling attackers to intercept the authentication hash. Assigned CWE-319 (Cleartext Transmission of Sensitive Information), it carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), indicating high confidentiality impact with network accessibility and low complexity.

Remote attackers on the network can exploit this vulnerability without privileges or user interaction by passively intercepting traffic to capture the authentication hash. With the hash, they can perform a pass-the-hash attack to log into the affected device, potentially accessing sensitive configuration data and other confidential information.

Advisories from SICK, including special cybersecurity information (IM0084411) and their PSIRT page, address this issue alongside multiple vulnerabilities in DL100 devices as reported by Telekom Security. CISA provides general ICS recommended practices for mitigation in such scenarios.

EU & UK References

Vulnerability details

The device uses an unencrypted, proprietary protocol for communication. Through this protocol, configuration data is transmitted and device authentication is performed. An attacker can thereby intercept the authentication hash and use it to log into the device using a pass-the-hash attack.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1040 Network Sniffing (Credential Access)
Adversaries may passively sniff network traffic to capture information about an environment, including authentication material passed over the network.

T1550.002 Pass the Hash (Lateral Movement)
Adversaries may “pass the hash” using stolen password hashes to move laterally within an environment, bypassing normal system access controls.

Why these techniques?

The unencrypted protocol enables passive network sniffing to capture the authentication hash (T1040); the captured hash then directly facilitates pass-the-hash against device authentication (T1550.002).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-23661 (Shared CWE-319)
CVE-2025-13718 (Shared CWE-319)
CVE-2024-36558 (Shared CWE-319)
CVE-2025-70048 (Shared CWE-319)
CVE-2024-44276 (Shared CWE-319)
CVE-2025-69272 (Shared CWE-319)
CVE-2024-42181 (Shared CWE-319)
CVE-2026-30795 (Shared CWE-319)
CVE-2026-30796 (Shared CWE-319)
CVE-2025-67159 (Shared CWE-319)

Affected Assets

SICK (inferred from references and description; NVD did not file a CPE for this CVE)

Mitigating Controls (NIST 800-53 r5) (AI)

prevent

Requires confidentiality and integrity protections for transmitted information, directly preventing interception of authentication hashes in unencrypted proprietary protocols.

prevent

Mandates cryptographic mechanisms to protect confidentiality of sensitive information like authentication hashes during transmission.

prevent

Ensures secure management and protection of authenticators commensurate with sensitivity, mitigating risks of hash interception and pass-the-hash exploitation.

References