CVE-2020-10276 CRITICAL

CVE-2020-10276: RVD#2558: Default credentials on SICK PLC allows disabling safety features

Vendor Mobile Industrial Robots A/S
Product MiR100
Weakness CWE-798 · Hardcoded credentials
Published June 24, 2020
Last update September 16, 2024

CVSS base score

9.8/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

01Description

The password for the safety PLC is the default and thus easy to find (in manuals, etc.). This allows a manipulated program to be uploaded to the safety PLC, effectively disabling the emergency stop in case an object is too close to the robot. Navigation and any other components dependent on the laser scanner are not affected (thus it is hard to detect before something happens) though the laser scanner configuration can also be affected altering further the safety of the device.

Key dates

02Disclosure timeline

June 24, 2020 CVE published
September 16, 2024 Record updated