Cyber Resilience

CVE-2026-22909

High

Published: 15 January 2026

Published
15 January 2026
Modified
23 January 2026
KEV Added
Patch
CVSS Score v3.1 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS Score 0.0051 39.4th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-22909 is a high-severity Improper Access Control (CWE-284) vulnerability in Sick Tdc-X401Gl Firmware. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Service Stop (T1489); ranked at the 39.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-3 (Access Enforcement).

Deeper analysis

CVE-2026-22909 is an improper access control vulnerability (CWE-284, CWE-863) affecting certain SICK products, where system functions can be accessed without proper authorization. This allows attackers to start, stop, or delete installed applications, potentially disrupting system operations. The vulnerability has a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), indicating high severity due to its network accessibility, low attack complexity, and significant availability impact with no requirements for privileges or user interaction.

Remote attackers require no authentication or privileges to exploit this vulnerability over the network. Successful exploitation enables denial-of-service effects by manipulating installed applications, such as stopping critical processes or deleting software components, which can halt system functionality and disrupt operations in affected environments.

SICK has published detailed advisories via its PSIRT page and specific CSAF documents, including sca-2026-0001 in JSON and PDF formats, outlining mitigation steps. Additional guidance appears in CISA's ICS recommended practices, with CVSS details available via the FIRST calculator.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

Certain system functions may be accessed without proper authorization, allowing attackers to start, stop, or delete installed applications, potentially disrupting system operations.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1489 Service Stop Impact
Adversaries may stop or disable services on a system to render those services unavailable to legitimate users.
Why these techniques?

Improper access control enables unauthenticated remote stopping/deletion of applications, directly facilitating Service Stop for availability impact.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-22918Same product: Sick Tdc-X401Gl
CVE-2026-22917Same product: Sick Tdc-X401Gl
CVE-2026-22911Same product: Sick Tdc-X401Gl
CVE-2026-22908Same product: Sick Tdc-X401Gl
CVE-2026-22910Same product: Sick Tdc-X401Gl
CVE-2026-22907Same product: Sick Tdc-X401Gl
CVE-2026-1627Same vendor: Sick
CVE-2025-59461Same vendor: Sick
CVE-2026-22646Same vendor: Sick
CVE-2026-1626Same vendor: Sick

Affected Assets

sick
tdc-x401gl firmware
all versions

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

AC-14 explicitly authorizes specific actions without identification or authentication, directly preventing unauthorized remote access to system functions for starting, stopping, or deleting applications.

prevent

AC-3 enforces approved authorizations for logical access to system resources, addressing the improper access control that allows unauthenticated manipulation of installed applications.

prevent

AC-6 applies least privilege to restrict disruptive actions on applications to only necessary authorized accesses, mitigating the vulnerability's lack of privilege checks.

References