CVE-2025-58584
📋 TL;DR
This vulnerability exposes authentication credentials transmitted via URL parameters, which can be unintentionally stored in server logs, browser histories, or proxy caches. Any system using HTTP requests with credentials in URLs is affected, particularly web applications and APIs that handle authentication this way.
💻 Affected Systems
- SICK products using HTTP authentication via URL parameters
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers gain unauthorized access to sensitive systems by harvesting credentials from exposed logs or cached URLs, leading to data breaches or system compromise.
Likely Case
Credential leakage through log files or browser histories, enabling unauthorized access to user accounts or sensitive information.
If Mitigated
Limited exposure with proper logging controls and credential sanitization, reducing but not eliminating risk of accidental disclosure.
🎯 Exploit Status
Exploitation requires access to logs or cached data containing the URLs with credentials.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check vendor advisory for specific patched versions
Vendor Advisory: https://www.sick.com/.well-known/csaf/white/2025/sca-2025-0010.json
Restart Required: Yes
Instructions:
1. Review the vendor advisory for affected products.
2. Apply the recommended patches or updates.
3. Restart affected services.
4. Verify that credentials are no longer transmitted via URL parameters.
🔧 Temporary Workarounds
Disable URL parameter logging
Configure web servers and applications to exclude URL parameters from logs so that credentials are never written to log files.
For Apache: define a LogFormat that omits the query string (e.g. log %U, the path only, instead of %r, the full request line)
For Nginx: log $uri (which excludes the query string) instead of $request_uri or $request in log_format
Use POST for authentication
Modify authentication mechanisms to use POST requests with body parameters instead of GET requests with URL parameters.
🧯 If You Can't Patch
- Implement network segmentation to restrict access to systems handling sensitive authentication data.
- Enable strict access controls and monitoring for logs and proxy servers that may store URLs.
🔍 How to Verify
Check if Vulnerable:
Inspect HTTP traffic or application code to see if authentication credentials are passed as URL parameters (e.g., in ?username=...&password=... format).
Check Version:
Check product documentation or vendor-specific commands for version information.
Verify Fix Applied:
Confirm that authentication no longer uses URL parameters and that logs do not contain credential information.
📡 Detection & Monitoring
Log Indicators:
- Log entries containing URL parameters with 'username', 'password', or similar fields in query strings.
Network Indicators:
- HTTP GET requests with authentication parameters in the URL observed in network traffic.
SIEM Query:
source="web_logs" AND (url="*username=*" OR url="*password=*")
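The log indicators above and the "Disable URL parameter logging" workaround, as an added example that is not part of this advisory or of any SICK product: it parses Apache/Nginx-style access log lines, flags requests whose query string carries credential-bearing parameter names, and returns a redacted copy that is safe to retain. The credential key list and the sample log lines are constructed assumptions, not data from the page.

```python
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Parameter names treated as credential-bearing. This list is an assumption for
# the example; extend it with the names your own application uses.
CREDENTIAL_KEYS = {"username", "user", "password", "passwd", "pwd", "token", "apikey", "api_key"}

# Request line inside an Apache/Nginx-style access log entry: "GET /path?q=1 HTTP/1.1"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/[\d.]+)"')


def find_credential_params(target):
    """Return the credential-bearing parameter names found in a request target."""
    query = urlsplit(target).query
    return [k for k, _ in parse_qsl(query, keep_blank_values=True) if k.lower() in CREDENTIAL_KEYS]


def redact_target(target):
    """Return the request target with every credential value replaced by REDACTED."""
    parts = urlsplit(target)
    pairs = [(k, "REDACTED" if k.lower() in CREDENTIAL_KEYS else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(pairs)))


def scan_log(lines):
    """Return (line_no, leaked_params, redacted_line) for every line whose URL carries credentials."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        leaked = find_credential_params(m.group("target"))
        if leaked:
            redacted = line[:m.start("target")] + redact_target(m.group("target")) + line[m.end("target"):]
            findings.append((n, leaked, redacted))
    return findings


# Constructed sample log lines (not real traffic): one GET login with credentials in the
# query string, one harmless GET, one POST login that keeps credentials out of the URL.
SAMPLE_LOG = [
    '192.0.2.10 - - [12/Mar/2025:10:15:32 +0000] "GET /login?username=alice&password=s3cret HTTP/1.1" 200 512',
    '192.0.2.11 - - [12/Mar/2025:10:15:40 +0000] "GET /status?lang=en HTTP/1.1" 200 128',
    '192.0.2.12 - - [12/Mar/2025:10:16:01 +0000] "POST /login HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    for line_no, leaked, redacted in scan_log(SAMPLE_LOG):
        print(f"line {line_no}: credentials in URL ({', '.join(leaked)})")
        print(f"  sanitized: {redacted}")
```

Running the redaction over an existing log store is a stop-gap; the durable fix is the LogFormat/log_format change and moving authentication to POST bodies, as the workarounds above describe.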
🔗 References
- https://sick.com/psirt
- https://www.cisa.gov/resources-tools/resources/ics-recommended-practices
- https://www.first.org/cvss/calculator/3.1
- https://www.sick.com/.well-known/csaf/white/2025/sca-2025-0010.json
- https://www.sick.com/.well-known/csaf/white/2025/sca-2025-0010.pdf
- https://www.sick.com/media/docs/9/19/719/special_information_sick_operating_guidelines_cybersecurity_by_sick_en_im0106719.pdf