CVE-2025-27461

7.6 HIGH

📋 TL;DR

This vulnerability allows automatic login to the EPC2 Windows user account without password authentication during device startup. It affects industrial control systems and devices from SICK AG that use this default configuration, potentially exposing them to unauthorized access.

💻 Affected Systems

Products:
  • SICK AG industrial devices with EPC2 Windows user configuration
Versions: Specific versions not provided in CVE details
Operating Systems: Windows-based industrial control systems
Default Config Vulnerable: ⚠️ Yes
Notes: Affects devices configured with automatic EPC2 user login during startup. Industrial control systems in manufacturing, logistics, and automation sectors are particularly vulnerable.

📦 What is this software?

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).


Recommended Actions:
  1. Review the CVE details at NVD
  2. Check vendor security advisories for your specific version
  3. Test if the vulnerability is exploitable in your environment
  4. Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴

Worst Case

An attacker gains physical or remote access to the device, logs in as EPC2 user without credentials, and can execute arbitrary code, modify configurations, or disrupt industrial operations.

🟠

Likely Case

Unauthorized users with physical access or network connectivity can gain administrative privileges on affected devices, leading to configuration changes, data theft, or operational disruption.

🟢

If Mitigated

With proper network segmentation and physical security controls, the impact is limited to isolated systems with minimal operational disruption.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires physical access or network connectivity to the device. The automatic login feature eliminates authentication requirements.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Not specified

Vendor Advisory: https://sick.com/psirt

Restart Required: Yes

Instructions:

1. Contact SICK AG PSIRT for specific remediation guidance.
2. Check the vendor advisory for configuration updates.
3. Apply the recommended security configurations.
4. Restart affected devices after the changes.

🔧 Temporary Workarounds

Disable Automatic Login (Windows)

Configure the device to require password authentication for the EPC2 user during startup.

Specific commands not provided - refer to the SICK device documentation.

Change Default Credentials (Windows)

Set a strong, unique password for the EPC2 user account:

net user EPC2 <new_password>

🧯 If You Can't Patch

  • Implement strict physical access controls to prevent unauthorized device access
  • Segment affected devices on isolated networks with firewall rules blocking unnecessary connections

🔍 How to Verify

Check if Vulnerable:

Check if device automatically logs in EPC2 user without password prompt during startup. Review system configuration for automatic login settings.

Check Version:

Contact SICK AG for device-specific version checking procedures

Verify Fix Applied:

Verify that password authentication is required for EPC2 user login during device startup. Test login attempts without credentials.
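The following PowerShell function is an added example for the "Disable Automatic Login" workaround and the verification steps above; it is not SICK AG code and is not taken from the advisory. It assumes the device uses the stock Windows Winlogon automatic-logon mechanism (the AutoAdminLogon, DefaultUserName and DefaultPassword values under the Winlogon registry key); a vendor-specific autologon tool may keep its settings elsewhere, so a clean result is not proof that the device is unaffected. Two practical caveats: a device whose HMI or control application is launched by the autologon session may stop operating normally once the setting is turned off, so try the change on a non-production unit first; and changing the EPC2 password with `net user` while AutoAdminLogon still holds the old DefaultPassword simply breaks the automatic logon and leaves the old password in the registry, so clear both.

```powershell
# Added example for CVE-2025-27461 (not SICK AG code): inspect the standard
# Windows Winlogon automatic-logon values and report whether the EPC2 account
# would be signed in at startup with no password prompt. Optionally turn it off.
# Assumption: the device relies on the stock AutoAdminLogon mechanism.

function Test-Epc2AutoLogon {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string]$Account = 'EPC2',   # account named in the advisory
        [switch]$Disable             # also turn automatic logon off
    )

    $winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $p = Get-ItemProperty -Path $winlogon -ErrorAction Stop

    $autoLogon   = [string]$p.AutoAdminLogon      # '1' = automatic logon enabled
    $defaultUser = [string]$p.DefaultUserName     # account that gets signed in
    $plainPw     = $null -ne $p.DefaultPassword   # password stored in plain text

    $enabled = ($autoLogon -eq '1') -and ($defaultUser -ieq $Account)

    $result = [pscustomobject]@{
        AutoAdminLogon              = $autoLogon
        DefaultUserName             = $defaultUser
        PlaintextPasswordInRegistry = $plainPw
        AutoLogonCount              = $p.AutoLogonCount   # optional limit on how many boots autologon fires
        AccountAutoLogonEnabled     = $enabled
    }

    if ($enabled) {
        Write-Warning "$Account is configured for automatic logon at startup (CVE-2025-27461 condition present)."
    }
    # Sysinternals Autologon stores the password as an LSA secret instead of in
    # DefaultPassword, so PlaintextPasswordInRegistry = False does not mean that
    # no password is stored on the device.

    if ($Disable -and $enabled -and $PSCmdlet.ShouldProcess($winlogon, 'Disable AutoAdminLogon')) {
        Set-ItemProperty -Path $winlogon -Name AutoAdminLogon -Value '0'
        if ($plainPw) { Remove-ItemProperty -Path $winlogon -Name DefaultPassword }
        $result.AccountAutoLogonEnabled = $false
    }

    return $result
}

# Usage (run elevated on the device):
#   Test-Epc2AutoLogon                   # report only
#   Test-Epc2AutoLogon -Disable -WhatIf  # preview the change
#   Test-Epc2AutoLogon -Disable          # require a password at the next boot
```

After running with -Disable, restart the device (the advisory notes a restart is required) and confirm that the console now stops at the credential prompt instead of opening the EPC2 session; rerunning the function should then report AccountAutoLogonEnabled = False.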

📡 Detection & Monitoring

Log Indicators:

  • Successful interactive logons of the EPC2 account (Event ID 4624) immediately after device startup, with no preceding credential prompt or failed attempt
  • Multiple failed login attempts followed by successful EPC2 login
  • Unusual login times or patterns for EPC2 account

Network Indicators:

  • Unexpected RDP or administrative protocol connections to affected devices
  • Network traffic from devices during non-operational hours

SIEM Query:

source="windows-security" EventID=4624 AccountName="EPC2" LogonType=2 | table _time, host, LogonType, AuthenticationPackage

Logon type 2 is an interactive (console) logon, which is what an automatic startup logon produces; correlate hits with device boot times, since an EPC2 console logon that appears on every boot within seconds of startup indicates the automatic login is still active.
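As an added example of the log indicator described above (not code from the advisory or from SICK AG), the following PowerShell function reads the local Security log and lists interactive logons of the EPC2 account that land within a few minutes of a system start, which is the trace an automatic logon leaves. It uses System log Event ID 6005 (Event Log service started) as the boot marker and Security Event ID 4624 for successful logons; the account name, window and lookback period are parameters. It must run elevated on the device; the same XML parsing works on forwarded events that keep the original event XML.

```powershell
# Added example (not from the advisory): find interactive (LogonType 2) logons
# of the EPC2 account occurring shortly after each boot, the pattern an
# automatic startup logon leaves in the Windows Security log.

function Find-StartupLogon {
    param(
        [string]$Account = 'EPC2',
        [int]$BootWindowMinutes = 5,
        [int]$Days = 30
    )
    $since = (Get-Date).AddDays(-$Days)

    # System log Event ID 6005 ("The Event log service was started") marks each boot.
    $boots = @(Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 6005; StartTime = $since } -ErrorAction SilentlyContinue |
               ForEach-Object { $_.TimeCreated })

    # Security 4624 = successful logon; pull the needed fields out of the event XML.
    $logons = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            [pscustomobject]@{
                Time        = $_.TimeCreated
                User        = $d['TargetUserName']
                LogonType   = [int]$d['LogonType']           # 2 = Interactive (console)
                AuthPackage = $d['AuthenticationPackageName']
                Process     = $d['ProcessName']              # winlogon.exe for a Winlogon-driven logon
            }
        } |
        Where-Object { $_.User -ieq $Account -and $_.LogonType -eq 2 }

    foreach ($l in $logons) {
        # Match each console logon to the boot it directly follows, if any.
        $boot = $boots |
            Where-Object { $_ -le $l.Time -and $l.Time -le $_.AddMinutes($BootWindowMinutes) } |
            Select-Object -First 1
        if ($boot) {
            [pscustomobject]@{
                BootTime         = $boot
                LogonTime        = $l.Time
                SecondsAfterBoot = [int]($l.Time - $boot).TotalSeconds
                AuthPackage      = $l.AuthPackage
                Process          = $l.Process
            }
        }
    }
}

# Usage (elevated): Find-StartupLogon | Format-Table
```

A hit on every boot, a few seconds after startup, with winlogon.exe as the logon process, means the device is still signing EPC2 in automatically. A manual logon by an operator shortly after boot will also fall inside the window, so treat single hits as something to confirm against the registry check rather than as proof by themselves.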
