CVE-2022-27581 is a vulnerability identified in the firmware of SICK RFU61x devices, specifically in versions prior to 2.25. The issue stems from the use of broken or risky cryptographic algorithms (CWE-327) within the SSH interface of the device firmware. When a user explicitly requests weak cipher suites for encryption during SSH sessions, a low-privileged remote attacker can exploit this weakness to decrypt encrypted data transmitted over the SSH connection. This vulnerability does not require user interaction and can be exploited remotely over the network with low privileges, making it a network-exploitable cryptographic weakness. The vulnerability affects confidentiality but does not impact integrity or availability of the system. The CVSS v3.1 score is 6.5 (medium severity), reflecting the ease of network exploitation (AV:N), low attack complexity (AC:L), and the requirement for low privileges (PR:L), but no user interaction (UI:N). The scope remains unchanged (S:U), and the impact is high on confidentiality (C:H) but none on integrity (I:N) or availability (A:N). The root cause is the allowance of weak cipher suites in the SSH configuration, which can be requested by users, leading to the use of cryptographically insecure algorithms that can be broken by attackers to decrypt sensitive data. The vendor has released a firmware update (version 2.25 or later) that patches this vulnerability, and installation instructions are available through official SICK customer contacts. There are no known exploits in the wild at this time.

For European organizations using SICK RFU61x devices, particularly in industrial automation, manufacturing, and logistics sectors where these devices are commonly deployed for RFID and sensor applications, this vulnerability poses a risk to the confidentiality of sensitive operational data transmitted via SSH. An attacker exploiting this flaw could decrypt sensitive configuration data, operational commands, or authentication credentials, potentially enabling further lateral movement or reconnaissance within the network. Although the vulnerability does not directly affect system integrity or availability, the exposure of confidential data could lead to industrial espionage, intellectual property theft, or preparation for more damaging attacks. Given the critical role of SICK devices in automation and safety systems, compromised confidentiality could indirectly affect operational reliability and safety. The medium severity rating suggests that while the risk is not critical, it is significant enough to warrant prompt remediation to prevent escalation or exploitation in targeted attacks.

1. Immediate firmware upgrade to version 2.25 or later on all affected SICK RFU61x devices to eliminate the use of weak cipher suites. 2. Audit and restrict SSH configurations to disallow weak or deprecated cipher suites explicitly, ensuring only strong, modern cryptographic algorithms are permitted. 3. Implement network segmentation and access controls to limit SSH access to trusted management networks and authorized personnel only. 4. Monitor SSH session logs for unusual cipher suite negotiation or unauthorized access attempts. 5. Conduct regular vulnerability assessments on industrial control systems to detect outdated firmware or insecure configurations. 6. Coordinate with SICK customer support for official patch deployment procedures and verify successful installation across all devices. 7. Educate operational technology (OT) and security teams about the risks of weak cryptography and enforce policies against enabling weak cipher suites even if requested by users.