CVE-2026-22907

Severity: Critical

Published: 15 January 2026
Modified: 23 January 2026
CVSS Score (v3.1): 9.9 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)
EPSS Score: 0.0041 (32.3rd percentile)
Risk Priority: 70 (floored blend · peak EPSS)

Summary

CVE-2026-22907 is a critical-severity Incorrect Privilege Assignment (CWE-266) vulnerability in Sick Tdc-X401Gl Firmware. Its CVSS base score is 9.9 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 32.3rd percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).

Deeper analysis

CVE-2026-22907, published on 2026-01-15, is a critical vulnerability (CVSS 3.1 score of 9.9) mapped to CWE-266 (Incorrect Privilege Assignment for Critical Resource) and NVD-CWE-Other. It enables an attacker to gain unauthorized access to the host filesystem, potentially allowing them to read and modify system data. The vulnerability affects components associated with SICK, as referenced in the vendor's PSIRT notices and CSAF advisories.

Exploitation requires low privileges (PR:L) and can occur over the network (AV:N) with low attack complexity (AC:L) and no user interaction (UI:N). The high scope impact (S:C) allows an attacker to achieve high confidentiality, integrity, and availability effects (C:H/I:H/A:H), such as broad read and modification access to system data on the affected host.

SICK's advisories, including the PSIRT page at https://sick.com/psirt and detailed CSAF documents at https://www.sick.com/.well-known/csaf/white/2026/sca-2026-0001.json and https://www.sick.com/.well-known/csaf/white/2026/sca-2026-0001.pdf, provide mitigation guidance and patches. Additional context on ICS recommended practices is available from CISA at https://www.cisa.gov/resources-tools/resources/ics-recommended-practices, with CVSS details at https://www.first.org/cvss/calculator/3.1.

Vulnerability details

An attacker may gain unauthorized access to the host filesystem, potentially allowing them to read and modify system data.

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1005 Data from Local System (Collection)
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.

T1083 File and Directory Discovery (Discovery)
Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system.

Why these techniques?

Remote network exploitation (AV:N) of incorrect privilege assignment directly enables unauthorized host filesystem access for reading/modifying data.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-22908 (same product: Sick Tdc-X401Gl)
CVE-2026-22918 (same product: Sick Tdc-X401Gl)
CVE-2026-22909 (same product: Sick Tdc-X401Gl)
CVE-2026-22911 (same product: Sick Tdc-X401Gl)
CVE-2026-22910 (same product: Sick Tdc-X401Gl)
CVE-2026-22917 (same product: Sick Tdc-X401Gl)
CVE-2026-1627 (same vendor: Sick)
CVE-2025-59461 (same vendor: Sick)
CVE-2026-22644 (same vendor: Sick)
CVE-2026-22646 (same vendor: Sick)

Affected Assets

Vendor: sick
Product: tdc-x401gl firmware
Affected versions: ≤ 1.4.0

Mitigating Controls (NIST 800-53 r5)

AC-6 Least Privilege (prevent)
Directly addresses CWE-266 incorrect privilege assignment by enforcing least privilege, preventing low-privilege attackers from gaining unauthorized host filesystem access.

AC-3 Access Enforcement (prevent)
Enforces access control policies to block unauthorized read and modification of host system data by unprivileged attackers.

SI-2 Flaw Remediation (prevent)
Mandates timely flaw remediation by patching the specific vulnerability that enables network-based unauthorized host filesystem access.
