Executive Summary

CVE-2026-2331 is a critical vulnerability affecting SICK Lector85x and Lector83x devices due to insufficient access restrictions in the HTTP-based AppEngine Fileaccess feature.

This flaw exposes a critical filesystem directory over HTTP without requiring authentication, allowing an attacker to perform unauthenticated read and write operations on sensitive files.

Specifically, attackers can access device parameter files to read and modify application settings, including customer-defined passwords.

Additionally, the vulnerability exposes the custom application directory, which could enable execution of arbitrary Lua code within the sandboxed AppEngine environment.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can have severe impacts including unauthorized disclosure, modification, and disruption of device operations.

• Attackers can read sensitive device parameter files, exposing confidential information such as customer-defined passwords.
• Attackers can modify application settings, potentially altering device behavior or security configurations.
• Execution of arbitrary Lua code within the sandboxed AppEngine environment is possible, which could lead to further compromise or control over the device.
• Overall, the vulnerability impacts confidentiality, integrity, and availability of the affected devices, as reflected by its critical CVSS score of 9.8.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

This vulnerability involves unauthenticated read and write access to a critical filesystem directory via the HTTP-based AppEngine Fileaccess interface on affected SICK Lector85x and Lector83x devices. Detection can focus on identifying unauthorized HTTP access attempts to the exposed filesystem directories.

You can detect potential exploitation by monitoring HTTP requests to the device for unusual access patterns targeting the AppEngine Fileaccess paths. For example, using network monitoring tools or packet capture utilities to filter HTTP traffic to the device IP address and look for requests accessing filesystem directories without authentication.

Suggested commands include:

• Using tcpdump or Wireshark to capture HTTP traffic to the device IP and filter for suspicious file access requests.
• Example tcpdump command: tcpdump -i <interface> host <device_ip> and tcp port 80 -w capture.pcap
• Review the captured traffic for HTTP GET or POST requests accessing critical filesystem directories or device parameter files.
• Use curl or wget commands to manually test access to the AppEngine Fileaccess HTTP interface to verify if unauthenticated access is possible, for example: curl http://<device_ip>/AppEngine/Fileaccess/<sensitive_path>

Useful 0 Not Useful 0

Mitigation Strategies

The primary mitigation step is to upgrade affected SICK Lector85x and Lector83x devices to firmware version 2.8.0 or later, where the vulnerability is fixed.

Additional immediate steps include minimizing network exposure of the affected devices by restricting network access to trusted hosts only and following best security practices to operate the devices within a protected IT environment.

• Upgrade device firmware to version 2.8.0 or later.
• Restrict network access to the devices, limiting exposure to untrusted networks.
• Implement network segmentation and firewall rules to protect the devices.
• Monitor device logs and network traffic for suspicious activity.

Useful 0 Not Useful 0