
CVE-2026-2330 (Critical)

Published: 06 March 2026

Modified: 09 March 2026
CVSS Score v3.1: 9.4 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H)
EPSS Score: 0.0066 (47.0th percentile)
Risk Priority: 70 (floored blend · peak EPSS)

Summary

CVE-2026-2330 is a critical-severity Files or Directories Accessible to External Parties (CWE-552) vulnerability in Sick (inferred from references). Its CVSS base score is 9.4 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). Its EPSS score places it at the 47.0th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-3 (Access Enforcement).

Deeper analysis

CVE-2026-2330 affects the CROWN REST interface on SICK devices and stems from incomplete whitelist enforcement, classified under CWE-552. The flaw exposes restricted filesystem areas, including certain directories intended for internal testing, without requiring authentication. Published on 2026-03-06, the vulnerability carries a CVSS v3.1 base score of 9.4 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H): critical severity, reachable over the network, with no privileges or user interaction needed.

An unauthenticated attacker with network access to the device can exploit the vulnerability by placing a manipulated parameter file into one of the exposed directories via the REST interface. On the next device reboot the file becomes active, allowing the attacker to modify critical settings, including network configuration and application parameters, with consequences for both integrity and availability.

SICK's advisory SCA-2026-0006, available in JSON and PDF formats, together with SICK's cybersecurity operating guidelines document, provides details on mitigations. Additional guidance appears in CISA's ICS recommended practices resource.
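As an added illustration (not code from SICK, from the advisory, or from this record), the Python below sketches the CWE-552 failure mode the analysis describes: a file-access check that only enumerates the paths it protects lets through any directory it forgot, whereas a deny-by-default allowlist evaluated on canonicalized paths does not. The directory names, the two check functions and the request shape are constructed assumptions for the example, not the CROWN interface's actual layout or logic.

```python
import posixpath

# Hypothetical device filesystem layout (constructed for this example, not SICK's).
PUBLIC_READ_ROOTS = ("/data/public",)      # readable by anyone
AUTH_WRITE_ROOTS = ("/data/config",)       # writable only by authenticated users


def canonicalize(path: str) -> str:
    """Collapse '.', '..' and repeated slashes so checks see the real target path."""
    if not path.startswith("/"):
        raise ValueError("absolute path required")
    normalized = posixpath.normpath(path)
    # normpath keeps a leading '//'; fold it so prefix checks behave.
    return "/" + normalized.lstrip("/")


def _under(path: str, root: str) -> bool:
    """True if path is root itself or lies strictly inside root (no 'publicX' matches)."""
    root = root.rstrip("/")
    return path == root or path.startswith(root + "/")


def flawed_check(path: str, method: str, authenticated: bool) -> bool:
    """Enumerates the directories it knows need protection and allows everything else.
    A directory added later (here an internal test area) is silently exposed."""
    restricted = ("/data/config", "/etc")
    target = canonicalize(path)
    if method == "PUT" and not authenticated and any(_under(target, r) for r in restricted):
        return False
    return True  # fall-through allow: the CWE-552 failure mode


def hardened_check(path: str, method: str, authenticated: bool) -> bool:
    """Deny by default: a request is permitted only when its canonical path lies
    under a root explicitly allowed for that method and authentication state."""
    target = canonicalize(path)
    if method == "GET":
        roots = PUBLIC_READ_ROOTS + (AUTH_WRITE_ROOTS if authenticated else ())
    elif method == "PUT":
        if not authenticated:
            return False  # no unauthenticated writes anywhere
        roots = AUTH_WRITE_ROOTS
    else:
        return False  # unknown methods are denied rather than ignored
    return any(_under(target, r) for r in roots)


def compare(requests):
    """Evaluate constructed requests under both checks; useful for review or regression tests."""
    return [(p, m, a, flawed_check(p, m, a), hardened_check(p, m, a)) for p, m, a in requests]


if __name__ == "__main__":
    # Constructed requests: (path, method, authenticated)
    sample = [
        ("/data/internal_test/params.xml", "PUT", False),   # forgotten directory
        ("/data/public/../config/net.xml", "PUT", False),   # traversal into config
        ("/data/config/net.xml", "PUT", True),              # legitimate authenticated write
        ("/data/public/readme.txt", "GET", False),          # legitimate public read
    ]
    for path, method, auth, flawed, hardened in compare(sample):
        print(f"{method:4} auth={auth!s:5} {path:35} flawed={flawed} hardened={hardened}")
```

The first sample line is the interesting one: the enumerating check allows an unauthenticated write into a directory it never listed, while the allowlist version denies it because no rule grants that path. Mapping the same decisions to a log line (method, canonical path, auth state, verdict) is also the simplest detection signal for unauthenticated write attempts against a device interface.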


Vulnerability details

An attacker may access restricted filesystem areas on the device via the CROWN REST interface due to incomplete whitelist enforcement. Certain directories intended for internal testing were not covered by the whitelist and are accessible without authentication. An unauthenticated attacker could place a manipulated parameter file that becomes active after a reboot, allowing modification of critical device settings, including network configuration and application parameters.

CWE(s)

CWE-552 Files or Directories Accessible to External Parties

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1105 Ingress Tool Transfer (Command and Control): Adversaries may transfer tools or other files from an external system into a compromised environment.
T1565.001 Stored Data Manipulation (Impact): Adversaries may insert, delete, or manipulate data at rest in order to influence external outcomes or hide activity, thus threatening the integrity of the data.
Why these techniques?

The vulnerability is reached through a public-facing REST interface (T1190), which permits unauthenticated file placement on the device (T1105); the manipulated parameter file then alters critical settings when the device reboots (T1565.001).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2024-48864 (shared CWE-552)
CVE-2020-37082 (shared CWE-552)
CVE-2019-25709 (shared CWE-552)
CVE-2026-35446 (shared CWE-552)
CVE-2026-31216 (shared CWE-552)
CVE-2025-26525 (shared CWE-552)
CVE-2025-41240 (shared CWE-552)
CVE-2026-34361 (shared CWE-552)
CVE-2026-34392 (shared CWE-552)
CVE-2026-33698 (shared CWE-552)

Affected Assets

Sick (inferred from references and description; NVD did not file a CPE for this CVE)

Mitigating Controls (NIST 800-53 r5) (AI)

prevent: AC-3 enforces approved authorizations for access to system resources, directly mitigating the incomplete whitelist enforcement that exposed restricted filesystem directories via the unauthenticated REST interface.

prevent: AC-14 explicitly identifies and limits permitted actions without identification or authentication, preventing unauthorized access to internal testing directories intended to be restricted.

prevent: AC-6 applies least privilege to restrict access to only necessary resources, addressing the exposure of non-essential internal directories through the REST interface.
