CRITICAL🇵🇱 Wersja polska

CVE-2025-0867

CVSS 9.9v3.1pub. 2025-02-14upd. 2026-04-15

The standard user uses the run as function to start the MEAC applications with administrative privileges. To ensure that the system can startup on its own, the credentials of the administrator were stored. Consequently, the EPC2 user can execute any command with administrative privileges. This allows a privilege escalation to the administrative level.

🤖 AI Analysis
How it works

To automatically launch the MEAC application with administrative privileges using the 'run as' function, administrator credentials were stored in the system (CWE-522 — insufficiently protected credentials). A standard EPC2 user has access to these stored credentials, allowing them to execute arbitrary commands in the administrator account context. As a result, obtaining elevated privileges does not require knowledge of the administrator password or any additional actions — access to the EPC2 user account is sufficient.

Impact

An attacker with access to a standard EPC2 user account can obtain full administrative privileges in the system and execute arbitrary commands, enabling complete device takeover, configuration modification, and potential lateral movement in the network.

Mitigation & patch

Patches available from the manufacturer should be applied according to references. It is recommended to review the SICK PSIRT security document (SCA-2025-0001) available at sick.com/psirt and the dedicated cybersecurity document (IM0084411). As an interim measure, restrict access to EPC2 user accounts to trusted personnel only and consider network isolation of the devices.

Who is affected

MEAC applications by SICK AG running on the EPC2 platform — specific versions indicated in the manufacturer's references (document SCA-2025-0001).

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
LPE
CWE
References