Brightpick Mission Control CVE-2025-64308
HIGHSeverity by source
CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Adjacent-network access serves the JS bundle to any client with no auth or interaction (AV:A/AC:L/PR:N/UI:N); impact is pure credential disclosure, so C:H, I:N, A:N.
Primary rating from Vendor (hq).
CVSS VectorVendor: hq
CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
6DescriptionCVE.org
The Brightpick Mission Control web application exposes hardcoded credentials in its client-side JavaScript bundle.
AnalysisAI
Credential disclosure in the Brightpick Mission Control web application allows anyone able to retrieve the application's client-side JavaScript bundle to extract hardcoded credentials embedded in that code. Because the secrets ship to the browser, any user or adjacent-network actor who loads the front-end can recover them and potentially authenticate to back-end services in this warehouse-automation/ICS-OT product. Reported by CISA ICS-CERT (ICSA-25-317-04); no public exploit has been identified and EPSS exploitation probability is very low (0.06%, 17th percentile).
Technical ContextAI
Brightpick Mission Control is the web-based control interface for Brightpick's autonomous warehouse fulfillment robots and operations, placing it in the OT/ICS domain. The flaw is classified as CWE-523 (Unprotected Transport of Credentials): credentials are baked directly into the client-side JavaScript bundle that the server delivers to every browser. Client-side bundles are fully recoverable by any client - viewing source, opening browser dev tools, or downloading and de-minifying the JS - so embedding secrets there is functionally equivalent to publishing them to all users of the application. The CVSS 4.0 metrics (VC:H, VI:N, VA:N) characterize the impact as a pure confidentiality loss of the embedded secret rather than direct integrity or availability damage.
Affected ProductsAI
The affected product is the Brightpick Mission Control web application as described in CISA ICS advisory ICSA-25-317-04 (https://www.cisa.gov/news-events/ics-advisories/icsa-25-317-04 and the machine-readable CSAF at https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2025/icsa-25-317-04.json). No specific affected version range or CPE string is provided in the available NVD data, and the vendor contact reference (https://brightpick.ai/contact-us/) does not enumerate fixed builds; exact affected versions should be confirmed via the CISA advisory and direct vendor contact.
RemediationAI
No vendor-released patch version is identified in the available data; consult CISA advisory ICSA-25-317-04 (https://www.cisa.gov/news-events/ics-advisories/icsa-25-317-04) and contact Brightpick (https://brightpick.ai/contact-us/) for an updated build that removes the embedded secrets. The definitive fix requires the vendor to strip credentials from the client-side bundle and move authentication server-side; operators cannot fully remediate this themselves. As compensating controls until a fixed build is deployed: rotate/revoke the exposed credentials and any back-end accounts they unlock (note: rotation only helps if the new secrets are not re-embedded in the shipped JS); restrict network access to Mission Control to a dedicated, segmented OT VLAN and trusted management hosts only, reducing the AV:A exposure (trade-off: may complicate legitimate remote operator access); and place the application behind an authenticating reverse proxy or VPN so the JS bundle is not served to untrusted clients (trade-off: added operational overhead and does not protect against insider/adjacent access).
Same weakness CWE-523 – Unprotected Transport of Credentials
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today