CVE-2026-2330 - Vulnerability Analysis
Critical | CVSS: 9.4 | Last Updated: March 6, 2026
CROWN - Broken Access Control
Published: March 6, 2026 | Updated: March 6, 2026 | Remote Exploitable
Overview
The CROWN device contains a broken access control vulnerability caused by incomplete whitelist enforcement in the REST interface, which lets unauthenticated attackers modify critical device settings after reboot. Exploitation requires no authentication.
Severity & Score
Severity: Critical
CVSS Score: 9.4
Impact
Unauthenticated attackers can modify critical device settings, potentially disrupting network and application configurations.
Mitigation
Update to the latest version with proper whitelist enforcement.
References
- https://www.cisa.gov/resources-tools/resources/ics-recommended-practices
- https://www.first.org/cvss/calculator/3.1
- https://www.sick.com/.well-known/csaf/white/2026/sca-2026-0006.json
- https://www.sick.com/.well-known/csaf/white/2026/sca-2026-0006.pdf
- https://www.sick.com/media/docs/9/19/719/special_information_sick_operating_guidelines_cybersecurity_by_sick_en_im0106719.pdf
- https://www.sick.com/psirt
Details
- CVE ID: CVE-2026-2330
- Severity: Critical
- CVSS Score: 9.4
- Type: broken_access_control
- Status: new
CWE
- CWE-552
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H