CVE-2026-2331
Published: 06 March 2026
Summary
CVE-2026-2331 is a critical-severity Files or Directories Accessible to External Parties (CWE-552) vulnerability in Sick (inferred from references). Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). Its exploit likelihood ranks in the 17.3 percentile (below the median), and it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SC-14 (Public Access Protections).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
AC-3 enforces approved authorizations for access to system resources, directly preventing unauthenticated read and write operations on sensitive filesystem areas exposed via the HTTP fileaccess feature.
SC-14 requires protections such as strong authentication for publicly accessible systems over HTTP, mitigating the unintentional exposure of the critical filesystem directory without authentication.
SC-7 monitors and controls communications at external boundaries, blocking unauthorized network access to the vulnerable AppEngine Fileaccess HTTP endpoint.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The flaw permits direct unauthenticated remote exploitation of the public-facing AppEngine file access feature (T1190), which in turn enables arbitrary Lua code execution (T1059.011) and the reading of sensitive local files and credentials (T1005).
NVD Description
An attacker may perform unauthenticated read and write operations on sensitive filesystem areas via the AppEngine Fileaccess over HTTP due to improper access restrictions. A critical filesystem directory was unintentionally exposed through the HTTP-based file access feature, allowing access without authentication. This includes device parameter files, enabling an attacker to read and modify application settings, including customer-defined passwords. Additionally, exposure of the custom application directory may allow execution of arbitrary Lua code within the sandboxed AppEngine environment.
Deeper analysis
CVE-2026-2331 is a vulnerability in the AppEngine Fileaccess feature over HTTP, stemming from improper access restrictions (CWE-552). A critical filesystem directory is unintentionally exposed, enabling unauthenticated read and write operations on sensitive areas, including device parameter files and custom application directories. The issue affects SICK products that use the AppEngine environment. It carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and was published on 2026-03-06.
Any unauthenticated attacker with network access can exploit this vulnerability. Successful exploitation allows reading and modifying application settings, such as customer-defined passwords stored in device parameter files. Additionally, exposure of the custom application directory permits execution of arbitrary Lua code within the sandboxed AppEngine environment, potentially leading to full compromise of affected devices.
SICK has issued advisories detailing mitigation, available in CSAF format at sca-2026-0006.json and the corresponding PDF. Additional guidance appears in SICK's operating guidelines for cybersecurity. General ICS recommended practices from CISA may also apply.
Details
- CWE(s)