CVE-2025-49199
📋 TL;DR
This vulnerability allows attackers to modify unsigned backup ZIP files and re-upload them to disrupt application functionality. Attackers can reconfigure services to make the application unusable, redirect internal traffic to malicious services, and gather sensitive information. This affects systems using SICK products with vulnerable backup functionality.
💻 Affected Systems
- SICK industrial automation and sensor products with backup functionality
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete application disruption with traffic redirected to attacker-controlled infrastructure, enabling data exfiltration and potential lateral movement within the network.
Likely Case
Application downtime and service disruption through malicious configuration changes in backup files.
If Mitigated
Limited impact with proper backup validation and access controls preventing unauthorized uploads.
🎯 Exploit Status
Exploitation requires access to backup upload functionality and ability to modify ZIP files. No authentication bypass needed if user has legitimate access to backup features.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Consult SICK PSIRT advisory for specific patched versions
Vendor Advisory: https://sick.com/psirt
Restart Required: Yes
Instructions:
1. Check SICK PSIRT for affected products and patches.
2. Apply vendor-provided firmware updates.
3. Restart affected devices.
4. Verify backup functionality now validates file integrity.
🔧 Temporary Workarounds
Disable backup upload functionality
- Temporarily disable backup upload/restore features until patching is complete
- Consult device-specific configuration guides to disable backup upload
Implement network segmentation
- Restrict access to backup management interfaces to authorized administrators only
- Configure firewall rules to limit access to backup management ports
🧯 If You Can't Patch
- Implement strict access controls to backup management interfaces
- Monitor for unauthorized backup upload attempts and file modifications
🔍 How to Verify
Check if Vulnerable:
Check whether backup ZIP files carry a digital signature or any integrity check. Test on a non-production device by modifying an exported backup file and attempting to restore it; if the device accepts the modified file, no integrity check is enforced.
Check Version:
Check device firmware version through web interface or CLI (device-specific commands)
Verify Fix Applied:
After patching, attempt to upload a modified backup ZIP; the system should reject it with an integrity check failure.
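The rejection described above is what a restore endpoint should do once backups are integrity-protected. The following is an added example, not SICK's code and not the page's own, of a minimal signed-backup scheme: each archive member's SHA-256 digest goes into a manifest, an HMAC-SHA256 tag (with a demo key; a real device would use a protected per-device secret or an asymmetric key pair) covers the manifest, and the restore side checks the tag and every digest before accepting anything. The member names, file contents and key are constructed for the demonstration.

```python
import hashlib
import hmac
import io
import json
import zipfile

# Hypothetical signing key for the demo only. A real device would hold a
# per-device secret (or an asymmetric key pair) in protected storage.
DEMO_KEY = b"constructed-demo-key-not-for-production"
MANIFEST_NAME = "MANIFEST.json"
SIGNATURE_NAME = "MANIFEST.sig"

# Constructed sample backup contents (not real SICK configuration files).
SAMPLE_FILES = {
    "config/network.json": b'{"syslog_server": "10.0.0.5"}',
    "config/services.json": b'{"webserver": "enabled"}',
}


def build_signed_backup(files, key=DEMO_KEY):
    """Pack {name: bytes} into a ZIP together with a manifest of SHA-256
    digests and an HMAC-SHA256 tag over that manifest."""
    manifest = {name: hashlib.sha256(data).hexdigest() for name, data in files.items()}
    manifest_bytes = json.dumps(manifest, sort_keys=True).encode()
    tag = hmac.new(key, manifest_bytes, hashlib.sha256).hexdigest()
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in files.items():
            zf.writestr(name, data)
        zf.writestr(MANIFEST_NAME, manifest_bytes)
        zf.writestr(SIGNATURE_NAME, tag)
    return buf.getvalue()


def verify_backup(archive, key=DEMO_KEY):
    """Return (ok, reason). A restore routine must not apply the archive
    unless ok is True; every failure path below is a reject."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(archive))
    except zipfile.BadZipFile:
        return False, "not a zip archive"
    names = set(zf.namelist())
    if MANIFEST_NAME not in names or SIGNATURE_NAME not in names:
        return False, "unsigned backup: manifest or signature missing"
    manifest_bytes = zf.read(MANIFEST_NAME)
    expected = hmac.new(key, manifest_bytes, hashlib.sha256).hexdigest()
    presented = zf.read(SIGNATURE_NAME).decode(errors="replace").strip()
    # Check the tag before trusting anything the manifest says; constant-time
    # comparison avoids leaking how many leading bytes matched.
    if not hmac.compare_digest(expected, presented):
        return False, "manifest signature mismatch"
    manifest = json.loads(manifest_bytes)
    payload = names - {MANIFEST_NAME, SIGNATURE_NAME}
    if set(manifest) != payload:
        return False, "member list differs from signed manifest"
    for name in sorted(manifest):
        if hashlib.sha256(zf.read(name)).hexdigest() != manifest[name]:
            return False, "digest mismatch for " + name
    return True, "ok"


def replace_member(archive, name, new_data):
    """Rewrite one member of a ZIP, leaving the others (including the manifest
    and tag) untouched. This is what a modified backup looks like on upload."""
    src = zipfile.ZipFile(io.BytesIO(archive))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            data = new_data if info.filename == name else src.read(info.filename)
            dst.writestr(info.filename, data)
    return buf.getvalue()


def run_checks():
    """Exercise the three cases a restore endpoint must distinguish."""
    signed = build_signed_backup(SAMPLE_FILES)
    # Case 1: the archive exactly as exported by the device.
    untouched = verify_backup(signed)
    # Case 2: one config member rewritten (syslog target pointed elsewhere).
    modified = replace_member(signed, "config/network.json",
                              b'{"syslog_server": "198.51.100.7"}')
    tampered = verify_backup(modified)
    # Case 3: a plain ZIP with no manifest or tag at all.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("config/network.json", SAMPLE_FILES["config/network.json"])
    unsigned = verify_backup(buf.getvalue())
    return {"untouched": untouched, "tampered": tampered, "unsigned": unsigned}


if __name__ == "__main__":
    for case, (ok, reason) in run_checks().items():
        print(f"{case:10s} -> {'accept' if ok else 'reject'} ({reason})")
```

The order of checks matters: the tag is verified before the manifest is parsed, so a manifest edited to match modified contents is refused as a signature mismatch, and a member list that differs from the signed manifest is refused before any digest is computed. Members removed from, or added to, the archive therefore fail the same way as members that were edited.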
📡 Detection & Monitoring
Log Indicators:
- Failed backup integrity checks
- Multiple backup upload attempts from single source
- Backup files with modified timestamps
Network Indicators:
- Unusual traffic patterns from backup management interfaces
- External connections to backup upload endpoints
SIEM Query:
source="backup_service" AND (event="upload_failed" OR event="integrity_check_failed")
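The SIEM query above matches individual failure events; the "multiple upload attempts from a single source" indicator needs a count over time. The following is an added example, not the page's or SICK's code, that runs both over constructed sample log lines. The line layout (timestamp followed by key=value pairs, with the `source`, `event` and `src_ip` field names) is an assumption for the demonstration and not a real SICK device log format.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines; the field layout is an assumption for this
# example, not a real SICK device log format. Field names follow the SIEM
# query on the page (source, event).
SAMPLE_LOGS = """\
2025-06-10T08:00:01Z source=backup_service src_ip=10.1.1.20 user=admin event=upload_ok file=backup_a.zip
2025-06-10T08:05:14Z source=backup_service src_ip=10.1.1.77 user=operator event=integrity_check_failed file=backup_a.zip
2025-06-10T08:05:40Z source=backup_service src_ip=10.1.1.77 user=operator event=upload_failed file=backup_a.zip
2025-06-10T08:06:02Z source=backup_service src_ip=10.1.1.77 user=operator event=integrity_check_failed file=backup_b.zip
2025-06-10T08:06:30Z source=backup_service src_ip=10.1.1.77 user=operator event=upload_failed file=backup_b.zip
2025-06-10T09:30:00Z source=backup_service src_ip=10.1.1.20 user=admin event=upload_ok file=backup_c.zip
"""

UPLOAD_EVENTS = {"upload_ok", "upload_failed", "integrity_check_failed"}
FAILURE_EVENTS = {"upload_failed", "integrity_check_failed"}


def parse_line(line):
    """Split '<ts> key=value ...' into a dict with a datetime under 'ts'.
    Returns None for lines that do not fit the assumed layout."""
    parts = line.split()
    if not parts:
        return None
    try:
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
    except ValueError:
        return None
    fields = dict(p.split("=", 1) for p in parts[1:] if "=" in p)
    fields["ts"] = ts
    return fields


def analyze(log_text, window=timedelta(minutes=10), burst_threshold=3):
    """Return the two indicator sets from the page: every failed upload or
    integrity check, and every source that made at least burst_threshold
    upload attempts (of any outcome) inside a sliding time window."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    backup_events = [e for e in events if e.get("source") == "backup_service"]

    # Indicator 1: the SIEM query from the page, expressed as a filter.
    failures = [e for e in backup_events if e.get("event") in FAILURE_EVENTS]

    # Indicator 2: many upload attempts from one source in a short window.
    # Successful uploads count too: an attempt that was accepted is exactly
    # the case a defender wants to see when backups are not yet validated.
    by_src = defaultdict(list)
    for e in backup_events:
        if e.get("event") in UPLOAD_EVENTS:
            by_src[e.get("src_ip")].append(e["ts"])
    bursts = {}
    for src, stamps in by_src.items():
        stamps.sort()
        for i, start in enumerate(stamps):
            count = sum(1 for t in stamps[i:] if t - start <= window)
            if count >= burst_threshold:
                bursts[src] = count
                break
    return {
        "failures": [(e["ts"].isoformat(), e["src_ip"], e["event"], e["file"])
                     for e in failures],
        "bursts": bursts,
    }


if __name__ == "__main__":
    result = analyze(SAMPLE_LOGS)
    for row in result["failures"]:
        print("FAILURE", *row)
    for src, n in result["bursts"].items():
        print(f"BURST {src}: {n} upload attempts within 10 minutes")
```

In the sample, 10.1.1.77 produces four upload attempts in under two minutes and is reported as a burst, while the two successful uploads from 10.1.1.20 are ninety minutes apart and are not. The window and threshold are the knobs to tune against a site's normal backup cadence.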
🔗 References
- https://cdn.sick.com/media/docs/1/11/411/Special_information_CYBERSECURITY_BY_SICK_en_IM0084411.PDF
- https://sick.com/psirt
- https://www.cisa.gov/resources-tools/resources/ics-recommended-practices
- https://www.first.org/cvss/calculator/3.1
- https://www.sick.com/.well-known/csaf/white/2025/sca-2025-0007.json
- https://www.sick.com/.well-known/csaf/white/2025/sca-2025-0007.pdf