CVE-2026-22907
BaseFortify
Publication date: 2026-01-15
Last updated on: 2026-01-15
Assigner: SICK AG
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| sick_ag | tdc-x401gl | to 1.4.0 (exc) |
| sick_ag | meac300 | * |
| sick_ag | lector8xx | * |
| sick_ag | inspectorp8xx | * |
| sick_ag | dl100-2xxxxxxx | * |
| sick_ag | flexi_compact | * |
| sick_ag | picoscan | * |
| sick_ag | multiscan | * |
| sick_ag | field_analytics | * |
| sick_ag | media_server | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-266 | A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-22907 is a critical vulnerability in the SICK TDC-X401GL Telematic Data Collector device, specifically affecting firmware versions prior to 1.4.0. It is an Incorrect Privilege Assignment vulnerability (CWE-266) that allows an attacker to gain unauthorized access to the host filesystem. This unauthorized access enables the attacker to read and modify system data, potentially compromising the device's confidentiality, integrity, and availability. [2, 5]
How can this vulnerability impact me? :
This vulnerability can have severe impacts including unauthorized access to the host filesystem, allowing attackers to read sensitive system data and modify it. This compromises the confidentiality, integrity, and availability of the affected system. The vulnerability has a critical CVSS v3.1 score of 9.9, indicating high severity. If exploited, it could lead to system disruption, data breaches, and potentially full control over the device. Mitigation involves upgrading the device firmware to version 1.4.0 or later and applying general security measures such as minimizing network exposure and restricting network access. [2, 5]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
The provided resources do not include specific commands or direct detection methods for identifying this vulnerability on your network or system. However, general best practices for detecting unauthorized access or privilege escalation include continuous device inventory, configuration snapshots, and activity monitoring as outlined in SICK's cybersecurity guidelines. Network segmentation, monitoring network traffic for unusual activity, and verifying firmware versions to identify devices running vulnerable firmware (prior to version 1.4.0) are recommended. For precise detection commands or tools, consult SICK PSIRT advisories or security incident response resources. [1, 4, 2]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include upgrading the SICK TDC-X401GL device firmware to version 1.4.0 or later, as this update addresses the vulnerability. Additionally, minimize network exposure of the device by restricting network access, implementing network segmentation, and following recommended security practices to operate the device within a protected IT environment. Employing firewalls, access controls, and monitoring network traffic can further reduce risk until the firmware is updated. [2, 5, 4]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The provided resources do not explicitly discuss how CVE-2026-22907 affects compliance with common standards and regulations such as GDPR or HIPAA. However, given that the vulnerability allows unauthorized access to the host filesystem with potential to read and modify system data, it could pose significant risks to data confidentiality and integrity, which are critical aspects of compliance with such regulations. Organizations using the affected product should consider this vulnerability in their risk assessments and remediation plans to maintain compliance. Specific guidance on compliance impact is not provided in the available resources. [2, 4, 5]