Brightpick Mission Control / Internal Logic Control

Plan Patch | CVSS 8.6 | ICS-CERT ICSA-25-317-04 | Nov 13, 2025

Attack path
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

Brightpick Mission Control and Internal Logic Control (all versions) contain authentication bypass and insecure direct object reference vulnerabilities (CWE-306, CWE-523) that could allow unauthenticated attackers to access sensitive information and manipulate critical warehouse automation functions. Brightpick AI has not responded to CISA coordination requests and has not indicated plans to develop patches.

What this means
What could happen
An attacker with network access to Brightpick Mission Control could extract sensitive information or manipulate critical warehouse automation logic, potentially disrupting picking operations or exposing proprietary configurations.
Who's at risk
Organizations operating Brightpick warehouse automation systems (all versions) should prioritize this issue. Affected users include fulfillment centers, e-commerce logistics providers, and any facility using Brightpick Mission Control for order picking operations. The vulnerability poses direct risk to the confidentiality of warehouse configurations and potentially the integrity of picking logic.
How it could be exploited
An attacker on the same network segment as the Mission Control system could send requests that bypass authentication checks (CWE-306) or exploit insecure direct object references (CWE-523) to reach restricted functions and configuration data without valid credentials. No exploitation is currently known in the wild, but the lack of vendor response and the absence of a planned patch increase the risk should public exploits be developed.
Prerequisites
  • Network access to the Brightpick Mission Control system port or API interface
  • No valid credentials required
Tags: remotely exploitable, no authentication required, low complexity, no patch available, vendor unresponsive
Exploitability
Unlikely to be exploited — EPSS score 0.1%
Affected products (1)
Product | Affected Versions | Fix Status
Brightpick Mission Control / Internal Logic Control (vers:all/*) | All versions | No fix (EOL)
Remediation & Mitigation
Do now
Workaround: Restrict network access to Brightpick Mission Control systems by placing them behind a firewall and blocking inbound connections from the Internet and untrusted business networks.
Workaround: If remote access to Mission Control is required, enforce connections only through a VPN and restrict VPN access to named engineering personnel with time-limited sessions.
Workaround: Disable any remote access or API endpoints on Mission Control that are not actively required for operations.
Mitigations - no patch available
Brightpick Mission Control / Internal Logic Control: vers:all/* has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:
Hardening: Isolate the Mission Control system on a dedicated network segment separate from corporate IT networks, with controlled access points monitored for anomalous traffic.
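The workarounds above and the hardening item all reduce to one policy: only named engineering sources may reach the Mission Control host, only on the ports it genuinely needs, and everything else is blocked and logged. The script below is an added example, not code from the advisory, from CISA or from Brightpick. It expresses that policy once, renders it as an nftables ruleset for the access point in front of the controller, and audits firewall connection logs against the same policy to surface the "anomalous traffic" the hardening item asks you to monitor for. The controller address (10.20.30.40), the service ports (443, 8443), the allowed segments (10.20.30.0/24, 10.99.0.0/24) and the key=value log format are all constructed assumptions; substitute your own.

```python
"""Audit firewall logs and render firewall rules for an isolated OT controller
such as Brightpick Mission Control. Added example: every address, port and
log line here is a constructed assumption, not a value from the advisory."""
import ipaddress
import re

# --- Policy (all values hypothetical) --------------------------------------
MISSION_CONTROL_HOST = ipaddress.ip_address("10.20.30.40")   # assumed controller address
MISSION_CONTROL_PORTS = {443, 8443}                          # assumed UI/API ports still needed
ALLOWED_SOURCES = [
    ipaddress.ip_network("10.20.30.0/24"),   # assumed OT cell segment
    ipaddress.ip_network("10.99.0.0/24"),    # assumed engineering VPN address pool
]

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Parse one constructed key=value firewall log line.
    Returns None for lines that lack the fields we need."""
    fields = dict(KV_RE.findall(line))
    try:
        return {
            "ts": line.split()[0],
            "action": fields["action"],
            "src": ipaddress.ip_address(fields["src"]),
            "dst": ipaddress.ip_address(fields["dst"]),
            "dport": int(fields["dport"]),
        }
    except (KeyError, ValueError, IndexError):
        return None


def source_allowed(src):
    return any(src in net for net in ALLOWED_SOURCES)


def classify(event):
    """Return policy findings for one parsed event (empty list = compliant)."""
    findings = []
    if event["dst"] != MISSION_CONTROL_HOST:
        return findings                       # traffic to other hosts is out of scope here
    if not source_allowed(event["src"]):
        findings.append("untrusted-source")   # reached the controller from outside the allowed segments
    if event["dport"] not in MISSION_CONTROL_PORTS:
        findings.append("unexpected-port")    # an endpoint that should be disabled or blocked
    if event["action"] == "ACCEPT" and findings:
        findings.append("accepted")           # the firewall let a non-compliant connection through
    return findings


def audit(log_text):
    """Return (ts, src, dport, findings) for every non-compliant event."""
    flagged = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        findings = classify(ev)
        if findings:
            flagged.append((ev["ts"], str(ev["src"]), ev["dport"], findings))
    return flagged


def nft_ruleset():
    """Render the same policy as an nftables ruleset: allow the listed sources
    to the listed ports, log and drop everything else aimed at the controller."""
    nets = ", ".join(str(n) for n in ALLOWED_SOURCES)
    ports = ", ".join(str(p) for p in sorted(MISSION_CONTROL_PORTS))
    return "\n".join([
        "table inet mc_isolation {",
        f"  set eng_sources {{ type ipv4_addr; flags interval; elements = {{ {nets} }}; }}",
        "  chain forward {",
        "    type filter hook forward priority 0; policy accept;",
        f"    ip daddr {MISSION_CONTROL_HOST} tcp dport {{ {ports} }} ip saddr @eng_sources accept",
        f'    ip daddr {MISSION_CONTROL_HOST} log prefix "mc-drop " drop',
        "  }",
        "}",
    ])


# Constructed sample log (syslog-style key=value lines, not Brightpick output)
SAMPLE_LOG = """\
2025-11-13T08:00:01Z fw1 action=ACCEPT src=10.99.0.15 dst=10.20.30.40 dport=443 proto=tcp
2025-11-13T08:00:07Z fw1 action=ACCEPT src=192.168.50.9 dst=10.20.30.40 dport=443 proto=tcp
2025-11-13T08:00:09Z fw1 action=DROP src=203.0.113.7 dst=10.20.30.40 dport=8443 proto=tcp
2025-11-13T08:00:12Z fw1 action=ACCEPT src=10.20.30.12 dst=10.20.30.40 dport=9000 proto=tcp
2025-11-13T08:00:15Z fw1 action=ACCEPT src=10.99.0.15 dst=10.20.30.41 dport=22 proto=tcp
malformed line with no fields
"""

if __name__ == "__main__":
    for ts, src, port, findings in audit(SAMPLE_LOG):
        print(f"{ts} {src} -> :{port} {', '.join(findings)}")
    print(nft_ruleset())
```

Running it on the constructed log flags three events: an accepted session from a corporate-IT address (192.168.50.9), a dropped attempt from an Internet address (203.0.113.7), and an accepted connection from inside the OT segment to a port that is not on the needed list (9000), which is exactly the "disable endpoints not actively required" case. The accepted findings are the ones to treat as incidents; the dropped one confirms the rule is doing its job. The rendered nftables ruleset is the same policy written for the access point, so the monitor and the enforcement never drift apart.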