CVE-2024-10771

Published: Dec 6, 2024Modified: Jun 17, 2026Deferred

8.8

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Exploitability: 2.8 / Impact: 5.9

Source: psirt@sick.de (Secondary)

Description

Due to missing input validation during one step of the firmware update process, the product is vulnerable to remote code execution. With network access and the user level ”Service”, an attacker can execute arbitrary system commands in the root user’s contexts.

Related CWEs

Improper Control of Generation of Code ('Code Injection')

The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

References (6)

https://cdn.sick.com/media/docs/1/11/411/Special_information_CYBERSECURITY_BY_SICK_en_IM0084411.PDF

Source: psirt@sick.de

https://sick.com/psirt

Source: psirt@sick.de

https://www.cisa.gov/resources-tools/resources/ics-recommended-practices

Source: psirt@sick.de

https://www.first.org/cvss/calculator/3.1

Source: psirt@sick.de

https://www.sick.com/.well-known/csaf/white/2024/sca-2024-0006.json

Source: psirt@sick.de

https://www.sick.com/.well-known/csaf/white/2024/sca-2024-0006.pdf

Source: psirt@sick.de

Timeline

No history available yet.