Brightpick Mission Control / Internal Logic Control Missing Authentication for Critical Function
Summary
| CVE | CVE-2025-64307 |
|---|---|
| State | PUBLISHED |
| Assigner | icscert |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2025-11-15 00:15:47 UTC |
| Updated | 2026-06-25 23:17:02 UTC |
| Description | The Brightpick Internal Logic Control web interface is accessible without requiring user authentication. An unauthorized user could exploit this interface to manipulate robot control functions, including initiating or halting runners, assigning jobs, clearing stations, and deploying storage totes. |
Risk And Classification
Primary CVSS: v4.0 7.1 HIGH from [email protected]
CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS: 0.002200000 probability, percentile 0.124230000 (date 2026-06-25)
Problem Types: CWE-306 | CWE-306 CWE-306
| Version | Source | Type | Score | Severity | Vector |
|---|---|---|---|---|---|
| 4.0 | [email protected] | Secondary | 7.1 | HIGH | CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/C... |
| 4.0 | CNA | CVSS | 7.1 | HIGH | CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N |
| 3.1 | [email protected] | Secondary | 6.5 | MEDIUM | CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N |
| 3.1 | CNA | CVSS | 6.5 | MEDIUM | CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N |
CVSS v4.0 Breakdown
CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
CVSS v3.1 Breakdown
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Vendor Declared Affected Products
| Source | Vendor | Product | Version | Platforms |
|---|---|---|---|---|
| CNA | Brightpick AI | Brightpick Mission Control / Internal Logic Control | affected 1.67.0 custom | Not specified |
| CNA | Brightpick AI | Brightpick Mission Control / Internal Logic Control | unaffected 1.67.0 | Not specified |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| brightpick.ai/contact-us | [email protected] | brightpick.ai | |
| www.cisa.gov/news-events/ics-advisories/icsa-25-317-04 | [email protected] | www.cisa.gov | |
| github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2025/icsa-25-31... | [email protected] | github.com | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
Vendor Comments And Credit
Discovery Credit
CNA: Souvik Kandar reported these vulnerabilities to CISA. (en)
Additional Advisory Data
Solutions
CNA: Brightpick AI has updated their backend in Mission Control to release 1.67.0 to mitigate these vulnerabilities as of February 04, 2026. Users running Mission Control 1.67.0 or later are mitigated.
CNA: Brightpick has introduced a reverse-proxy authentication layer inline between the public load balancer and the internal service. This vendor fix has been applied to all deployed instances.
Workarounds
CNA: Users of the affected products are encouraged to contact Brightpick AI https://brightpick.ai/contact-us/ for additional information.