CVE-2025-64307

MEDIUM 6.5

Brightpick Mission Control / Internal Logic Control Missing Authentication for Critical Function

CVSS Score

6.5

EPSS Score

0.2%

EPSS Percentile

12th

The Brightpick Internal Logic Control web interface is accessible without requiring user authentication. An unauthorized user could exploit this interface to manipulate robot control functions, including initiating or halting runners, assigning jobs, clearing stations, and deploying storage totes.

CWE	CWE-306
Vendor	brightpick ai
Product	brightpick mission control / internal logic control
Published	Nov 14, 2025
Last Updated	Jun 25, 2026

Stay Ahead of the Next One

Get instant alerts for brightpick ai brightpick mission control / internal logic control

Be the first to know when new medium vulnerabilities affecting brightpick ai brightpick mission control / internal logic control are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Attack Vector

Adjacent

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

High

Availability

None

Affected Versions

Brightpick AI / Brightpick Mission Control / Internal Logic Control

0 < 1.67.0

References

NVD ↗ CVE.org ↗ EPSS Data ↗

brightpick.ai: https://brightpick.ai/contact-us/ cisa.gov: https://www.cisa.gov/news-events/ics-advisories/icsa-25-317-04 github.com: https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2025/icsa-25-317-04.json

Credits

Souvik Kandar reported these vulnerabilities to CISA.