SICK Lector Series Unauthenticated File Access Vulnerability via Incomplete Whitelist Enforcement
Vulnerability
A vulnerability exists in the SICK Lector85x and Lector83x product families, all versions prior to 2.8.0, because the whitelist enforced by the CROWN REST interface is incomplete. The gap allows unauthenticated access to certain restricted directories that are intended only for internal testing. An attacker could exploit this by placing a manipulated parameter file in such a directory; the file becomes active after the next device reboot and can alter critical settings such as the network configuration and application parameters. Additionally, through the AppEngine Fileaccess over HTTP, comparable unauthorized read and write operations on sensitive filesystem areas are possible, including access to device parameter files and the execution of arbitrary Lua code within the AppEngine environment.
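The flaw described above is an allowlist that lets a restricted directory through rather than a bypass of a correct one. The following Python is an added illustration, not SICK's CROWN REST or AppEngine Fileaccess code: it places a weak, prefix-based path allowlist next to a deny-by-default check that canonicalizes the requested path and requires authentication for writes. The directory layout (a public directory beside a restricted internal-test directory), the path names, the symlink, the sample parameter file content and the status codes are all constructed assumptions for the example; nothing here describes how the real interface is implemented.

```python
"""Illustrative allowlist enforcement for an HTTP file-access endpoint.

Added example, not SICK's CROWN REST or AppEngine Fileaccess code. The
directory layout, path names and status codes are assumptions made for
the example; the real interface and its allowlist are not described here.
"""
import os
import tempfile
from pathlib import Path

# Constructed filesystem layout under a throwaway temp directory.
ROOT = Path(tempfile.mkdtemp(prefix="fileaccess-"))
PUBLIC_DIR = ROOT / "public"          # meant to be readable without login
TEST_DIR = ROOT / "public_test"       # internal testing area, must stay restricted
PARAM_FILE = TEST_DIR / "params.cfg"  # stands in for a device parameter file


def setup_fs() -> bool:
    """Create the sample tree. Returns True if a symlink from the public
    directory into the restricted one could be created (platform dependent)."""
    PUBLIC_DIR.mkdir(exist_ok=True)
    TEST_DIR.mkdir(exist_ok=True)
    (PUBLIC_DIR / "readme.txt").write_text("public\n")
    PARAM_FILE.write_text("eth0.ip=192.0.2.10\n")  # constructed sample content
    try:
        os.symlink(TEST_DIR, PUBLIC_DIR / "link")
        return True
    except (OSError, NotImplementedError):
        return False


HAVE_SYMLINK = setup_fs()


def weak_allow(rel_path: str) -> bool:
    """Incomplete allowlist: a plain string-prefix test on the raw request path.
    "public_test/params.cfg".startswith("public") is True, so a sibling
    directory that merely shares the prefix is exposed, and "../" sequences
    are never examined at all."""
    return rel_path.startswith("public")


def strict_allow(rel_path: str, allowed_roots=(PUBLIC_DIR,)) -> bool:
    """Deny-by-default allowlist: resolve the path (collapsing "..", following
    symlinks) and accept only if it lies inside one explicitly allowed root."""
    if os.path.isabs(rel_path):          # an absolute path would replace ROOT
        return False
    target = (ROOT / rel_path).resolve()
    for root in allowed_roots:
        try:
            target.relative_to(root.resolve())
            return True
        except ValueError:
            continue
    return False


def handle(method: str, rel_path: str, authenticated: bool, allow=strict_allow) -> int:
    """Minimal request gate. Returns an HTTP-style status: 403 for paths
    outside the allowlist, 401 for unauthenticated writes, 200 otherwise.
    Writes need authentication even inside the allowlist, because a written
    parameter file may be picked up on the next reboot."""
    if not allow(rel_path):
        return 403
    if method in ("PUT", "POST", "DELETE") and not authenticated:
        return 401
    return 200
```

With the weak policy, an unauthenticated `GET public_test/params.cfg` is served; with the strict policy the same request is refused because the resolved path is not under the single allowed root, and a `PUT` into the allowed root is still refused without credentials.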
Impact
Exploitation of this vulnerability could lead to unauthorized access and modification of sensitive device settings and security-relevant data. In the case of CVE-2026-2331, this includes customer-defined passwords and the potential execution of arbitrary code in a sandboxed environment.
Remediation
Users are strongly recommended to upgrade to version 2.8.0. The affected ranges listed for Lector83x are all versions <2.8.0 and, within that, the range >=2.6.0 <=2.7.0; the same ranges are listed for Lector85x.
