CVE-2021-43935

ICSMA-21-343-01 Hillrom Welch Allyn Cardio Products

CVSS 8.1 HIGHEPSS 1.1%CWE-288

Vexday Risk Score

21Low

SSVC decision (CISA)

Track

No exploitation signal → monitor

CVSS 8.1EPSS 1.1%KEV nãoPoC —Nuclei —Metasploit —Patch —

Lifecycle

15 Dec 2021Published on NVD

Recommendation: Monitor — no exploitation signal at the moment.

The impacted products, when configured to use SSO, are affected by an improper authentication vulnerability. This vulnerability allows the application to accept manual entry of any active directory (AD) account provisioned in the application without supplying a password, resulting in access to the application as the supplied AD account, with all associated privileges.

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Affected products

Hillrom · Welch Allyn Connex Cardio Hillrom · Welch Allyn Diagnostic Cardiology Suite Hillrom · Welch Allyn H-Scribe Holter Analysis System Hillrom · Welch Allyn Q-Stress Cardiac Stress Testing System Hillrom · Welch Allyn R-Scribe Resting ECG System Hillrom · Welch Allyn Vision Express Hillrom · Welch Allyn X-Scribe Cardiac Stress Testing System

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://www.cisa.gov/uscert/ics/advisories/icsma-21-343-01