CRITICAL🇵🇱 Wersja polska

CVE-2026-2331

CVSS 9.8v3.1pub. 2026-03-06upd. 2026-03-09

An attacker may perform unauthenticated read and write operations on sensitive filesystem areas via the AppEngine Fileaccess over HTTP due to improper access restrictions. A critical filesystem directory was unintentionally exposed through the HTTP-based file access feature, allowing access without authentication. This includes device parameter files, enabling an attacker to read and modify application settings, including customer-defined passwords. Additionally, exposure of the custom application directory may allow execution of arbitrary Lua code within the sandboxed AppEngine environment.

🤖 AI Analysis
How it works

The HTTP-based file system access function (AppEngine Fileaccess) improperly restricts access to critical device directories — these directories were unintentionally exposed without authentication requirements. An attacker can read and modify device parameter files, including user-defined passwords. Additionally, exposure of the custom application directory enables uploading and executing arbitrary Lua code in the AppEngine sandbox environment.

Impact

An attacker can read and modify application settings and user passwords without authentication, as well as execute arbitrary Lua code in the AppEngine environment, which may lead to complete compromise of device functionality.

Mitigation & patch

Patches available from the manufacturer should be applied according to references (SCA-2026-0006 available at sick.com). It is also recommended to implement recommendations from the SICK Operating Guidelines Cybersecurity document, including restricting network access to devices through firewalls or network segmentation in accordance with CISA ICS guidelines.

Who is affected

SICK devices equipped with AppEngine Fileaccess function with HTTP access — versions indicated in manufacturer references (SCA-2026-0006)

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References