CVE-2025-27595
📋 TL;DR
This vulnerability allows attackers to easily calculate matching passwords due to weak hashing algorithms used by SICK DL100 devices. This compromises device security and integrity, affecting industrial control systems using these devices.
💻 Affected Systems
- SICK DL100
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete device takeover leading to industrial process manipulation, data theft, or physical damage in industrial environments.
Likely Case
Unauthorized access to device configuration and control, potentially disrupting operations or enabling further attacks.
If Mitigated
Limited impact if strong network segmentation and access controls prevent attacker access to authentication mechanisms.
🎯 Exploit Status
Weak hashing algorithms allow offline password cracking without authentication. Attackers only need access to password hashes.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Firmware version 1.0.0.27R
Vendor Advisory: https://sick.com/psirt
Restart Required: Yes
Instructions:
1. Download firmware 1.0.0.27R from SICK support portal. 2. Backup device configuration. 3. Apply firmware update via web interface or management tool. 4. Restart device. 5. Verify firmware version and change all passwords.
🔧 Temporary Workarounds
Network Segmentation
allIsolate DL100 devices in separate network segments with strict firewall rules.
Access Control Lists
allImplement strict IP-based access controls to limit who can reach the device management interfaces.
🧯 If You Can't Patch
- Implement multi-factor authentication for device access if supported
- Monitor authentication logs for brute force attempts and unusual access patterns
🔍 How to Verify
Check if Vulnerable:
Check firmware version via web interface or CLI. Versions below 1.0.0.27R are vulnerable.Check Version:
Check via web interface at /status or use device management softwareVerify Fix Applied:
Confirm firmware version is 1.0.0.27R or higher and test password hashing with known weak passwords.📡 Detection & Monitoring
Log Indicators:
- Multiple failed authentication attempts
- Successful logins from unusual IP addresses
- Password change events
Network Indicators:
- Unusual traffic to device management ports (typically 80/443)
- Authentication protocol anomalies
SIEM Query:
source="dl100" AND (event_type="authentication" AND result="failure" AND count>10) OR (event_type="authentication" AND src_ip NOT IN allowed_ips)🔗 References
- https://cdn.sick.com/media/docs/1/11/411/Special_information_CYBERSECURITY_BY_SICK_en_IM0084411.PDF
- https://github.security.telekom.com/2025/03/multiple-vulnerabilities-in-sick-dl100.html
- https://sick.com/psirt
- https://www.cisa.gov/resources-tools/resources/ics-recommended-practices
- https://www.first.org/cvss/calculator/3.1
- https://www.sick.com/.well-known/csaf/white/2025/sca-2025-0004.json
- https://www.sick.com/.well-known/csaf/white/2025/sca-2025-0004.pdf
