CVE-2022-43990: CWE-306 in SICK SIM1012

Severity: High
Published: Tue Nov 01 2022 (11/01/2022, 00:00:00 UTC)
Source: CVE
Vendor/Project: n/a
Product: SICK SIM1012

Description

Password recovery vulnerability in SICK SIM1012 part number 1098146 with firmware version <2.2.0 allows an unprivileged remote attacker to gain access to the user level defined as RecoverableUserLevel by invoking the password recovery mechanism method. This leads to an increase in their privileges on the system, thereby affecting the confidentiality, integrity, and availability of the system. An attacker can expect repeatable success by exploiting the vulnerability. The recommended solution is to update the firmware to a version >= 2.2.0 as soon as possible (available in SICK Support Portal).

AI-Powered Analysis

Last updated: 07/03/2025, 13:43:53 UTC

Technical Analysis

CVE-2022-43990 is a high-severity password recovery vulnerability affecting the SICK SIM1012 device, specifically part number 1098146 running firmware versions earlier than 2.2.0. The vulnerability stems from missing authentication for a critical function (CWE-306), a form of improper access control, in the password recovery mechanism: an unprivileged remote attacker can invoke the recovery method and gain access to the user level defined as RecoverableUserLevel. This escalates the attacker's privileges on the system without requiring authentication or user interaction. The vulnerability impacts the confidentiality, integrity, and availability of the device by potentially allowing attackers to access sensitive information, modify system configurations, or disrupt normal operations. It is remotely exploitable over the network with low attack complexity and no privileges required, making it particularly dangerous. The vendor has released a firmware update (version 2.2.0 or later) that addresses this issue, and immediate patching is recommended to mitigate the risk. No known exploits in the wild have been reported to date, but the repeatable nature of the exploit increases the risk of future attacks.

Potential Impact

For European organizations, especially those in industrial automation, manufacturing, logistics, and critical infrastructure sectors that utilize SICK SIM1012 devices, this vulnerability poses a significant risk. The SIM1012 is commonly used for identification and automation tasks, and unauthorized access could lead to manipulation of device functions, leakage of sensitive operational data, or disruption of automated processes. This could result in operational downtime, safety hazards, and financial losses. Additionally, compromised devices could serve as entry points for lateral movement within corporate networks, increasing the risk of broader cyberattacks. Given the critical role of industrial control systems in European economies and infrastructure, exploitation of this vulnerability could have cascading effects on supply chains and service availability.

Mitigation Recommendations

European organizations should immediately verify the firmware version of all deployed SICK SIM1012 devices and upgrade any with firmware versions below 2.2.0 to the latest available version from the SICK Support Portal. Network segmentation should be enforced to isolate these devices from untrusted networks and limit remote access only to authorized personnel and systems. Implement strict access controls and monitor network traffic for unusual activity targeting these devices. Additionally, organizations should review and harden their password recovery and authentication policies where applicable. Regular vulnerability assessments and penetration testing focusing on industrial control systems can help identify residual risks. Finally, maintain close communication with the vendor for any further advisories or patches.
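The firmware check described above can be run against an asset inventory. The following is an added example, not code from this page or from SICK: the CSV layout, column names and sample rows are constructed assumptions, while the part number 1098146 and the 2.2.0 threshold come from the advisory. It compares versions numerically, so 2.10.0 is not mistaken for older than 2.2.0, and it never counts an unparseable version as patched.

```python
import csv
import io
import re

AFFECTED_PART = "1098146"      # part number named in the advisory
FIXED_VERSION = (2, 2, 0)      # first fixed firmware version per the advisory

# Constructed sample inventory; column names are assumptions, not a SICK export format.
SAMPLE_INVENTORY = """\
hostname,product,part_number,firmware
sim-line1,SIM1012,1098146,2.1.3
sim-line2,SIM1012,1098146,V2.10.0
sim-line3,SIM1012,1098146,2.2
sim-dock1,SIM1012,1098146,unknown
cam-gate4,OtherDevice,1234567,1.0.0
"""


def parse_version(text):
    """Return a 3-part integer tuple, or None if the string is not a dotted version."""
    match = re.fullmatch(r"[vV]?(\d+)(?:\.(\d+))?(?:\.(\d+))?", text.strip())
    if not match:
        return None
    return tuple(int(part or 0) for part in match.groups())


def classify(row):
    """Return 'not_applicable', 'vulnerable', 'patched' or 'unverified' for one row."""
    if row["part_number"].strip() != AFFECTED_PART:
        return "not_applicable"
    version = parse_version(row["firmware"])
    if version is None:
        return "unverified"   # needs a manual check; never assume it is patched
    return "vulnerable" if version < FIXED_VERSION else "patched"


def audit(csv_text):
    """Map hostname -> classification for every row in the inventory."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return {row["hostname"]: classify(row) for row in reader}


if __name__ == "__main__":
    for host, status in audit(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```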

Technical Details

Data Version: 5.1
Assigner Short Name: SICK AG
Date Reserved: 2022-10-28T00:00:00.000Z
Cisa Enriched: true
Cvss Version: 3.1
State: PUBLISHED

Threat ID: 682d981fc4522896dcbdca69

Added to database: 5/21/2025, 9:08:47 AM

Last enriched: 7/3/2025, 1:43:53 PM

Last updated: 7/29/2025, 10:02:16 AM
