9.3
CVE-2014-5406
- EPSS 1.24%
- Veröffentlicht 06.07.2015 19:59:00
- Zuletzt bearbeitet 06.05.2026 22:30:45
- Quelle ics-cert@hq.dhs.gov
- CVE-Watchlists
- Unerledigt
LoginHospira LifeCare PCA Infusion System
The Hospira LifeCare PCA Infusion System before 7.0 does not validate network traffic associated with sending a (1) drug library, (2) software update, or (3) configuration change, which allows remote attackers to modify settings or medication data via packets on the (a) TELNET, (b) HTTP, (c) HTTPS, or (d) UPNP port. NOTE: this issue might overlap CVE-2015-3459.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Hospira ≫ Lifecare Pcainfusion Firmware Version <= 5.0
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 1.24% | 0.653 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 9.3 | 8.6 | 10 |
AV:N/AC:M/Au:N/C:C/I:C/A:C
|
| ics-cert@hq.dhs.gov | 7.6 | 4.9 | 10 |
AV:N/AC:H/Au:N/C:C/I:C/A:C
|
CWE-345 Insufficient Verification of Data Authenticity
The product does not sufficiently verify the origin or authenticity of data, in a way that causes it to accept invalid data.
http://www.fda.gov/MedicalDevices/Safety/AlertsandNotices/ucm446809.htm
https://ics-cert.us-cert.gov/advisories/ICSA-15-125-01
https://xs-sniper.com/blog/2015/06/08/hospira-plum-a-infusion-pump-vulnerabilities/
https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2015/icsa-15-125-01.json
https://www.cisa.gov/news-events/ics-advisories/icsa-15-125-01