Description
An attacker with low privileges may be able to read files from specific directories on the device, potentially exposing sensitive information.
Published: 2026-01-15
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Information Disclosure
Action: Apply Workaround
AI Analysis

Impact

A flaw in the SICK TDC‑X401GL allows an attacker with low privileges to read files located in certain device directories, exposing potentially sensitive data. This weakness is a classic lack of restriction on visible files, known as CWE‑497, and threatens the confidentiality of information stored on the device.

Affected Systems

The vulnerability affects SICK AG’s TDC‑X401GL industrial device, covering all firmware builds listed under the product’s CPE entries. No specific firmware version is singled out, so all variants of this device model should be considered potentially exposed.

Risk and Exploitability

With a CVSS score of 4.3 the risk is moderate, and the EPSS score of less than 1% implies a low probability of exploitation at present. The vulnerability requires low‑privilege access, so an attacker needs to authenticate with a user account that has limited rights, likely after the initial device setup. It is not listed in the CISA KEV catalog, indicating no known widespread exploitation. Mitigation through device configuration changes can effectively block the attack path.

Generated by OpenCVE AI on April 18, 2026 at 06:09 UTC.

Remediation

Vendor Workaround

Upon completion of the initial device setup, deactivate AppEngine. Disabling it fully mitigates this vulnerability.


OpenCVE Recommended Actions

  • Disable AppEngine on the TDC‑X401GL after completing device setup, as advised by the vendor; this fully mitigates the vulnerability.
  • Check the vendor’s CSAF release documents and firmware archive for any updates that fix the directory‑access flaw, and apply the latest patch if available.
  • Ensure that all user accounts and services on the device run with the least privileges possible, restricting access to sensitive directories per the principle of least privilege.

History

(Each entry lists the record fields changed at that time. No entry removed any values; all changes are additions.)

Sat, 18 Apr 2026 06:30:00 +0000
  Title (added): Low Privilege File Disclosure via Directories in SICK TDC-X401GL

Fri, 23 Jan 2026 15:30:00 +0000
  First Time appeared (added): Sick; Sick tdc-x401gl; Sick tdc-x401gl Firmware
  CPEs (added): cpe:2.3:h:sick:tdc-x401gl:-:*:*:*:*:*:*:*; cpe:2.3:o:sick:tdc-x401gl_firmware:*:*:*:*:*:*:*:*
  Vendors & Products (added): Sick; Sick tdc-x401gl; Sick tdc-x401gl Firmware

Fri, 16 Jan 2026 14:15:00 +0000
  First Time appeared (added): Sick Ag; Sick Ag tdc-x401gl
  Vendors & Products (added): Sick Ag; Sick Ag tdc-x401gl

Thu, 15 Jan 2026 17:15:00 +0000
  Metrics (added): ssvc
    {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 15 Jan 2026 13:15:00 +0000
  Description (added): An attacker with low privileges may be able to read files from specific directories on the device, potentially exposing sensitive information.
  Weaknesses (added): CWE-497
  References (added): (none listed)
  Metrics (added): cvssV3_1
    {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N'}

Sources

MITRE

Status: PUBLISHED

Assigner: SICK AG

Published:

Updated: 2026-01-15T17:03:58.009Z

Reserved: 2026-01-13T09:11:11.448Z

Link: CVE-2026-22915

Vulnrichment

Updated: 2026-01-15T16:58:41.315Z

NVD

Status: Analyzed

Published: 2026-01-15T13:16:06.387

Modified: 2026-01-23T15:17:20.130

Link: CVE-2026-22915

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T06:15:15Z

Weaknesses