PSA-007: Default Passwords for safety PLC

Last modified: 24 Sept 2025

CVE-2020-10276

Note

This Product Security Advisory is based on a thorough investigation and all findings that were available at the time of publication. Should new information on the matter become available, it is possible that the initial assessment changes and the Advisory will be updated.

Statement

We hereby inform that the following MiR products:

Product

Software version

MiR Robots

All

are affected by:

CVE

CVSS score

Customer Risk (MiR Score)

CVE-2020-10276

9.8

Critical

Overview

MiR robots shipped before June 2020 used to have default passwords set for the SICK safety PLC.

An attacker with access to the internal network of the robot could use the default credentials to manipulate the safety PLC, effectively disabling the emergency stop function.

This vulnerability is especially critical in combination with CVE-2020-10269, which could be used to gain access to the internal robot network through the robot-hosted wireless network.

References

NIST NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2020-10276

Mitigations

  • All MiR robots shipped from June 2020 onwards are configured with unique passwords for the SICK PLC. Printed paper with the unique password is provided with the robot.

Recommended Actions

  • If your robot was shipped before June 2020, please change the password for the SICK PLC as described in the product service note “Improve the IT security of MiR products” available on the MiR Support Portal.

Revision history

Date

Description

2025-09-24

Revised as part of a webpage update

2022-08-11

Document name and visual update

2021-05-27

Initial Advisory publication