Brightpick Mission Control: Remote Access & Credential Exposure Risks

Brightpick AI’s warehouse automation software is under examination after researchers discovered a number of critical flaws in Brightpick Mission Control and Internal Logic Control. These vulnerabilities, which are now classified as three CVEs, might enable attackers to get remote access, examine sensitive data, and potentially influence robotic functions within automated warehouse systems.

The severity is notable: the vulnerabilities collectively carry a CVSS v4 high score of 8.7 and are exploitable with low complexity, implying that real-world attacks would be reasonably simple to carry out.

Why This Matters

Brightpick’s solutions are used in industries that require high availability, precision, and safety, such as commercial buildings, healthcare, and manufacturing. Mission Control is at the heart of the automation process, managing robots, runners, totes, and job queues.

Any flaw in authentication or credential processing immediately affects warehouse operations and, in the worst-case scenario, might disrupt entire logistical workflows.

1. Robot Control Features Accessible With No Login (CVE-2025-64307)

One of the most serious problems lies in the Internal Logic Control web interface, which apparently allows users to access critical robot-control functions without any authentication.

Anyone on the network could:

  • Start or stop warehouse runners
  • Assign or modify tasks
  • Clear stations
  • Deploy or move storage totes

This is essentially giving an intruder a remote control for warehouse robots.
The flaw scored 7.1 on CVSS v4, putting it in the high-severity range.

2. Hardcoded Credentials Inside the Web App (CVE-2025-64308)

The second issue involves credentials embedded directly inside the client-side JavaScript bundle.
A simple inspection of the browser’s developer tools is enough to extract them.

Since no interaction or privileges are needed, this vulnerability scored 8.7 on CVSS v4.

Depending on how these credentials are used, this could provide direct access to admin panels, APIs, or backend services.

3. Sensitive Telemetry Leaking Over Unauthenticated WebSocket (CVE-2025-64309)

Another vulnerability exposes internal device telemetry, configuration details, and even credentials through an unauthenticated WebSocket endpoint.

The concerning part?
The vulnerable URL can be found through basic network scanning, meaning virtually anyone on the network could stumble upon it.

This issue earned a CVSS v4 score of 8.2, reflecting its potential to leak high-value information.

Who Is Affected?

These vulnerabilities impact all versions of:

  • Brightpick Mission Control
  • Brightpick Internal Logic Control

Deployments exist worldwide across:

  • Commercial facilities
  • Manufacturing sites
  • Healthcare logistics
  • Large warehouse operations

Brightpick AI is headquartered in Slovakia, and the product has global presence across critical industries.

Vendor Status

As of this advisory, Brightpick AI has not responded to requests to coordinate fixes.
Users relying on Mission Control should take this seriously and begin applying defensive controls immediately.

Mitigations

Until Brightpick provides patches or guidance, organizations should strengthen their environments through compensating controls. Recommended steps include:

Keep Mission Control off public networks: Do NOT expose these systems directly to the internet.

Put robot control systems behind firewalls: Separate them from corporate business networks.

If remote access is required, use a VPN: Ensure it’s patched and secure — and remember that compromised VPN endpoints still pose risk.

Monitor for unusual WebSocket activity: Since one of the flaws leaks data through WebSocket traffic, monitoring is crucial.

Perform a risk review: ICS and automation networks must undergo a quick impact assessment to determine exposure points.
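The "monitor for unusual WebSocket activity" step above can be turned into a simple detection, shown here as an added example that is not part of the original advisory or Brightpick's software. It assumes a reverse proxy in front of Mission Control that logs client IP, path, status and the Upgrade header in the constructed format below; the operator allowlist, endpoint paths and log lines are constructed sample data, not values from the advisory.

```python
"""Flag WebSocket handshakes to an automation control host from unexpected clients."""
import ipaddress
import re

# Constructed sample log lines (not real Brightpick traffic). A 101 status with
# Upgrade: websocket marks a completed WebSocket handshake.
SAMPLE_LOG = """\
2025-11-20T08:00:01Z 10.10.5.21 GET /api/telemetry 101 upgrade=websocket
2025-11-20T08:00:07Z 10.10.5.22 GET /static/app.js 200 upgrade=-
2025-11-20T08:01:13Z 192.168.44.9 GET /api/telemetry 101 upgrade=websocket
2025-11-20T08:01:20Z 10.10.5.21 GET /api/telemetry 101 upgrade=websocket
2025-11-20T08:02:02Z 172.16.3.77 GET /ws/control 101 upgrade=websocket
"""

# Constructed allowlist: the operator VLAN that should legitimately reach the control UI.
OPERATOR_NETWORKS = [ipaddress.ip_network("10.10.5.0/24")]

# Assumed log layout: timestamp, client IP, method, path, status, upgrade=<header value>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) (?P<method>\S+) (?P<path>\S+) "
    r"(?P<status>\d{3}) upgrade=(?P<upgrade>\S+)$"
)


def parse_line(line):
    """Return the parsed fields as a dict, or None for lines that do not match the format."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def is_allowed(ip):
    """True when the client address falls inside one of the operator networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in OPERATOR_NETWORKS)


def find_unexpected_websockets(log_text):
    """Return (timestamp, ip, path) for each WebSocket handshake from outside the operator networks."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["status"] == "101" and rec["upgrade"].lower() == "websocket" and not is_allowed(rec["ip"]):
            alerts.append((rec["ts"], rec["ip"], rec["path"]))
    return alerts


if __name__ == "__main__":
    for ts, ip, path in find_unexpected_websockets(SAMPLE_LOG):
        print(f"{ts} unexpected WebSocket from {ip} to {path}")
```

Because the leaking endpoint needs no authentication, an alert on the handshake itself is the earliest practical signal; tighten the allowlist to the actual operator subnets before deploying.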

Conclusion

These vulnerabilities underline a recurring theme in industrial and automation environments:
authentication and credential security are too often overlooked.

With more warehouses relying on automation and robotics, security issues in platforms like Mission Control can have real operational consequences — from downtime and lost revenue to potential safety hazards.

Organizations using Brightpick Mission Control should act now, tighten their network boundaries, and monitor systems closely while awaiting vendor patches.
