CVE-2025-64309 PUBLISHED

Brightpick Mission Control / Internal Logic Control Unprotected Transport of Credentials

Assigner: icscert
Reserved: 29.10.2025
Published: 14.11.2025
Updated: 17.11.2025

Brightpick Mission Control discloses device telemetry, configuration, and credential information via WebSocket traffic to unauthenticated users when they connect to a specific URL. The unauthenticated URL can be discovered through basic network scanning techniques.

Metrics

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:L/SI:N/SA:N
CVSS Score: 8.2

Product Status

Vendor: Brightpick AI
Product: Brightpick Mission Control / Internal Logic Control
Versions (default status: unaffected):
  • All versions: affected

Workarounds

Brightpick AI has not responded to requests to work with CISA to mitigate these vulnerabilities. Users of the affected products are encouraged to contact Brightpick AI https://brightpick.ai/contact-us/ for additional information.

Credits

  • Souvik Kandar (finder) reported these vulnerabilities to CISA.

References

Problem Types

  • CWE-523: Unprotected Transport of Credentials