CVE-2025-0867 CRITICAL

CVE-2025-0867: Privilege Escalation in MEAC300

Vendor SICK AG
Product SICK MEAC300
Weakness CWE-522 · Insufficiently protected credentials
Published February 14, 2025
Last update February 21, 2025

CVSS base score

9.9/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

What the vulnerability does

01 Description

The standard user uses the "run as" function to start the MEAC applications with administrative privileges. To ensure that the system can start up on its own, the administrator's credentials were stored. Consequently, the EPC2 user can execute any command with administrative privileges, which allows privilege escalation to the administrative level.

Key dates

02 Disclosure timeline

February 14, 2025 CVE published
February 21, 2025 Record updated