CVE-2025-49181 PUBLISHED

Configurations endpoint does not require authorization

Assigner: SICK AG
Reserved: 03.06.2025 Published: 12.06.2025 Updated: 12.06.2025

Due to missing authorization of an API endpoint, unauthorized users can send HTTP GET requests to gather sensitive information. An attacker could also send HTTP POST requests to modify the log files’ root path as well as the TCP ports the service is running on, leading to a Denial of Service attack.

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H
CVSS Score: 8.6

Attack Vector	Network	Scope	Unchanged
Attack Complexity	Low	Confidentiality Impact	Low
Privileges Required	None	Integrity Impact	Low
User Interaction	None	Availability Impact	High

CVSS 3.1

Product Status

Vendor	SICK AG
Product	SICK Media Server
Versions	Default: affected Version all versions is affected

Workarounds

It is possible to enable the authorization of the API endpoint via licence. Please contact your support to get a licence with API authorization enabled.

References

Problem Types

CWE-862 Missing Authorization CWE