An attacker may perform unauthenticated read and write operations on sensitive filesystem areas via the AppEngine Fileaccess over HTTP due to improper access restrictions. A critical filesystem directory was unintentionally exposed through the HTTP-based file access feature, allowing access without authentication. This includes device parameter files, enabling an attacker to read and modify application settings, including customer-defined passwords. Additionally, exposure of the custom application directory may allow execution of arbitrary Lua code within the sandboxed AppEngine environment.
The HTTP-based file system access function (AppEngine Fileaccess) improperly restricts access to critical device directories — these directories were unintentionally exposed without authentication requirements. An attacker can read and modify device parameter files, including user-defined passwords. Additionally, exposure of the custom application directory enables uploading and executing arbitrary Lua code in the AppEngine sandbox environment.
An attacker can read and modify application settings and user passwords without authentication, as well as execute arbitrary Lua code in the AppEngine environment, which may lead to complete compromise of device functionality.
Patches available from the manufacturer should be applied according to references (SCA-2026-0006 available at sick.com). It is also recommended to implement recommendations from the SICK Operating Guidelines Cybersecurity document, including restricting network access to devices through firewalls or network segmentation in accordance with CISA ICS guidelines.
SICK devices equipped with AppEngine Fileaccess function with HTTP access — versions indicated in manufacturer references (SCA-2026-0006)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H