Description
Certain system functions may be accessed without proper authorization, allowing attackers to start, stop, or delete installed applications, potentially disrupting system operations.
Published: 2026-01-15
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized modification of application lifecycle can disrupt device operations
Action: Apply Workaround
AI Analysis

Impact

The flaw allows an attacker to invoke system functions that start, stop, or delete installed applications without proper authorization (tracked as CWE-863, Incorrect Authorization, alongside CWE-284, Improper Access Control). Stopping or deleting applications takes down whatever the device relies on them for, so the practical effect is denial of service; the assigned CVSS vector rates the impact as availability only (C:N/I:N/A:H). The impact is confined to the device's application layer, but on an industrial device that layer is where mission-critical logic typically runs, so the operational consequences can still be severe.

Affected Systems

SICK AG's TDC-X401GL industrial device is affected. The advisory lists no specific firmware versions, and the NVD CPE for the firmware (cpe:2.3:o:sick:tdc-x401gl_firmware:*) carries a wildcard version, so every firmware build should be treated as vulnerable until SICK states otherwise. The affected management functions are exposed by the device's AppEngine component while it is active, which is why the vendor workaround is to deactivate it.

Risk and Exploitability

The CVSS v3.1 base score of 7.5 (High) derives from the vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H: the functions are reachable over the network, exploitation is low complexity, no privileges or user interaction are needed, and the impact is to availability only. The EPSS value of under 1% indicates a low but nonzero probability of observed exploitation in the wild, the vulnerability is not listed in the CISA KEV catalog, and CISA's SSVC assessment records Automatable: yes, Exploitation: none, Technical Impact: partial. The likely attack path is therefore an unauthenticated request to the device's network-facing management interface; a successful attacker can stop or delete applications at will, which disrupts availability and, because the functions can presumably be invoked repeatedly, keeps the device disrupted for as long as it stays exposed.

Generated by OpenCVE AI on April 18, 2026 at 06:11 UTC.

Remediation

Vendor Workaround

Upon completion of the initial device setup, deactivate AppEngine. Disabling it fully mitigates this vulnerability.


OpenCVE Recommended Actions

  • Disable AppEngine after the initial device setup to fully mitigate this vulnerability.
  • Apply any vendor firmware updates or security patches that address the missing authorization controls once they become available.
  • Restrict network access to the device’s management interfaces using segmentation, firewall rules, or VPNs to limit exposure to authorized personnel only.

Generated by OpenCVE AI on April 18, 2026 at 06:11 UTC.

Advisories

No advisories yet.

History

Sat, 18 Apr 2026 06:30:00 +0000

  Title (value added): Unauthorized Application Control via Missing Authorization in SICK TDC-X401GL

Fri, 23 Jan 2026 16:00:00 +0000

  First Time appeared (values added): Sick; Sick tdc-x401gl; Sick tdc-x401gl Firmware
  Weaknesses (value added): CWE-863
  CPEs (values added): cpe:2.3:h:sick:tdc-x401gl:-:*:*:*:*:*:*:*; cpe:2.3:o:sick:tdc-x401gl_firmware:*:*:*:*:*:*:*:*
  Vendors & Products (values added): Sick; Sick tdc-x401gl; Sick tdc-x401gl Firmware

Fri, 16 Jan 2026 14:15:00 +0000

  First Time appeared (values added): Sick Ag; Sick Ag tdc-x401gl
  Vendors & Products (values added): Sick Ag; Sick Ag tdc-x401gl

Thu, 15 Jan 2026 15:15:00 +0000

  Metrics (value added): ssvc, version 2.0.3: Automatable: yes; Exploitation: none; Technical Impact: partial

Thu, 15 Jan 2026 13:15:00 +0000

  Description (value added): Certain system functions may be accessed without proper authorization, allowing attackers to start, stop, or delete installed applications, potentially disrupting system operations.
  Weaknesses (value added): CWE-284
  References (values added): not shown on this page
  Metrics (value added): cvssV3_1, score 7.5, vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H


MITRE

Status: PUBLISHED

Assigner: SICK AG

Published:

Updated: 2026-01-15T14:41:39.360Z

Reserved: 2026-01-13T09:11:11.447Z

Link: CVE-2026-22909

Vulnrichment

Updated: 2026-01-15T14:41:35.280Z

NVD

Status : Analyzed

Published: 2026-01-15T13:16:05.537

Modified: 2026-01-23T15:46:11.580

Link: CVE-2026-22909

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T06:15:15Z

Weaknesses