{"dataType":"CVE_RECORD","dataVersion":"5.1","cveMetadata":{"cveId":"CVE-2025-49181","assignerOrgId":"a6863dd2-93fc-443d-bef1-79f0b5020988","state":"PUBLISHED","assignerShortName":"SICK AG","dateReserved":"2025-06-03T05:55:52.771Z","datePublished":"2025-06-12T13:14:07.750Z","dateUpdated":"2025-06-12T13:26:27.281Z"},"containers":{"cna":{"affected":[{"defaultStatus":"affected","product":"SICK Media Server","vendor":"SICK AG","versions":[{"status":"affected","version":"all versions","versionType":"custom"}]}],"descriptions":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"Due to missing authorization of an API endpoint, unauthorized users can send HTTP GET\nrequests to gather sensitive information. An attacker could also send HTTP POST requests to modify\nthe log files’ root path as well as the TCP ports the service is running on, leading to a Denial of Service\nattack."}],"value":"Due to missing authorization of an API endpoint, unauthorized users can send HTTP GET\nrequests to gather sensitive information. An attacker could also send HTTP POST requests to modify\nthe log files’ root path as well as the TCP ports the service is running on, leading to a Denial of Service\nattack."}],"metrics":[{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":8.6,"baseSeverity":"HIGH","confidentialityImpact":"LOW","integrityImpact":"LOW","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H","version":"3.1"},"format":"CVSS","scenarios":[{"lang":"en","value":"GENERAL"}]}],"problemTypes":[{"descriptions":[{"cweId":"CWE-862","description":"CWE-862 Missing Authorization","lang":"en","type":"CWE"}]}],"providerMetadata":{"orgId":"a6863dd2-93fc-443d-bef1-79f0b5020988","shortName":"SICK AG","dateUpdated":"2025-06-12T13:14:07.750Z"},"references":[{"tags":["x_SICK PSIRT Website"],"url":"https://sick.com/psirt"},{"tags":["x_SICK Operating Guidelines"],"url":"https://cdn.sick.com/media/docs/1/11/411/Special_information_CYBERSECURITY_BY_SICK_en_IM0084411.PDF"},{"tags":["x_ICS-CERT recommended practices on Industrial Security"],"url":"https://www.cisa.gov/resources-tools/resources/ics-recommended-practices"},{"tags":["x_CVSS v3.1 Calculator"],"url":"https://www.first.org/cvss/calculator/3.1"},{"tags":["vendor-advisory"],"url":"https://www.sick.com/.well-known/csaf/white/2025/sca-2025-0007.pdf"},{"tags":["vendor-advisory","x_csaf"],"url":"https://www.sick.com/.well-known/csaf/white/2025/sca-2025-0007.json"}],"source":{"advisory":"sca-2025-0007","discovery":"INTERNAL"},"title":"Configurations endpoint does not require authorization","workarounds":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"It is possible to enable the authorization of the API endpoint via licence. Please contact your support to get a licence with API authorization enabled."}],"value":"It is possible to enable the authorization of the API endpoint via licence. Please contact your support to get a licence with API authorization enabled."}],"x_generator":{"engine":"Vulnogram 0.2.0"}},"adp":[{"metrics":[{"other":{"type":"ssvc","content":{"timestamp":"2025-06-12T13:26:19.257027Z","id":"CVE-2025-49181","options":[{"Exploitation":"none"},{"Automatable":"yes"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2025-06-12T13:26:27.281Z"}}]}}