CVE-2025-59459

5.5 MEDIUM

📋 TL;DR

An attacker with SSH access to an unprivileged account can disrupt services, including SSH itself, causing a persistent denial of service. This affects systems running vulnerable versions of the software with SSH enabled. The vulnerability requires initial access to a low-privilege SSH account.

💻 Affected Systems

Products:
  • SICK industrial devices and software
Versions: Specific versions not detailed in provided references; check vendor advisory.
Operating Systems: Embedded/industrial OS on SICK devices
Default Config Vulnerable: ⚠️ Yes
Notes: Requires SSH service to be enabled and accessible to unprivileged accounts.


⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete loss of SSH service and other critical services, requiring physical access or a console to restore availability.

🟠 Likely Case: Temporary service disruption affecting SSH and other services until manual intervention.

🟢 If Mitigated: Minimal impact with proper access controls and monitoring in place.

🌐 Internet-Facing: MEDIUM - Requires SSH access but can cause persistent DoS.
🏢 Internal Only: MEDIUM - Insider threat or lateral movement could exploit this.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires authenticated SSH access to an unprivileged account first.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check vendor advisory for specific patched versions.

Vendor Advisory: https://www.sick.com/.well-known/csaf/white/2025/sca-2025-0013.json

Restart Required: No

Instructions:

1. Review the vendor advisory for affected versions.
2. Apply vendor-provided patches or firmware updates.
3. Verify SSH service functionality post-update.

🔧 Temporary Workarounds

Restrict SSH Access (applies to: all)

Limit SSH access to trusted IPs and users only.

  • Configure firewall rules to restrict the SSH port (typically 22) to management networks.
  • Use SSH key authentication only and disable password authentication.

Implement Least Privilege (applies to: all)

Remove or restrict unprivileged SSH accounts.

  • Review and disable unnecessary SSH user accounts.
  • Implement role-based access control for SSH users.

🧯 If You Can't Patch

  • Segment network to isolate vulnerable devices from untrusted networks.
  • Implement strict monitoring and alerting for SSH access attempts and service disruptions.

🔍 How to Verify

Check if Vulnerable:

Check device firmware/software version against vendor advisory list.

Check Version:

Device-specific; typically via SSH command or web interface (e.g., 'show version' or similar).

Verify Fix Applied:

Verify installed version matches patched version from vendor advisory.

📡 Detection & Monitoring

Log Indicators:

  • Unusual SSH login patterns from unprivileged accounts.
  • Service disruption logs (e.g., SSH daemon crashes, service restarts).

Network Indicators:

  • Increased SSH connection attempts to unprivileged accounts.
  • Unexpected service outages following SSH access.

SIEM Query (pseudo-query; adapt to your SIEM's syntax):

source="ssh_logs" AND (event="service_stop" OR event="crash") AFTER successful_auth
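The correlation behind that pseudo-query, as an added example that is not part of the original page: it scans syslog-style sshd and systemd lines (the constructed sample below; the real log format on SICK devices is not given here and is assumed) and flags any service stop or crash that follows a successful login by a non-privileged account within a short window. The privileged-account set and the ten-minute window are assumptions to tune per environment.

```python
import re
from datetime import datetime, timedelta

# Constructed sample log lines (syslog-style sshd + systemd messages);
# the real log format on SICK devices is unknown and assumed here.
SAMPLE_LOG = """\
Jan 10 10:00:01 dev sshd[1201]: Accepted publickey for admin from 10.0.0.5 port 5001 ssh2
Jan 10 10:02:10 dev sshd[1250]: Accepted password for svcuser from 10.0.0.7 port 5002 ssh2
Jan 10 10:02:45 dev systemd[1]: sshd.service: Main process exited, code=killed, status=9/KILL
Jan 10 10:02:46 dev systemd[1]: Stopped OpenSSH server daemon.
Jan 10 11:30:00 dev sshd[1302]: Accepted publickey for admin from 10.0.0.5 port 5003 ssh2
"""

PRIVILEGED = {"root", "admin"}          # assumed set of privileged accounts
WINDOW = timedelta(minutes=10)          # correlation window after a login

AUTH_RE = re.compile(r"sshd\[\d+\]: Accepted \w+ for (\S+) from (\S+)")
DISRUPT_RE = re.compile(r"systemd\[\d+\]: (?:Stopped|.*Main process exited)")

def parse_ts(line, year=2025):
    # Syslog timestamps carry no year; assume one so lines can be ordered.
    return datetime.strptime(f"{year} {line[:15]}", "%Y %b %d %H:%M:%S")

def find_disruptions_after_unprivileged_login(log_text):
    """Return (user, src_ip, disruption_line) tuples where a service stop or
    crash follows a successful login by a non-privileged user within WINDOW."""
    recent_logins = []   # (timestamp, user, ip) for unprivileged logins
    findings = []
    for line in log_text.splitlines():
        ts = parse_ts(line)
        m = AUTH_RE.search(line)
        if m:
            user, ip = m.groups()
            if user not in PRIVILEGED:
                recent_logins.append((ts, user, ip))
            continue
        if DISRUPT_RE.search(line):
            for lts, user, ip in recent_logins:
                if timedelta(0) <= ts - lts <= WINDOW:
                    findings.append((user, ip, line.strip()))
    return findings

if __name__ == "__main__":
    for user, ip, evidence in find_disruptions_after_unprivileged_login(SAMPLE_LOG):
        print(f"ALERT: service disruption after login by {user} from {ip}: {evidence}")
```

On the sample above, the two systemd events are attributed to the `svcuser` login and the `admin` logins produce nothing, which is the "service_stop after successful_auth by an unprivileged account" pattern the query sketches.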
