
Description

The Brightpick Internal Logic Control web interface is accessible without requiring user authentication. An unauthorized user could exploit this interface to manipulate robot control functions, including initiating or halting runners, assigning jobs, clearing stations, and deploying storage totes.

Status: PUBLISHED | Reserved 2025-10-29 | Published 2025-11-14 | Updated 2025-11-17 | Assigner: icscert

CVSS v3.1 base score: MEDIUM 6.5 (CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)

CVSS v4.0 base score: HIGH 7.1 (CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N)

Both vectors rate the attack vector as Adjacent (AV:A): the attacker needs access to the network segment on which the web interface is reachable. No privileges or user interaction are required, and the rated impact is to integrity only (unauthorized control actions), not to confidentiality or availability.

Problem types

CWE-306: Missing Authentication for Critical Function

Product status

Default status: unaffected
All versions: affected

Credits

Souvik Kandar (finder) reported these vulnerabilities to CISA.

References

brightpick.ai/contact-us/

www.cisa.gov/news-events/ics-advisories/icsa-25-317-04

github.com/...p/csaf_files/OT/white/2025/icsa-25-317-04.json

cve.org (CVE-2025-64307)

nvd.nist.gov (CVE-2025-64307)
