CVE-2025-64307 PUBLISHED

Brightpick Mission Control / Internal Logic Control Missing Authentication for Critical Function

Assigner: icscert
Reserved: 29.10.2025 Published: 14.11.2025 Updated: 17.11.2025

The Brightpick Internal Logic Control web interface is accessible without requiring user authentication. An unauthorized user could exploit this interface to manipulate robot control functions, including initiating or halting runners, assigning jobs, clearing stations, and deploying storage totes.
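The pattern the record describes (CWE-306) is a control endpoint that dispatches privileged actions without first establishing who is calling. The following is an added illustration, not Brightpick code: the endpoint, action names, tokens and roles are constructed for the example and are not the vendor's API. It places a vulnerable handler beside the same handler wrapped in an authenticating front that rejects unauthenticated callers and limits each caller to the actions its role permits, the same control an authenticating reverse proxy would impose on an interface that cannot be patched.

```python
"""CWE-306 on a robot-control style web interface: vulnerable handler
beside an authenticating wrapper.

Added example, not vendor code: every endpoint, action, token and role here
is constructed for illustration.
"""
import hmac
import json
from typing import Optional

# Control actions the interface exposes (names constructed for the example).
CONTROL_ACTIONS = {"start_runner", "halt_runner", "assign_job",
                   "clear_station", "deploy_tote"}


def control_backend(action: str, params: dict) -> tuple:
    """Stands in for the controller that actually moves robots."""
    if action not in CONTROL_ACTIONS:
        return 404, {"error": "unknown action"}
    return 200, {"status": "accepted", "action": action, "params": params}


def vulnerable_app(request: dict) -> tuple:
    """CWE-306: any POST reaches the controller; no identity is checked."""
    if request["method"] != "POST":
        return 405, {"error": "method not allowed"}
    body = json.loads(request.get("body") or "{}")
    return control_backend(body.get("action", ""), body.get("params", {}))


# --- hardened form: authentication plus per-action authorisation ----------

# Token store constructed for the example; a real deployment would use an
# identity provider or hashed credentials, never literal tokens in code.
TOKENS = {
    "tok-operator-1": {"subject": "operator",
                       "actions": {"start_runner", "halt_runner", "assign_job"}},
    "tok-viewer-1": {"subject": "viewer", "actions": set()},
}


def authenticate(request: dict) -> Optional[dict]:
    """Returns the principal for a valid bearer token, else None."""
    auth = request.get("headers", {}).get("authorization", "")
    scheme, _, presented = auth.partition(" ")
    if scheme.lower() != "bearer" or not presented:
        return None
    for token, principal in TOKENS.items():
        # Constant-time comparison so the lookup does not leak via timing.
        if hmac.compare_digest(token.encode(), presented.encode()):
            return principal
    return None


def require_auth(app):
    """Wraps a handler so every request is authenticated, and authorised for
    the specific control action it names, before the inner handler runs."""
    def wrapped(request: dict) -> tuple:
        principal = authenticate(request)
        if principal is None:
            return 401, {"error": "authentication required"}
        body = json.loads(request.get("body") or "{}")
        action = body.get("action", "")
        if action in CONTROL_ACTIONS and action not in principal["actions"]:
            return 403, {"error": f"{principal['subject']} may not {action}"}
        return app(request)
    return wrapped


hardened_app = require_auth(vulnerable_app)


def make_request(action: str, token: Optional[str] = None) -> dict:
    """Builds a constructed request as a plain dict, so no network is needed."""
    headers = {"content-type": "application/json"}
    if token is not None:
        headers["authorization"] = f"Bearer {token}"
    return {"method": "POST", "path": "/control", "headers": headers,
            "body": json.dumps({"action": action, "params": {"runner": 7}})}


if __name__ == "__main__":
    anon = make_request("halt_runner")
    print("vulnerable, no credentials:", vulnerable_app(anon))
    print("hardened,   no credentials:", hardened_app(anon))
    print("hardened,   viewer token:  ", hardened_app(make_request("halt_runner", "tok-viewer-1")))
    print("hardened,   operator token:", hardened_app(make_request("halt_runner", "tok-operator-1")))
```

The wrapper checks identity before it looks at the action, so an unauthenticated caller learns nothing about which actions exist, and authorisation is keyed to the individual action rather than to "logged in or not", which is what a control surface with start, halt, assign and deploy operations needs.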

Metrics

CVSS Vector: CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
CVSS Score: 7.1

Product Status

Vendor Brightpick AI
Product Brightpick Mission Control / Internal Logic Control
Versions (default status for unlisted versions: unaffected)
  • All versions: affected

Workarounds

Brightpick AI has not responded to requests to work with CISA to mitigate these vulnerabilities. Users of the affected products are encouraged to contact Brightpick AI https://brightpick.ai/contact-us/ for additional information.

Credits

  • Souvik Kandar (finder) reported these vulnerabilities to CISA.

References

Problem Types

  • CWE-306: Missing Authentication for Critical Function