Cyber Posture

CVE-2026-22907

Severity: Critical
Published: 15 January 2026
Modified: 23 January 2026
KEV Added: not listed
Patch: available (see vendor advisory)
CVSS Score: 9.9 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)
EPSS Score: 0.0003 (7.4th percentile)
Risk Priority: 20 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-22907 is a critical-severity Incorrect Privilege Assignment (CWE-266) vulnerability in SICK TDC-X401GL firmware (versions up to and including 1.4.0). Its CVSS v3.1 base score is 9.9 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). Its EPSS score of 0.0003 places it at the 7.4th percentile of exploit likelihood (well below the median), and it is not currently listed in the CISA KEV catalog. The high CVSS score therefore reflects impact, not observed exploitation.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 2 other techniques. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

AC-6 Least Privilege (prevent)
Directly addresses CWE-266 incorrect privilege assignment by enforcing least privilege, so that a low-privilege attacker cannot gain unauthorized host filesystem access.

AC-3 Access Enforcement (prevent)
Enforces access control policies to block unauthorized read and modification of host system data by unprivileged attackers.

SI-2 Flaw Remediation (prevent)
Mandates timely flaw remediation: patching the specific vulnerability that enables network-based unauthorized host filesystem access.

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1005 Data from Local System (Collection)
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.

T1083 File and Directory Discovery (Discovery)
Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system.

Why these techniques?

Remote network exploitation (AV:N) of the incorrect privilege assignment gives an authenticated low-privilege user (PR:L) access to the host filesystem, which in ATT&CK terms is T1190 for the initial foothold, followed by T1083 to enumerate files and T1005 to read or modify system data.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

NVD Description

An attacker may gain unauthorized access to the host filesystem, potentially allowing them to read and modify system data.

Deeper analysis

CVE-2026-22907, published on 2026-01-15, is a critical vulnerability (CVSS v3.1 base score 9.9) mapped to CWE-266 (Incorrect Privilege Assignment) and NVD-CWE-Other. It enables an attacker to gain unauthorized access to the host filesystem, potentially allowing them to read and modify system data. The affected product is SICK TDC-X401GL firmware up to and including version 1.4.0, as referenced in the vendor's PSIRT notices and CSAF advisories.

Exploitation requires only low privileges (PR:L), i.e. an authenticated account without administrative rights, and can occur over the network (AV:N) with low attack complexity (AC:L) and no user interaction (UI:N). The scope is changed (S:C): the impact extends beyond the vulnerable component to the host itself, which is why an attacker reaches the host filesystem rather than just the component's own data. The resulting impact is high for confidentiality, integrity and availability (C:H/I:H/A:H), namely broad read and modification access to system data on the affected host. In practice, any device exposing the vulnerable service to a network where a low-privilege credential can be obtained or guessed should be treated as exposed.

SICK's advisories, including the PSIRT page at https://sick.com/psirt and detailed CSAF documents at https://www.sick.com/.well-known/csaf/white/2026/sca-2026-0001.json and https://www.sick.com/.well-known/csaf/white/2026/sca-2026-0001.pdf, provide mitigation guidance and patches. Additional context on ICS recommended practices is available from CISA at https://www.cisa.gov/resources-tools/resources/ics-recommended-practices, with CVSS details at https://www.first.org/cvss/calculator/3.1.

Details

CWE(s)

CWE-266 Incorrect Privilege Assignment
NVD-CWE-Other

Affected Products

SICK TDC-X401GL firmware, versions ≤ 1.4.0
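SICK publishes this advisory as CSAF (the sca-2026-0001 JSON referenced above), which makes the affected-version check automatable. The following added example (not code from this page or from SICK) walks a CSAF 2.0 product tree, resolves the product IDs listed as known_affected for a CVE, and tests a concrete firmware version against the version specifier on that branch, comparing numerically so that 1.10.0 is not treated as below 1.4.0. The embedded document is a constructed stand-in shaped like a CSAF product_tree; its product IDs and branch layout are assumptions, and it carries no fixed version because the page does not state one. Only the affected range (≤ 1.4.0) and the CVE come from this page.

```python
"""Check a firmware version against a CSAF 2.0 advisory's known_affected products (added example)."""
import json
from operator import ge, gt, le, lt
from typing import Iterator

# Constructed sample shaped like a CSAF 2.0 document. NOT SICK's sca-2026-0001 advisory:
# product IDs, branch names and the tracking id are assumptions made for this example.
CSAF_SAMPLE = json.dumps({
    "document": {"title": "constructed sample advisory", "tracking": {"id": "SAMPLE-0001"}},
    "product_tree": {"branches": [{
        "category": "vendor", "name": "SICK AG",
        "branches": [{
            "category": "product_name", "name": "TDC-X401GL",
            "branches": [{
                "category": "product_version_range", "name": "<=1.4.0",
                "product": {"name": "TDC-X401GL firmware <=1.4.0", "product_id": "CSAFPID-0001"},
            }],
        }],
    }]},
    "vulnerabilities": [{
        "cve": "CVE-2026-22907",
        "product_status": {"known_affected": ["CSAFPID-0001"]},
    }],
})


def parse_version(v: str) -> tuple:
    """'1.4.0' -> (1, 4, 0); numeric tuples compare correctly where strings would not."""
    return tuple(int(x) for x in v.strip().split("."))


def version_matches(spec: str, version: str) -> bool:
    """True if `version` satisfies `spec`, an exact version or one of <=, <, >=, > plus a version."""
    for op, fn in (("<=", le), (">=", ge), ("<", lt), (">", gt)):
        if spec.startswith(op):
            return fn(parse_version(version), parse_version(spec[len(op):]))
    return parse_version(version) == parse_version(spec)


def walk_products(branch: dict, path: tuple = ()) -> Iterator[tuple]:
    """Yield (path, product_id) for every leaf product; path is the chain of (category, name)."""
    path = path + ((branch.get("category"), branch.get("name")),)
    if "product" in branch:
        yield path, branch["product"]["product_id"]
    for child in branch.get("branches", []):
        yield from walk_products(child, path)


def affected_product_ids(doc: dict, cve: str) -> set:
    """Product IDs listed as known_affected for `cve`, or an empty set if the CVE is absent."""
    for vuln in doc.get("vulnerabilities", []):
        if vuln.get("cve") == cve:
            return set(vuln.get("product_status", {}).get("known_affected", []))
    return set()


def is_affected(csaf_json: str, cve: str, product_name: str, version: str) -> bool:
    """Does `product_name` at `version` fall under a known_affected branch for `cve`?"""
    doc = json.loads(csaf_json)
    affected = affected_product_ids(doc, cve)
    for root in doc.get("product_tree", {}).get("branches", []):
        for path, pid in walk_products(root):
            by_category = dict(path)  # each category appears at most once along a path
            if by_category.get("product_name") != product_name or pid not in affected:
                continue
            spec = by_category.get("product_version_range") or by_category.get("product_version")
            if spec and version_matches(spec, version):
                return True
    return False


if __name__ == "__main__":
    for fw in ("1.3.2", "1.4.0", "1.4.1", "1.10.0"):
        print(f"TDC-X401GL {fw}: affected={is_affected(CSAF_SAMPLE, 'CVE-2026-22907', 'TDC-X401GL', fw)}")
```

Against a real feed, replace CSAF_SAMPLE with the body fetched from the vendor's .well-known/csaf path and keep the same walker; vendors vary in whether they encode versions as product_version leaves, product_version_range strings or vers: URIs, so check the branch categories of the actual document before trusting the result.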

CVEs Like This One

CVE-2026-22908 (same product: SICK TDC-X401GL)
CVE-2026-22918 (same product: SICK TDC-X401GL)
CVE-2026-22910 (same product: SICK TDC-X401GL)
CVE-2026-22920 (same product: SICK TDC-X401GL)
CVE-2026-22917 (same product: SICK TDC-X401GL)
CVE-2026-22911 (same product: SICK TDC-X401GL)
CVE-2026-22909 (same product: SICK TDC-X401GL)
CVE-2026-1626 (same vendor: SICK)
CVE-2026-22644 (same vendor: SICK)
CVE-2025-58587 (same vendor: SICK)

References

SICK PSIRT: https://sick.com/psirt
SICK CSAF advisory sca-2026-0001 (JSON): https://www.sick.com/.well-known/csaf/white/2026/sca-2026-0001.json
SICK CSAF advisory sca-2026-0001 (PDF): https://www.sick.com/.well-known/csaf/white/2026/sca-2026-0001.pdf
CISA ICS recommended practices: https://www.cisa.gov/resources-tools/resources/ics-recommended-practices
FIRST CVSS v3.1 calculator: https://www.first.org/cvss/calculator/3.1