Skip to main content

Brightpick Mission Control CVE-2025-64308

HIGH
Unprotected Transport of Credentials (CWE-523)
2025-11-15 ics-cert@hq.dhs.gov
7.1
CVSS 4.0 · Vendor: hq
Share

Severity by source

Vendor (hq) PRIMARY
7.1 HIGH
CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
6.5 MEDIUM

Adjacent-network access serves the JS bundle to any client with no auth or interaction (AV:A/AC:L/PR:N/UI:N); impact is pure credential disclosure, so C:H, I:N, A:N.

3.1 AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
4.0 AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (hq).

CVSS VectorVendor: hq

CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Adjacent
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

6
Analysis Updated
Jun 25, 2026 - 23:30 vuln.today
v3 (cvss_changed)
Analysis Updated
Jun 25, 2026 - 23:30 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jun 25, 2026 - 23:22 vuln.today
cvss_changed
CVSS changed
Jun 25, 2026 - 23:22 NVD
8.7 (HIGH) 7.1 (HIGH)
Analysis Generated
Mar 28, 2026 - 19:22 vuln.today
CVE Published
Nov 15, 2025 - 00:15 nvd
HIGH 8.7

DescriptionCVE.org

The Brightpick Mission Control web application exposes hardcoded credentials in its client-side JavaScript bundle.

AnalysisAI

Credential disclosure in the Brightpick Mission Control web application allows anyone able to retrieve the application's client-side JavaScript bundle to extract hardcoded credentials embedded in that code. Because the secrets ship to the browser, any user or adjacent-network actor who loads the front-end can recover them and potentially authenticate to back-end services in this warehouse-automation/ICS-OT product. Reported by CISA ICS-CERT (ICSA-25-317-04); no public exploit has been identified and EPSS exploitation probability is very low (0.06%, 17th percentile).

Technical ContextAI

Brightpick Mission Control is the web-based control interface for Brightpick's autonomous warehouse fulfillment robots and operations, placing it in the OT/ICS domain. The flaw is classified as CWE-523 (Unprotected Transport of Credentials): credentials are baked directly into the client-side JavaScript bundle that the server delivers to every browser. Client-side bundles are fully recoverable by any client - viewing source, opening browser dev tools, or downloading and de-minifying the JS - so embedding secrets there is functionally equivalent to publishing them to all users of the application. The CVSS 4.0 metrics (VC:H, VI:N, VA:N) characterize the impact as a pure confidentiality loss of the embedded secret rather than direct integrity or availability damage.

Affected ProductsAI

The affected product is the Brightpick Mission Control web application as described in CISA ICS advisory ICSA-25-317-04 (https://www.cisa.gov/news-events/ics-advisories/icsa-25-317-04 and the machine-readable CSAF at https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2025/icsa-25-317-04.json). No specific affected version range or CPE string is provided in the available NVD data, and the vendor contact reference (https://brightpick.ai/contact-us/) does not enumerate fixed builds; exact affected versions should be confirmed via the CISA advisory and direct vendor contact.

RemediationAI

No vendor-released patch version is identified in the available data; consult CISA advisory ICSA-25-317-04 (https://www.cisa.gov/news-events/ics-advisories/icsa-25-317-04) and contact Brightpick (https://brightpick.ai/contact-us/) for an updated build that removes the embedded secrets. The definitive fix requires the vendor to strip credentials from the client-side bundle and move authentication server-side; operators cannot fully remediate this themselves. As compensating controls until a fixed build is deployed: rotate/revoke the exposed credentials and any back-end accounts they unlock (note: rotation only helps if the new secrets are not re-embedded in the shipped JS); restrict network access to Mission Control to a dedicated, segmented OT VLAN and trusted management hosts only, reducing the AV:A exposure (trade-off: may complicate legitimate remote operator access); and place the application behind an authenticating reverse proxy or VPN so the JS bundle is not served to untrusted clients (trade-off: added operational overhead and does not protect against insider/adjacent access).

Share

CVE-2025-64308 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy