Type Medical Device Software

Timeline

Analysing the timeline helps to identify the approach and handling required for single vulnerabilities and for collections of vulnerabilities. The overview shows less important slices and more severe hotspots at a glance, so that immediate vulnerability response can be initiated and issues can be prioritized.

Vendor »

Identifying all affected vendors is a good starting point for an overview. This makes it possible to recognize a homogeneous landscape or the most important hotspots in heterogeneous landscapes.

Product »

Grouping vulnerabilities by product helps to get an overview. This makes it possible to recognize a homogeneous landscape or the most important hotspots in heterogeneous landscapes.

Remediation »

Vendors and researchers are eager to find countermeasures to mitigate security vulnerabilities. These come in multiple forms and levels of remediation, which influence the risk differently.

Exploitability »

Researchers and attackers looking for security vulnerabilities try to exploit them for academic purposes or personal gain. The level and quality of exploitability can be distinguished to determine the simplicity and strength of attacks.

Access Vector »

When approaching a vulnerability, it is important to consider the expected access vector. This is typically network, local, or even physical.

Authentication »

To exploit a vulnerability, a certain level of authentication might be required. Vulnerabilities without such a requirement are much more popular.

User Interaction »

Some attack scenarios require user interaction by a victim. This is typical for phishing, social engineering and cross-site scripting attacks.

C3BM Index »

Our unique C3BM Index (CVSSv3 Base Meta Index) accumulates the CVSSv3 Meta Base Scores of all entries over time. Comparing this index to the number of disclosed vulnerabilities helps to pinpoint the most important events.

CVSSv3 Base »

The Common Vulnerability Scoring System (CVSS) is an industry standard to define the characteristics and impacts of security vulnerabilities. The base score represents the intrinsic aspects that are constant over time and across user environments. Our unique meta score merges all available scores from different sources to aggregate to the most reliable result.

CVSSv3 Temp »

The Common Vulnerability Scoring System (CVSS) uses temporal scores to reflect the characteristics of a vulnerability that may change over time but not across user environments. This includes report confidence, exploitability and remediation level. We also provide our unique meta score for temporal scores, even though other sources rarely publish them.

VulDB »

The moderation team always defines the base vector and base score for an entry. These and all other available scores are used to generate the meta score.

NVD »

The National Vulnerability Database (NVD) also defines CVSS vectors and scores. These are usually not complete and might differ from VulDB scores.

Vendor »

Some vendors are willing to publish their own CVSS vectors and scores for vulnerabilities in their products. The coverage varies from vendor to vendor.

Research »

Sometimes security researchers also provide their own CVSS vectors and scores for vulnerabilities they have found and published.

Exploit 0-day »

The moderation team works with the threat intelligence team to determine prices for exploits. Our unique algorithm is used to identify the 0-day price of an exploit before it was distributed or became public. Calculated prices are aligned with prices disclosed by vulnerability brokers and compared to prices we see on exploit markets.

Exploit Today »

The 0-day prices do not consider time-related factors. The today price reflects price impacts such as the disclosure of vulnerability details, alternative exploits, and the availability of countermeasures. These dynamic aspects might decrease exploit prices over time; under certain circumstances this happens very fast.

Exploit Market Volume »

Our unique calculation of exploit prices makes it possible to forecast the expected exploit market volume. The calculated prices for all possible 0-day exploits are accumulated for this task. Comparing the volume to the number of disclosed vulnerabilities helps to pinpoint the most important events.

CTI Activities »

Our unique Cyber Threat Intelligence aims to determine the ongoing research of actors in order to anticipate their activities. Observing exploit markets on the Darknet, discussions of vulnerabilities on mailing lists, and exchanges on social media makes it possible to identify planned attacks. Monitored actors and activities are classified as offensive or defensive. They are also weighted, as some actors are well known for certain products and technologies, and some of their disclosures contain more or less detail about technical aspects and personal context. The world map highlights active actors in real time.

Affected Products (107): Baxter SIGMA Spectrum Infusion System, Baxter Spectrum Infusion System, BD Alaris 8015 PC Unit, BD Alaris 8015 Point of Care, BD Alaris CC, BD Alaris Gateway, BD Alaris Gateway Workstation, BD Alaris GH, BD Alaris GS, BD Alaris Systems Manager, BD Alaris TIVA, BeaconMedaes Scroll Medical Air Systems, BMC Medical Luna CPAP Machines, Dräger Infinity Delta, Dräger Infinity Delta XL, Dräger Infinity Explorer C700, Dräger Infinity Kappa, GE Healthcare CADStream Server, GE Healthcare Centricity Analytics Server, GE Healthcare Centricity Clinical Archive Audit Trail Repository, GE Healthcare Centricity DMS, GE Healthcare Centricity Image Vault, GE Healthcare Centricity PACS, GE Healthcare Centricity PACS-IW, GE Healthcare Centricity PACS Workstation, GE Healthcare Discovery 530C, GE Healthcare Discovery NM 750b, GE Healthcare Discovery VH, GE Healthcare Discovery XR656, GE Healthcare Discovery XR656 G2, GE Healthcare eNTEGRA P, GE Healthcare Infinia II, GE Healthcare Millennium, GE Healthcare Optima, GE Healthcare Optima MR360, GE Healthcare Precision MPi, GE Healthcare Precision THUNIS-800+, GE Healthcare Revolution XQi, GE R, GE Voluson S8, GE Healthcare AW, GE Healthcare BrightSpeed, GE Healthcare Brivo, GE Healthcare DiscoveryRevolution EVO, GE Healthcare EchoPAC, GE Healthcare Image Vault, GE Healthcare Infina, GE Healthcare Innova, GE Healthcare LOGIQ, GE Healthcare Optima, GE Healthcare PETrace, GE Healthcare PET Discovery IQ, GE Healthcare Signa, GE Healthcare Ventri, GE Healthcare Vivid, GE Healthcare Voluson, GE Healthcare Xeleris, Hamilton Medical T1-Ventillator, Hospira Lifecare PCA Infusion Pump, Hospira LifeCare PCA Infusion System, Hospira Plum A+3 Infusion System, Hospira Plum A+ Infusion System, Hospira Symbiq Infusion System, Infusionsoft Gravity Forms, IntelliVue Patient Monitor, IP Infusion OcNOS, IP Infusion ZebOS, iTriage Health, Kinfusion Com Sportfusion, Medical Center Columbia WebSite, Medical Devices, Medtronic 24950 MyCareLink Monitor, Medtronic 24952 MyCareLink Monitor, Medtronic MyCareLink Patient Monitor, Medtronic Paradigm wireless insulin pump, Medtronic Smart Model 25000 Patient Reader, Oracle Healthcare Analytics Data Integration, Oracle Healthcare Data Repository, Oracle Healthcare Foundation, Oracle Healthcare Master Person Index, Oracle Healthcare Translational Research, Oracle Health Sciences Argus Safety, Oracle Health Sciences Clinical Development Center, Oracle Health Sciences Data Management Workbench, Oracle Health Sciences Empirica Inspections, Oracle Health Sciences Empirica Signal, Oracle Health Sciences Empirica Study, Oracle Health Sciences InForm, Oracle Health Sciences Information Manager, PacerCMS, Philips e-Alert Unit, Philips IntelliSpace Cardiovascular, Philips IntelliSpace PACS, Philips IntelliSpace Portal, Philips IntelliVue Patient Monitor, Philips iSite, Philips iSite PACS, Philips Patient Information Center iX, Philips PerformanceBridge Focal Point, Philips Xcelera, Smiths-Medical Medfusion 4000 Wireless Syringe Infusion Pump, SOOIL AnyDana-A, SOOIL AnyDana-i, SOOIL DiabecareRS, SOOIL Diabecare RS, St. Jude Medical Merlin@home, Vyaire Medical CareFusion Upgrade Utility

