Cyber Posture

CVE-2025-58587

Severity: Medium
Published: 06 October 2025
Modified: 27 January 2026
KEV Added: not listed
CVSS Score: 6.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L)
EPSS Score: 0.0026 (48.9th percentile)
Risk Priority: 13 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-58587 is a medium-severity Improper Restriction of Excessive Authentication Attempts (CWE-307) vulnerability in SICK's analytics applications (Baggage Analytics, Enterprise Analytics, Logistic Diagnostic Analytics, Package Analytics and Tire Analytics, all versions). Its CVSS v3.1 base score is 6.5 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Password Guessing (T1110.001). The CVE ranks at the 48.9th percentile by EPSS exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-7 (Unsuccessful Logon Attempts) and AU-2 (Event Logging).

Threat & Defense at a Glance

What attackers do: exploitation maps to Password Guessing (T1110.001). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

AC-7 Unsuccessful Logon Attempts
prevent

AC-7 requires establishing and enforcing a limit on consecutive unsuccessful logon attempts, with an account lockout or a delay once the limit is reached; this directly counters the brute-force credential guessing that this CVE enables.

SC-5 Denial-of-Service Protection
prevent

SC-5 calls for denial-of-service protections such as rate limiting network requests, which slows the rapid submission of authentication attempts over the network.

AU-2 Event Logging (partial match)
detect

AU-2 requires unsuccessful logon attempts to be logged as auditable events, which is what makes a brute-force attack detectable while it is in progress.
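The three controls above, shown side by side with the CWE-307 pattern they address. This is an added example and not code from SICK or from the advisory: a login handler that answers every guess without limit (the vulnerable shape) beside one that enforces an AC-7 style consecutive-failure lockout, an SC-5 style per-source rate limit, and AU-2 style logging of every failed or refused attempt. The user store, thresholds, source address and guess list are all constructed for the demo.

```python
"""Added example (not SICK's code): a login handler without throttling (the
CWE-307 pattern) beside one that enforces AC-7 lockout, an SC-5 style
per-source rate limit, and AU-2 style logging of every failed attempt.
Credentials, thresholds and the guess list are constructed for the demo."""
import hashlib
import hmac
import time
from collections import defaultdict, deque

# Constructed user store: username -> salted PBKDF2 hash (demo values only).
_SALT = b"demo-salt"


def _hash(pw: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), _SALT, 10_000)


USERS = {"operator": _hash("correct horse battery")}


def _password_ok(user: str, password: str) -> bool:
    stored = USERS.get(user)
    if stored is None:
        _hash(password)  # hash anyway so unknown users cost the same time
        return False
    return hmac.compare_digest(stored, _hash(password))


class VulnerableAuth:
    """No limit on consecutive failures: every guess gets an honest answer."""

    def login(self, user, password, source_ip):
        return "ok" if _password_ok(user, password) else "denied"


class HardenedAuth:
    MAX_FAILURES = 5        # AC-7: consecutive failures before lockout
    LOCKOUT_SECONDS = 900   # AC-7: lockout duration (assumed value)
    RATE_LIMIT = 20         # SC-5: attempts per source per window (assumed)
    WINDOW_SECONDS = 60

    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.failures = defaultdict(int)      # user -> consecutive failures
        self.locked_until = {}                # user -> unlock timestamp
        self.per_source = defaultdict(deque)  # ip -> recent attempt times
        self.audit_log = []                   # AU-2: auditable events

    def _log(self, event, user, source_ip):
        self.audit_log.append({"ts": self.clock(), "event": event,
                               "user": user, "src": source_ip})

    def login(self, user, password, source_ip):
        now = self.clock()
        # SC-5: drop attempts beyond the per-source rate before doing any work.
        window = self.per_source[source_ip]
        while window and now - window[0] > self.WINDOW_SECONDS:
            window.popleft()
        if len(window) >= self.RATE_LIMIT:
            self._log("rate_limited", user, source_ip)
            return "rate_limited"
        window.append(now)
        # AC-7: refuse while the account is locked, without checking the password.
        if self.locked_until.get(user, 0) > now:
            self._log("locked", user, source_ip)
            return "locked"
        if _password_ok(user, password):
            self.failures[user] = 0
            self._log("logon_success", user, source_ip)
            return "ok"
        self.failures[user] += 1
        self._log("logon_failure", user, source_ip)
        if self.failures[user] >= self.MAX_FAILURES:
            self.locked_until[user] = now + self.LOCKOUT_SECONDS
            self.failures[user] = 0
            self._log("account_locked", user, source_ip)
        return "denied"


def run_guessing(auth, guesses, user="operator", source_ip="203.0.113.7"):
    """Replay a constructed guess list (wrong guesses, then the real password)."""
    return [auth.login(user, g, source_ip) for g in guesses]


GUESSES = ["password", "123456", "admin", "letmein", "qwerty", "welcome",
           "correct horse battery"]

if __name__ == "__main__":
    print(run_guessing(VulnerableAuth(), GUESSES))
    print(run_guessing(HardenedAuth(), GUESSES))
```

Against the same seven guesses the vulnerable handler yields the real password on the last try, while the hardened one locks the account after the fifth failure and never evaluates the correct guess. One caveat a practitioner will want: a fixed per-account lockout lets anyone who knows a username deny service to its owner, which is why AC-7 also allows delays, and why many deployments key the counter on the (account, source) pair or back off progressively instead of locking outright.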

MITRE ATT&CK Enterprise Techniques

T1110.001 Password Guessing (Credential Access)
Adversaries with no prior knowledge of legitimate credentials within the system or environment may guess passwords to attempt access to accounts.

Why these techniques?

The vulnerability fails to restrict excessive authentication attempts (CWE-307), directly enabling brute-force password guessing (T1110.001) over the network.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

The application does not implement sufficient measures to prevent multiple failed authentication attempts within a short time frame, making it possible for an attacker to guess user credentials.

Deeper analysis

CVE-2025-58587 is a vulnerability in SICK analytics applications that fail to implement adequate controls limiting multiple failed authentication attempts within a short timeframe, allowing an attacker to brute-force user credentials. Published on 2025-10-06, it is associated with CWE-307 (Improper Restriction of Excessive Authentication Attempts) and carries a CVSS v3.1 base score of 6.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L): medium severity, reflecting network reachability, low attack complexity, and no privileges or user interaction required.

An unauthenticated remote attacker can exploit this vulnerability over the network by rapidly submitting authentication requests, raising the likelihood of guessing a valid credential. The vector scores the direct impact as low on integrity (I:L) and availability (A:L) and none on confidentiality (C:N); a successfully guessed account lets the attacker make unauthorized changes or cause disruption within the privileges of that account.
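The attack just described leaves a recognisable trace in the unsuccessful-logon events that AU-2 requires an application to emit. The following detector is an added example, not part of the advisory or of any SICK product: it parses constructed authentication log lines in an assumed format, keeps a sliding-window count of failures per account and per source address, and raises one alert when either crosses a threshold, plus a second alert when a success follows the burst, which is the moment a guess landed. Thresholds, the window, the log format and the addresses are all assumptions made for the demo.

```python
"""Added example (not from the advisory or from SICK): detection of the
T1110.001 password-guessing pattern over constructed authentication log
lines of the kind AU-2 requires an application to emit. The log format,
thresholds and addresses are assumptions made for the demo."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log format: "<ISO-8601 UTC> auth <OK|FAIL> user=<name> src=<ip>".
LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<outcome>OK|FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$")

# Constructed sample: 12 failures against one account from one source within
# twelve seconds, then a success from the same source, plus benign traffic
# (two failures 15 minutes apart) and one unrelated line the parser must skip.
_BURST = [f"2025-10-06T08:00:{10 + i:02d}Z auth FAIL user=operator src=203.0.113.7"
          for i in range(12)]
SAMPLE_LOG = (
    ["2025-10-06T08:00:01Z auth OK user=alice src=10.0.0.5"]
    + _BURST
    + ["2025-10-06T08:01:30Z auth OK user=operator src=203.0.113.7",
       "2025-10-06T08:05:00Z auth FAIL user=bob src=10.0.0.9",
       "2025-10-06T08:20:00Z auth FAIL user=bob src=10.0.0.9",
       "2025-10-06T08:21:00Z kernel: unrelated line"]
)


def parse(lines):
    """Return (timestamp, outcome, user, src) tuples, skipping non-auth lines."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append((ts, m["outcome"], m["user"], m["src"]))
    return sorted(events)


def detect(lines, threshold=10, window=timedelta(minutes=5)):
    """Sliding-window count of failures per account and per source.

    Emits one brute_force alert the first time a key crosses the threshold,
    and a success_after_burst alert when a key that already alerted then
    logs a successful logon: the signal that a guess landed."""
    recent = defaultdict(list)   # key -> timestamps of failures in the window
    alerted = set()
    alerts = []
    for ts, outcome, user, src in parse(lines):
        keys = (("user", user), ("src", src))
        if outcome == "FAIL":
            for key in keys:
                buf = recent[key]
                buf.append(ts)
                while ts - buf[0] > window:   # drop failures outside the window
                    buf.pop(0)
                if len(buf) >= threshold and key not in alerted:
                    alerted.add(key)
                    alerts.append(("brute_force", key[0], key[1], len(buf)))
        elif any(k in alerted for k in keys):
            alerts.append(("success_after_burst", user, src))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Counting per source as well as per account matters: an attacker who spreads guesses across many usernames from one address never trips a per-account threshold but still shows up on the per-source counter. The benign user with two failures a quarter of an hour apart stays below the threshold because the window expires between them.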

Mitigation guidance is detailed in SICK's advisories, including the PSIRT page at https://sick.com/psirt and the CSAF provider document sca-2025-0010 available at https://www.sick.com/.well-known/csaf/white/2025/sca-2025-0010.json and https://www.sick.com/.well-known/csaf/white/2025/sca-2025-0010.pdf. Additional context is provided by CISA's ICS recommended practices at https://www.cisa.gov/resources-tools/resources/ics-recommended-practices and the FIRST CVSS v3.1 calculator at https://www.first.org/cvss/calculator/3.1.

Details

CWE(s)

CWE-307 Improper Restriction of Excessive Authentication Attempts

Affected Products

SICK Baggage Analytics: all versions
SICK Enterprise Analytics: all versions
SICK Logistic Diagnostic Analytics: all versions
SICK Package Analytics: all versions
SICK Tire Analytics: all versions

CVEs Like This One

CVE-2026-24436 (shared CWE-307)
CVE-2025-36363 (shared CWE-307)
CVE-2026-27521 (shared CWE-307)
CVE-2026-32292 (shared CWE-307)
CVE-2024-9342 (shared CWE-307)
CVE-2026-22917 (same vendor: SICK)
CVE-2026-22644 (same vendor: SICK)
CVE-2026-27778 (shared CWE-307)
CVE-2026-22646 (same vendor: SICK)
CVE-2026-1626 (same vendor: SICK)
