CVE-2020-25168

B. Braun SpaceCom, Battery Pack SP with Wi-Fi, and Data module compactplus

CVSS 3.3 LOWEPSS 0.2%CWE-798

In short

B. Braun medical devices contain fixed login credentials in their code that cannot be changed. An attacker with command line access to the device can use these credentials to access and control the Wi-Fi module.

Technical detail

Hard-coded credentials in SpaceCom (L81/U61 and earlier) and Data module compactplus (A10, A11) allow authenticated command-line access to compromise the Wi-Fi module. Attack vector requires local access; impact includes unauthorized wireless module control and potential network exposure.

Summary generated and translated by AI from the official description.

Hard-coded credentials in the B. Braun Melsungen AG SpaceCom Version L81/U61 and earlier, and the Data module compactplus Versions A10 and A11 enable attackers with command line access to access the device’s Wi-Fi module.

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Affected products

B. Braun Melsungen AG · Battery pack with Wi-Fi B. Braun Melsungen AG · Data module compactplus B. Braun Melsungen AG · SpaceCom

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html https://www.cisa.gov/uscert/ics/advisories/icsma-20-296-02