Published | CVSSv3 Base | CVSSv3 Temp | Vulnerability | Product | Exploitability | Remediation | CTI | CVE
03/16/2021 | 3.3 | 3.3 | Hamilton Medical T1-Ventillator Configuration Interface information disclosure | T1-Ventillator | Not Defined | Not Defined | 0.06 | CVE-2020-27290
03/16/2021 | 3.3 | 3.3 | Hamilton Medical T1-Ventillator XML Validation denial of service | T1-Ventillator | Not Defined | Not Defined | 0.07 | CVE-2020-27282
03/16/2021 | 4.7 | 4.7 | Hamilton Medical T1-Ventillator Configuration Interface hard-coded credentials | T1-Ventillator | Not Defined | Not Defined | 0.07 | CVE-2020-27278
01/20/2021 | 5.1 | 4.9 | SOOIL Diabecare RS/AnyDana-i/AnyDana-A Bluetooth LE authentication replay | Diabecare RS/AnyDana-i/AnyDana-A | Not Defined | Official Fix | 0.00 | CVE-2020-27269
01/20/2021 | 5.4 | 5.1 | SOOIL Diabecare RS/AnyDana-i/AnyDana-A Bluetooth LE improper authentication | Diabecare RS/AnyDana-i/AnyDana-A | Not Defined | Official Fix | 0.06 | CVE-2020-27266
01/20/2021 | 6.5 | 6.2 | SOOIL Diabecare RS/AnyDana-i/AnyDana-A Bluetooth LE random values | Diabecare RS/AnyDana-i/AnyDana-A | Not Defined | Official Fix | 0.07 | CVE-2020-27264
01/20/2021 | 5.4 | 5.1 | SOOIL Diabecare RS/AnyDana-i/AnyDana-A Bluetooth LE insufficiently protected credentials | Diabecare RS/AnyDana-i/AnyDana-A | Not Defined | Official Fix | 0.07 | CVE-2020-27258
01/20/2021 | 5.5 | 5.3 | SOOIL Diabecare RS/AnyDana-i/AnyDana-A Physician Menu hard-coded credentials | Diabecare RS/AnyDana-i/AnyDana-A | Not Defined | Official Fix | 0.06 | CVE-2020-27256
01/20/2021 | 3.9 | 3.7 | SOOIL DiabecareRS/AnyDana-i/AnyDana-A Bluetooth LE authentication spoofing | DiabecareRS/AnyDana-i/AnyDana-A | Not Defined | Official Fix | 0.00 | CVE-2020-27276
01/20/2021 | 3.9 | 3.7 | SOOIL DiabecareRS/AnyDana-i/AnyDana-A Bluetooth LE inadequate encryption | DiabecareRS/AnyDana-i/AnyDana-A | Not Defined | Official Fix | 0.09 | CVE-2020-27272
01/20/2021 | 3.8 | 3.7 | SOOIL DiabecareRS/AnyDana-i/AnyDana-A Bluetooth LE insufficiently protected credentials | DiabecareRS/AnyDana-i/AnyDana-A | Not Defined | Official Fix | 0.00 | CVE-2020-27270
12/15/2020 | 5.3 | 5.3 | GE Healthcare Signa credentials management | Signa/Brivo/Optima/LOGIQ/Vivid/EchoPAC/Image Vault/Voluson/Innova/AW/BrightSpeed/DiscoveryRevolution EVO/Infina/Ventri/Xeleris/PET Discovery IQ/PETrace | Not Defined | Not Defined | 0.04 | CVE-2020-25179
12/15/2020 | 3.7 | 3.7 | GE Healthcare Signa cleartext transmission | Signa/Brivo/Optima/LOGIQ/Vivid/EchoPAC/Image Vault/Voluson/Innova/AW/BrightSpeed/DiscoveryRevolution EVO/Infina/Ventri/Xeleris/PET Discovery IQ/PETrace | Not Defined | Not Defined | 0.00 | CVE-2020-25175
12/13/2020 | 9.6 | 9.2 | Medtronic Smart Model 25000 Patient Reader Update System toctou | Smart Model 25000 Patient Reader | Not Defined | Official Fix | 0.05 | CVE-2020-27252
12/13/2020 | 8.8 | 8.4 | Medtronic Smart Model 25000 Patient Reader Debug Command heap-based overflow | Smart Model 25000 Patient Reader | Not Defined | Official Fix | 0.05 | CVE-2020-25187
12/13/2020 | 5.5 | 5.3 | Medtronic Smart Model 25000 Patient Reader App Authentication improper authentication | Smart Model 25000 Patient Reader | Not Defined | Not Defined | 0.00 | CVE-2020-25183
11/13/2020 | 7.4 | 7.4 | BD Alaris 8015 PC Unit/Alaris Systems Manager improper authentication | Alaris 8015 PC Unit/Alaris Systems Manager | Not Defined | Not Defined | 0.04 | CVE-2020-25165
10/20/2020 | 6.1 | 5.8 | Oracle Healthcare Foundation Admin Console cross site scripting | Healthcare Foundation | Not Defined | Official Fix | 0.00 | CVE-2020-11022
10/20/2020 | 9.8 | 9.4 | Oracle Healthcare Data Repository Database Module Remote Code Execution | Healthcare Data Repository | Not Defined | Official Fix | 0.06 | CVE-2020-2555
10/20/2020 | 9.8 | 9.4 | Oracle Health Sciences Empirica Signal User Interface xml external entity reference | Health Sciences Empirica Signal | Not Defined | Official Fix | 0.04 | CVE-2020-10683
10/20/2020 | 10.0 | 9.5 | Oracle Healthcare Foundation Self Service Analytics input validation | Healthcare Foundation | Not Defined | Official Fix | 0.06 | CVE-2020-1953
09/11/2020 | 5.4 | 5.4 | Philips Patient Information Center iX Message Parser denial of service | Patient Information Center iX/PerformanceBridge Focal Point/IntelliVue Patient Monitor | Not Defined | Not Defined | 0.05 | CVE-2020-16224
09/11/2020 | 4.3 | 4.3 | Philips Patient Information Center iX Certificate Enrollment Service denial of service | Patient Information Center iX/PerformanceBridge Focal Point/IntelliVue Patient Monitor | Not Defined | Not Defined | 0.06 | CVE-2020-16220
09/11/2020 | 5.4 | 5.4 | Philips Patient Information Center iX input validation | Patient Information Center iX/PerformanceBridge Focal Point/IntelliVue Patient Monitor | Not Defined | Not Defined | 0.00 | CVE-2020-16216
09/11/2020 | 5.5 | 5.5 | Philips Patient Information Center iX Surveillance Station exposure of resource | Patient Information Center iX/PerformanceBridge Focal Point/IntelliVue Patient Monitor | Not Defined | Not Defined | 0.08 | CVE-2020-16212
