The standard user uses the run as function to start the MEAC applications with administrative privileges. To ensure that the system can startup on its own, the credentials of the administrator were stored. Consequently, the EPC2 user can execute any command with administrative privileges. This allows a privilege escalation to the administrative level.
To automatically launch the MEAC application with administrative privileges using the 'run as' function, administrator credentials were stored in the system (CWE-522 — insufficiently protected credentials). A standard EPC2 user has access to these stored credentials, allowing them to execute arbitrary commands in the administrator account context. As a result, obtaining elevated privileges does not require knowledge of the administrator password or any additional actions — access to the EPC2 user account is sufficient.
An attacker with access to a standard EPC2 user account can obtain full administrative privileges in the system and execute arbitrary commands, enabling complete device takeover, configuration modification, and potential lateral movement in the network.
Patches available from the manufacturer should be applied according to references. It is recommended to review the SICK PSIRT security document (SCA-2025-0001) available at sick.com/psirt and the dedicated cybersecurity document (IM0084411). As an interim measure, restrict access to EPC2 user accounts to trusted personnel only and consider network isolation of the devices.
MEAC applications by SICK AG running on the EPC2 platform — specific versions indicated in the manufacturer's references (document SCA-2025-0001).
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H