Description
An attacker may perform unauthenticated read and write operations on sensitive filesystem areas via the AppEngine Fileaccess over HTTP due to improper access restrictions. A critical filesystem directory was unintentionally exposed through the HTTP-based file access feature, allowing access without authentication. This includes device parameter files, enabling an attacker to read and modify application settings, including customer-defined passwords. Additionally, exposure of the custom application directory may allow execution of arbitrary Lua code within the sandboxed AppEngine environment.
Published: 2026-03-06
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote code execution via unrestricted filesystem access
Action: Immediate Patch
AI Analysis

Impact

An attacker can exploit a missing access control in the AppEngine Fileaccess feature exposed over HTTP to perform unauthenticated read and write operations against sensitive filesystem directories. The exposed area includes the device parameter files, so an attacker can read and modify application settings, including customer‑defined passwords. Because the custom application directory is exposed as well, an attacker may also be able to place and execute arbitrary Lua code inside the sandboxed AppEngine environment, which amounts to remote code execution within the bounds of that sandbox. The underlying weakness is classified as CWE‑552 (Files or Directories Accessible to External Parties).

Affected Systems

The vulnerability affects SICK AG's Lector 83x and Lector 85x product lines. No affected version range is listed, but the vendor recommends upgrading affected devices to release 2.8.0, implying that releases prior to 2.8.0 of these families are affected.

Risk and Exploitability

With a CVSS v3.1 base score of 9.8 (vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), the vulnerability is rated critical. EPSS estimates the probability of exploitation in the wild at below 1%, and the CVE is not listed in the CISA Known Exploited Vulnerabilities catalog, so current exploitation likelihood appears low. The flaw is nonetheless exploitable over the device's HTTP interface without authentication or user interaction, so any host able to reach that interface can attempt it; the SSVC assessment recorded in the history below (Automatable: yes, Technical Impact: total) reflects the same picture. High impact combined with a low but non‑zero exploitation probability argues for prompt patching and network restriction rather than waiting for evidence of exploitation.

Generated by OpenCVE AI on April 17, 2026 at 12:22 UTC.

Remediation

Vendor Solution

The vendor strongly recommends upgrading to release 2.8.0.


OpenCVE Recommended Actions

  • Upgrade affected Lector 83x and Lector 85x devices to release 2.8.0 as advised by the vendor.
  • Until the upgrade is applied, restrict network access to the device's HTTP interface by firewalling or segmentation so that only trusted management networks can reach it.
  • Because the flaw allows unauthenticated modification of parameter files and of the custom application directory, treat a device that was reachable while unpatched as potentially tampered with: change customer‑defined passwords after upgrading and review the custom application directory for unexpected Lua files.
  • Continuously monitor HTTP access to the device for unauthenticated file read and write requests and for unexpected Lua code execution in the AppEngine.



Advisories

No advisories yet.

History

Mon, 09 Mar 2026 21:15:00 +0000

Type: Metrics (ssvc)
Values Removed: none
Values Added: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 09 Mar 2026 10:15:00 +0000

Type: First Time appeared
Values Removed: none
Values Added: Sick Ag; Sick Ag sick Lector83x; Sick Ag sick Lector85x

Type: Vendors & Products
Values Removed: none
Values Added: Sick Ag; Sick Ag sick Lector83x; Sick Ag sick Lector85x

Fri, 06 Mar 2026 08:00:00 +0000

Type: Description
Values Removed: none
Values Added: An attacker may perform unauthenticated read and write operations on sensitive filesystem areas via the AppEngine Fileaccess over HTTP due to improper access restrictions. A critical filesystem directory was unintentionally exposed through the HTTP-based file access feature, allowing access without authentication. This includes device parameter files, enabling an attacker to read and modify application settings, including customer-defined passwords. Additionally, exposure of the custom application directory may allow execution of arbitrary Lua code within the sandboxed AppEngine environment.

Type: Title
Values Removed: none
Values Added: CVE-2026-2331

Type: Weaknesses
Values Removed: none
Values Added: CWE-552

Type: References
Values Removed: none
Values Added: none

Type: Metrics (cvssV3_1)
Values Removed: none
Values Added: {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: SICK AG

Published:

Updated: 2026-03-09T21:04:31.505Z

Reserved: 2026-02-11T09:33:16.256Z

Link: CVE-2026-2331

Vulnrichment

Updated: 2026-03-09T20:58:04.190Z

NVD

Status: Awaiting Analysis

Published: 2026-03-06T08:16:27.450

Modified: 2026-03-09T13:35:34.633

Link: CVE-2026-2331

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T12:30:06Z

Weaknesses