CVE-2025-49196
📋 TL;DR
This vulnerability involves a service supporting deprecated and unsafe TLS versions, potentially allowing attackers to intercept or manipulate sensitive communications. It affects devices running vulnerable software configurations that haven't disabled older TLS protocols.
💻 Affected Systems
- SICK industrial devices and systems
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of device communications leading to data theft, unauthorized control, or identity spoofing of legitimate users/devices.
Likely Case
Man-in-the-middle attacks intercepting sensitive data or modifying communications between devices and management systems.
If Mitigated
Limited impact with proper network segmentation and monitoring, though outdated TLS still presents some risk.
🎯 Exploit Status
Exploitation requires network access to the vulnerable service; TLS downgrade attacks are well documented and tooling exists.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check vendor advisory for specific fixed versions
Vendor Advisory: https://sick.com/psirt
Restart Required: Yes
Instructions:
1. Check vendor advisory for affected products and fixed firmware versions
2. Download and apply firmware updates from SICK support portal
3. Restart affected devices after update
4. Verify TLS configuration post-update
🔧 Temporary Workarounds
- Disable deprecated TLS versions: configure the service to accept only TLS 1.2 or higher. Configuration commands are device-specific; refer to the product documentation.
- Network segmentation and access control: restrict network access to vulnerable devices.
🧯 If You Can't Patch
- Implement network-level TLS inspection/termination using modern TLS versions
- Isolate vulnerable devices in separate network segments with strict access controls
🔍 How to Verify
Check if Vulnerable:
Use tools such as Nmap with the ssl-enum-ciphers script, or OpenSSL s_client, to test which TLS protocol versions the service accepts
Check Version:
Device-specific command; check product documentation or web interface
Verify Fix Applied:
Re-test with the same TLS scanning tools to confirm that only TLS 1.2 or higher is offered
📡 Detection & Monitoring
Log Indicators:
- TLS handshake failures
- Protocol version negotiation logs showing older TLS versions
Network Indicators:
- TLS protocol downgrade attempts
- Unusual traffic patterns to industrial device ports
SIEM Query:
source="network_traffic" tls.version IN ("TLSv1", "TLSv1.1") dest_ip="industrial_device_subnet"
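The SIEM query above expressed as a standalone hunt, as an added example that is not part of the original advisory: it runs the same two conditions (legacy TLS version, destination inside the industrial device subnet) over constructed sample flow records. The JSON field names, the subnet 10.20.100.0/24 and the sample addresses are assumptions for illustration.

```python
import ipaddress
import json

# Constructed sample flow records (not real traffic): one JSON object per TLS
# session, in the shape a network sensor might export to a SIEM.
SAMPLE_FLOWS = """\
{"src_ip": "10.20.5.14", "dest_ip": "10.20.100.7", "dest_port": 443, "tls.version": "TLSv1"}
{"src_ip": "10.20.5.14", "dest_ip": "10.20.100.7", "dest_port": 443, "tls.version": "TLSv1.2"}
{"src_ip": "10.20.5.22", "dest_ip": "10.20.100.9", "dest_port": 8443, "tls.version": "TLSv1.1"}
{"src_ip": "10.20.5.22", "dest_ip": "192.168.1.50", "dest_port": 443, "tls.version": "TLSv1"}
{"src_ip": "10.20.5.30", "dest_ip": "10.20.100.12", "dest_port": 443, "tls.version": "TLSv1.3"}
"""

# Versions the advisory treats as deprecated; sensors spell TLS 1.0 inconsistently,
# so both "TLSv1" and "TLSv1.0" are matched.
LEGACY_VERSIONS = {"SSLv3", "TLSv1", "TLSv1.0", "TLSv1.1"}


def flag_legacy_tls(flow_lines, device_subnet):
    """Return flows that negotiated a legacy TLS version to a host in device_subnet.

    device_subnet is a CIDR string (assumed here: "10.20.100.0/24"), standing in for
    the SIEM's dest_ip="industrial_device_subnet" condition.
    """
    subnet = ipaddress.ip_network(device_subnet, strict=False)
    hits = []
    for line in flow_lines.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        try:
            dest = ipaddress.ip_address(rec["dest_ip"])
        except (KeyError, ValueError):
            continue  # malformed record: skip it rather than abort the hunt
        if dest in subnet and rec.get("tls.version") in LEGACY_VERSIONS:
            hits.append(rec)
    return hits


def summarize(hits):
    """Count legacy sessions per (device, port, version) so the noisiest hosts surface first."""
    counts = {}
    for rec in hits:
        key = (rec["dest_ip"], rec["dest_port"], rec["tls.version"])
        counts[key] = counts.get(key, 0) + 1
    return sorted(counts.items(), key=lambda kv: -kv[1])


if __name__ == "__main__":
    for (ip, port, ver), n in summarize(flag_legacy_tls(SAMPLE_FLOWS, "10.20.100.0/24")):
        print(f"{ip}:{port} negotiated {ver} {n} time(s)")
```

Replace SAMPLE_FLOWS with an export from your sensor to run the same hunt on live data; a device that keeps appearing after the firmware update is a sign the TLS configuration was not actually changed.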
🔗 References
- https://cdn.sick.com/media/docs/1/11/411/Special_information_CYBERSECURITY_BY_SICK_en_IM0084411.PDF
- https://sick.com/psirt
- https://www.cisa.gov/resources-tools/resources/ics-recommended-practices
- https://www.first.org/cvss/calculator/3.1
- https://www.sick.com/.well-known/csaf/white/2025/sca-2025-0007.json
- https://www.sick.com/.well-known/csaf/white/2025/sca-2025-0007.pdf