CVE-2025-0867

9.9 CRITICAL

📋 TL;DR

This vulnerability allows standard users to execute commands with administrative privileges through stored credentials in the MEAC applications' run-as function. It affects systems using SICK industrial automation products where administrative credentials were stored for automatic startup. This enables privilege escalation from standard user to administrator level.

💻 Affected Systems

Products:
  • SICK industrial automation products with MEAC applications
Versions: Specific versions not detailed in CVE, but affected configurations where administrative credentials were stored
Operating Systems: Windows-based industrial control systems
Default Config Vulnerable: ⚠️ Yes
Notes: Affects systems configured to store administrator credentials for automatic startup functionality

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).

Recommended Actions:
  1. Review the CVE details at NVD
  2. Check vendor security advisories for your specific version
  3. Test if the vulnerability is exploitable in your environment
  4. Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise where attackers gain full administrative control, potentially disrupting industrial operations, stealing sensitive data, or deploying ransomware across the network.

🟠 Likely Case

Privilege escalation allowing attackers to modify system configurations, install malware, or access restricted areas of the industrial control system.

🟢 If Mitigated

Limited impact if proper network segmentation and access controls prevent standard users from accessing vulnerable interfaces.

🌐 Internet-Facing: MEDIUM - While industrial systems shouldn't be internet-facing, misconfigurations could expose this vulnerability to remote attackers.
🏢 Internal Only: HIGH - Standard users with network access to affected systems can exploit this vulnerability to gain administrative privileges.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Requires standard user access, but exploitation is straightforward once that access is obtained.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check vendor advisory for specific patched versions

Vendor Advisory: https://sick.com/psirt

Restart Required: Yes

Instructions:

  1. Review SICK security advisory SCA-2025-0001
  2. Apply recommended patches or updates
  3. Remove stored administrative credentials
  4. Restart affected systems

🔧 Temporary Workarounds

Remove stored credentials (platform: windows)

  • Remove administrator credentials stored for automatic startup functionality
  • Review and clear stored credentials in MEAC application configuration

Restrict user access (platform: all)

  • Limit standard user access to systems running MEAC applications
  • Implement least privilege access controls for EPC2 users

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate affected systems
  • Enable detailed logging and monitoring for privilege escalation attempts

🔍 How to Verify

Check if Vulnerable:

Check if MEAC applications are configured with stored administrator credentials for automatic startup

Check Version:

Check system documentation or contact SICK support for version verification

Verify Fix Applied:

Verify that stored credentials have been removed and standard users cannot execute commands with administrative privileges

📡 Detection & Monitoring

Log Indicators:

  • Unusual privilege escalation attempts
  • Standard users executing administrative commands
  • MEAC application running with elevated privileges

Network Indicators:

  • Unexpected administrative access from standard user accounts
  • Anomalous command execution patterns

SIEM Query:

EventID=4688 AND SubjectUserName="EPC2" AND (NewProcessName contains "runas" OR NewProcessName contains "admin")
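
Why the two NewProcessName terms in the query above must be parenthesised and each bound to the field, shown as an added example (not part of the original page or a vendor script). The events are constructed, and the reading of the ungrouped form (OR binding looser than AND, a bare "admin" treated as a free-text term) is an assumption about how a SIEM might parse it.

```python
# Added example: evaluate the page's SIEM query over exported process-creation events.
# Field names come from the query above; every event below is constructed.
WATCHED_USER = "EPC2"            # standard account named on the page
NEEDLES = ("runas", "admin")     # substrings the page's query looks for

SAMPLE_EVENTS = [
    {"EventID": 4688, "SubjectUserName": "EPC2",
     "NewProcessName": r"C:\Windows\System32\runas.exe"},
    {"EventID": 4688, "SubjectUserName": "EPC2",
     "NewProcessName": r"C:\Windows\System32\notepad.exe"},
    {"EventID": 4688, "SubjectUserName": "svc_backup",
     "NewProcessName": r"C:\Tools\admin_report.exe"},
    {"EventID": 4624, "TargetUserName": "Administrator"},
    {"EventID": 4688, "SubjectUserName": "epc2",
     "NewProcessName": r"C:\Program Files\Vendor\AdminTool.exe"},
    {"EventID": 4688, "SubjectUserName": "EPC2"},   # NewProcessName missing
]

def _field(event, name):
    """Return a field as lower-case text; a missing field becomes ''."""
    return str(event.get(name, "")).lower()

def _base(event):
    """EventID=4688 AND SubjectUserName="EPC2" (user compared case-insensitively)."""
    return event.get("EventID") == 4688 and \
        _field(event, "SubjectUserName") == WATCHED_USER.lower()

def grouped_match(event):
    """... AND (NewProcessName contains "runas" OR NewProcessName contains "admin")"""
    return _base(event) and any(n in _field(event, "NewProcessName") for n in NEEDLES)

def ungrouped_match(event):
    """Assumed reading of the ungrouped form: (... contains "runas") OR free-text "admin"."""
    strict = _base(event) and "runas" in _field(event, "NewProcessName")
    free_text = any("admin" in str(v).lower() for v in event.values())
    return strict or free_text

def hits(matcher, events=SAMPLE_EVENTS):
    """Indexes of the events a matcher flags."""
    return [i for i, e in enumerate(events) if matcher(e)]

def noise(events=SAMPLE_EVENTS):
    """Events only the ungrouped form flags: alerts unrelated to the watched user."""
    return sorted(set(hits(ungrouped_match, events)) - set(hits(grouped_match, events)))

if __name__ == "__main__":
    print("grouped:  ", hits(grouped_match))
    print("ungrouped:", hits(ungrouped_match))
    print("noise:    ", noise())
```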
