CVE-2025-32472: CWE-400 (Uncontrolled Resource Consumption) in SICK AG SICK multiScan1XX
The multiScan and picoScan are vulnerable to a denial-of-service (DoS) attack. A remote attacker can exploit this vulnerability by conducting a Slowloris-type attack, causing the web page to become unresponsive.
AI Analysis
Technical Summary
CVE-2025-32472 is a vulnerability classified under CWE-400 (Uncontrolled Resource Consumption) affecting all versions of the SICK AG multiScan1XX product line, including multiScan and picoScan devices. These devices are industrial sensors commonly used in automation, manufacturing, and logistics for object detection and measurement.

The vulnerability allows a remote attacker to perform a denial-of-service (DoS) attack by exploiting the device's web interface with a Slowloris-type attack. Slowloris attacks work by opening multiple HTTP connections to the target and keeping them alive by sending partial requests slowly, thereby exhausting the server's connection pool and resources. This results in the web interface becoming unresponsive, effectively denying legitimate users access to the device's management or monitoring functions. The vulnerability requires no authentication or user interaction and can be executed remotely over the network.

The CVSS v3.1 base score is 5.3 (medium severity), reflecting that the attack vector is network-based (AV:N), with low attack complexity (AC:L), no privileges required (PR:N), and no user interaction (UI:N). The impact is limited to availability (A:L), with no confidentiality or integrity impact. No known exploits are currently reported in the wild, and no patches have been published yet. Given the nature of the devices and the vulnerability, the attack targets the device's web server component, which likely has limited resources, making it susceptible to resource exhaustion attacks like Slowloris.
Potential Impact
For European organizations, the impact of this vulnerability can be significant in sectors relying on SICK multiScan1XX devices for critical automation and safety functions, such as manufacturing plants, logistics hubs, and industrial facilities. A successful DoS attack could disrupt operational monitoring and control, leading to downtime, reduced productivity, and potential safety risks if sensor data is unavailable or delayed. While the vulnerability does not directly compromise data confidentiality or integrity, the loss of availability can cascade into operational inefficiencies and increased risk of accidents or process failures. Organizations with large-scale deployments of these sensors may experience amplified effects, especially if the devices are integrated into centralized monitoring systems. The lack of authentication requirement means attackers can launch attacks without prior access, increasing the threat surface. Additionally, the unavailability of patches necessitates interim mitigation measures to maintain operational continuity.
Mitigation Recommendations
- Implement network-level protections such as rate limiting and connection throttling on firewalls or intrusion prevention systems (IPS) to detect and block Slowloris-style attacks targeting the devices' web interfaces.
- Isolate SICK multiScan1XX devices on segmented network zones with restricted access, limiting exposure to untrusted networks and reducing the attack surface.
- Deploy web application firewalls (WAF) or reverse proxies configured to handle and mitigate slow HTTP attacks by enforcing connection timeouts and limiting concurrent connections per client IP.
- Monitor network traffic for unusual patterns indicative of Slowloris attacks, such as numerous half-open HTTP connections from single sources, and establish alerting mechanisms.
- Engage with SICK AG for updates on patches or firmware upgrades addressing this vulnerability and plan for timely deployment once available.
- Consider disabling or restricting access to the web management interface if remote management is not necessary, or use VPNs and strong authentication mechanisms to control access.
- Regularly audit and update network device configurations to ensure minimal exposure of industrial sensors to public or unsecured networks.
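The two mitigations above that a defender can implement in front of the device (a reverse proxy enforcing header timeouts and a per-IP connection cap, and monitoring for many half-open HTTP connections from one source) are illustrated by the following added example. It is not code from SICK AG, from the device firmware, or from this advisory's source. It assumes a hypothetical connection-snapshot format (one connection per line: source endpoint, state, age in seconds, header bytes received) that a proxy or monitoring agent could export; the thresholds, the sample addresses from the documentation ranges, and the state names are constructed for the example.

```python
"""Detect and throttle Slowloris-style half-open HTTP connections from a connection snapshot.

Assumed snapshot format (constructed for this example, not a SICK or proxy-specific format):
    <src_ip>:<src_port> <state> <age_seconds> <header_bytes_received>
where state is HEADERS_INCOMPLETE (request headers never finished) or ACTIVE.
"""
from collections import defaultdict
from dataclasses import dataclass

# Assumed policy values; tune to the real proxy and the device's expected client population.
HEADER_TIMEOUT_S = 20       # a connection still without complete headers after this is "half-open"
MAX_HALF_OPEN_PER_IP = 10   # alert when one source holds at least this many half-open connections
MAX_CONCURRENT_PER_IP = 8   # proxy-side cap on simultaneous connections from one source


@dataclass
class Conn:
    src_ip: str
    src_port: int
    state: str
    age_s: float
    header_bytes: int


def parse_snapshot(text: str) -> list[Conn]:
    """Parse the constructed snapshot format; blank lines and '#' comments are skipped."""
    conns = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        endpoint, state, age, hdr = line.split()
        ip, port = endpoint.rsplit(":", 1)
        conns.append(Conn(ip, int(port), state, float(age), int(hdr)))
    return conns


def is_half_open(c: Conn, header_timeout_s: float = HEADER_TIMEOUT_S) -> bool:
    """A connection that has not completed its request headers within the timeout."""
    return c.state == "HEADERS_INCOMPLETE" and c.age_s >= header_timeout_s


def half_open_by_source(conns, header_timeout_s=HEADER_TIMEOUT_S) -> dict[str, int]:
    """Monitoring view: count timed-out half-open connections per source address."""
    counts = defaultdict(int)
    for c in conns:
        if is_half_open(c, header_timeout_s):
            counts[c.src_ip] += 1
    return dict(counts)


def slowloris_alerts(conns, header_timeout_s=HEADER_TIMEOUT_S,
                     max_half_open=MAX_HALF_OPEN_PER_IP) -> list[str]:
    """Source addresses whose half-open connection count reaches the alert threshold."""
    counts = half_open_by_source(conns, header_timeout_s)
    return sorted(ip for ip, n in counts.items() if n >= max_half_open)


def connections_to_close(conns, header_timeout_s=HEADER_TIMEOUT_S,
                         max_concurrent=MAX_CONCURRENT_PER_IP) -> list[tuple[str, int]]:
    """Mitigation view: connections a proxy would drop under a header timeout plus a per-IP cap.

    Timed-out half-open connections are closed first; then, for any source still above the
    concurrency cap, the newest excess connections are closed so established clients survive.
    """
    to_close: set[tuple[str, int]] = set()
    per_ip: dict[str, list[Conn]] = defaultdict(list)
    for c in conns:
        if is_half_open(c, header_timeout_s):
            to_close.add((c.src_ip, c.src_port))
        per_ip[c.src_ip].append(c)
    for group in per_ip.values():
        survivors = [c for c in group if (c.src_ip, c.src_port) not in to_close]
        survivors.sort(key=lambda c: c.age_s, reverse=True)  # oldest first
        for c in survivors[max_concurrent:]:
            to_close.add((c.src_ip, c.src_port))
    return sorted(to_close)


# Constructed sample: one source holding 12 stalled connections, one holding 10 fresh but
# incomplete connections, a normal client with a briefly slow request, and one stalled client.
SAMPLE_SNAPSHOT = "\n".join(
    [f"203.0.113.7:{40000 + i} HEADERS_INCOMPLETE {25 + i} 38" for i in range(12)]
    + [f"198.51.100.77:{52000 + i} HEADERS_INCOMPLETE {1 + i} 41" for i in range(10)]
    + ["198.51.100.5:51000 ACTIVE 4 512",
       "198.51.100.5:51001 ACTIVE 1 640",
       "198.51.100.5:51002 HEADERS_INCOMPLETE 3 120",
       "192.0.2.9:60000 HEADERS_INCOMPLETE 30 40"]
)

if __name__ == "__main__":
    snapshot = parse_snapshot(SAMPLE_SNAPSHOT)
    print("half-open per source:", half_open_by_source(snapshot))
    print("alert on:", slowloris_alerts(snapshot))
    print("connections to close:", connections_to_close(snapshot))
```

In the sample, only the source with 12 stalled connections trips the monitoring alert; the source with 10 young incomplete connections is not yet past the header timeout, but the proxy-side cap still trims it to 8, which is the layered behaviour the recommendations describe: the timeout bounds how long any single slow connection can hold a server slot, and the per-IP cap bounds how many slots one client can occupy regardless of age.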
Affected Countries
Germany, France, Italy, Netherlands, Belgium, Poland, Czech Republic, Austria, Sweden
Technical Details
- Data Version: 5.1
- Assigner Short Name: SICK AG
- Date Reserved: 2025-04-09T07:42:18.369Z
- CISA Enriched: true
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 682d983dc4522896dcbef69a
Added to database: 5/21/2025, 9:09:17 AM
Last enriched: 6/24/2025, 8:20:31 PM
Last updated: 11/21/2025, 2:14:24 AM