Cyber Resilience

CVE-2026-2331

Critical

Published: 06 March 2026
Modified: 09 March 2026
CISA KEV: not listed
CVSS v3.1 base score: 9.8 (Critical), vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.0089 (54.6th percentile)
Risk Priority: 70 (site score: floored blend, peak EPSS)

Summary

CVE-2026-2331 is a critical-severity Files or Directories Accessible to External Parties (CWE-552) vulnerability in SICK products built on the AppEngine environment (vendor inferred from the references; NVD has not filed a CPE for this CVE). Its CVSS v3.1 base score is 9.8 (Critical).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). Its EPSS score of 0.0089 sits in the 54.6th percentile, i.e. in the top 45.4% of CVEs by predicted exploit likelihood, and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SC-14 (Public Access Protections).

Deeper analysis

CVE-2026-2331 is an improper-access-restriction flaw (CWE-552) in the AppEngine Fileaccess feature served over HTTP. A critical filesystem directory is unintentionally exposed through that feature, so unauthenticated clients can read and write sensitive areas, among them the device parameter files and the custom application directory. It affects SICK products that run the AppEngine environment. The issue carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and was published on 2026-03-06.

Any unauthenticated attacker with network access to the device's HTTP file-access interface can exploit this vulnerability. Successful exploitation allows reading and modifying application settings, including customer-defined passwords stored in device parameter files. Because the custom application directory is also exposed, an attacker who can write to it may get arbitrary Lua code executed within the sandboxed AppEngine environment, potentially leading to full compromise of the affected device.

SICK has issued advisories detailing mitigation, available in CSAF format at sca-2026-0006.json and the corresponding PDF. Additional guidance appears in SICK's operating guidelines for cybersecurity. General ICS recommended practices from CISA may also apply.


Vulnerability details

An attacker may perform unauthenticated read and write operations on sensitive filesystem areas via the AppEngine Fileaccess over HTTP due to improper access restrictions. A critical filesystem directory was unintentionally exposed through the HTTP-based file access feature, allowing access without authentication. This includes device parameter files, enabling an attacker to read and modify application settings, including customer-defined passwords. Additionally, exposure of the custom application directory may allow execution of arbitrary Lua code within the sandboxed AppEngine environment.
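To make the weakness concrete, here is an added illustration of the CWE-552 pattern in Python. It is not SICK's code and is not taken from the advisory: the directory layout (/public, /private/params, /private/apps), the session-token check and the sample requests are all assumptions chosen for the demonstration. The "before" handler is the condition the advisory describes, a traversal guard applied against the wrong root so that the whole filesystem, parameter files and Lua application directory included, is served with no credential. The "after" handler percent-decodes and canonicalises the path, serves only the intended public root, refuses the parameter and custom-application directories outright, and requires authentication for every read and write.

```python
"""Constructed illustration of the CWE-552 pattern behind CVE-2026-2331.

Not SICK's AppEngine code. Directory names, token values and request
shapes are assumptions chosen for the demonstration.
"""
from pathlib import PurePosixPath
from typing import Optional, Tuple
from urllib.parse import unquote

# Assumed device filesystem layout (not SICK's).
PUBLIC_ROOT = PurePosixPath("/public")            # what Fileaccess should serve
DEVICE_PARAMS = PurePosixPath("/private/params")  # parameter files, incl. passwords
CUSTOM_APPS = PurePosixPath("/private/apps")      # Lua apps loaded by AppEngine

# Assumed session store; a real device would validate a server-side session.
VALID_TOKENS = {"s3cr3t-session"}

Decision = Tuple[bool, str]


def canonical(requested: str) -> PurePosixPath:
    """Percent-decode, then collapse '.', '..' and empty segments into an
    absolute path without touching the filesystem. Decoding first means
    '%2e%2e' is treated as '..' instead of slipping past a prefix test.
    Double-encoding is deliberately not handled here; reject it upstream."""
    parts: list = []
    for seg in unquote(requested).split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if parts:
                parts.pop()
            continue
        parts.append(seg)
    return PurePosixPath("/", *parts)


def is_within(target: PurePosixPath, root: PurePosixPath) -> bool:
    """True if target is root itself or lies below it."""
    return target == root or root in target.parents


def vulnerable_fileaccess(method: str, path: str,
                          token: Optional[str] = None) -> Decision:
    """Before: the traversal guard is sound but applied to '/', and no
    credential is consulted. Every file on the device, parameter files and
    Lua apps included, is readable and writable by anyone on the network."""
    target = canonical(path)
    if not is_within(target, PurePosixPath("/")):
        return False, f"{target}: outside served root"
    return True, f"{method} {target}: served without authentication"


def hardened_fileaccess(method: str, path: str,
                        token: Optional[str] = None) -> Decision:
    """After: only the public root is served, the sensitive directories are
    refused even if the root is later widened, and every request, read or
    write, must carry a valid session token."""
    if method not in ("GET", "PUT"):
        return False, f"{method}: method not allowed"
    target = canonical(path)
    for private in (DEVICE_PARAMS, CUSTOM_APPS):
        if is_within(target, private):
            return False, f"{target}: protected area {private}"
    if not is_within(target, PUBLIC_ROOT):
        return False, f"{target}: outside served root {PUBLIC_ROOT}"
    if token not in VALID_TOKENS:
        return False, f"{target}: authentication required"
    return True, f"{method} {target}: authorised"


# Constructed requests: the cases that matter for this CVE plus a benign one.
SAMPLE_REQUESTS = [
    ("GET", "/private/params/device.cfg", None),                 # read stored passwords
    ("PUT", "/private/apps/main.lua", None),                     # plant Lua for AppEngine
    ("GET", "/public/%2e%2e/private/params/device.cfg", None),   # encoded traversal
    ("GET", "/public/manual.pdf", "s3cr3t-session"),             # legitimate use
]


def compare(requests=SAMPLE_REQUESTS):
    """Return [((method, path), before_allowed, after_allowed)] per request."""
    rows = []
    for method, path, token in requests:
        before, _ = vulnerable_fileaccess(method, path, token)
        after, _ = hardened_fileaccess(method, path, token)
        rows.append(((method, path), before, after))
    return rows


if __name__ == "__main__":
    for (method, path), before, after in compare():
        print(f"{method:4} {path:45} before={'allow' if before else 'deny '} "
              f"after={'allow' if after else 'deny'}")
```

Run it directly to see the decision each handler makes for the same requests. The encoded-traversal case shows why percent-decoding has to happen before any prefix check, and the explicit denylist in the hardened handler is defence in depth: it keeps the parameter and Lua directories out of reach even if an operator later widens the served root.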

CWE(s)

CWE-552 Files or Directories Accessible to External Parties

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.011 Command and Scripting Interpreter: Lua (Execution)
Adversaries may abuse Lua commands and scripts for execution.
T1005 Data from Local System (Collection)
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.
Why these techniques?

Direct unauthenticated remote exploitation of public-facing AppEngine file access (T1190) enabling arbitrary Lua code execution (T1059.011) and reading sensitive local files/credentials (T1005).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-35446 (shared CWE-552)
CVE-2025-26525 (shared CWE-552)
CVE-2026-34392 (shared CWE-552)
CVE-2025-69428 (shared CWE-552)
CVE-2024-12917 (shared CWE-552)
CVE-2025-11371 (shared CWE-552)
CVE-2024-48864 (shared CWE-552)
CVE-2018-25164 (shared CWE-552)
CVE-2026-39871 (shared CWE-552)
CVE-2024-11629 (shared CWE-552)

Affected Assets

Sick (vendor inferred from references and description; NVD did not file a CPE for this CVE)

Mitigating Controls (NIST 800-53 r5)

Prevent: AC-3 (Access Enforcement) enforces approved authorizations for access to system resources, directly preventing unauthenticated read and write operations on the sensitive filesystem areas exposed via the HTTP Fileaccess feature. For this CVE that means every file-access request, read or write, must be tied to an authenticated and authorized identity, and the served root must not include device parameter files or the custom application directory.

Prevent: SC-14 (Public Access Protections) requires protections such as strong authentication for systems that are publicly accessible over HTTP, mitigating the unintentional exposure of the critical filesystem directory without authentication. Note that SC-14 was withdrawn from SP 800-53 in Revision 4 and remains withdrawn in r5, its content having been incorporated into other controls (AC-2, AC-3, AC-5, AC-6 and several SI controls); in an r5 control mapping the requirement is better recorded under AC-3 and AC-6 than under SC-14.

Prevent: SC-7 (Boundary Protection) monitors and controls communications at external boundaries, blocking unauthorized network access to the vulnerable AppEngine Fileaccess HTTP endpoint. Until the vendor's mitigation is applied, restricting the device's HTTP interface to trusted engineering networks removes the network-reachable (AV:N) precondition for remote exploitation.
