CVE-2020-25160 : What You Need to Know

B. Braun SpaceCom, Battery Pack SP with Wi-Fi, and Data module compactplus

Understanding CVE-2020-25160

This CVE involves improper access controls in B. Braun Melsungen AG's SpaceCom and Data module compactplus, potentially allowing attackers to extract and tamper with network configurations.

What is CVE-2020-25160?

CVE-2020-25160 highlights vulnerabilities in B. Braun Melsungen AG's SpaceCom, Battery Pack SP with Wi-Fi, and Data module compactplus, enabling unauthorized access to network configurations.

The Impact of CVE-2020-25160

The vulnerability poses a medium severity risk with a CVSS base score of 6.8, allowing attackers to manipulate medical devices' network settings.

Technical Details of CVE-2020-25160

Vulnerability Description

The issue arises from improper access controls in SpaceCom Version L81/U61 and earlier, and Data module compactplus Versions A10 and A11, facilitating unauthorized network configuration access.

Affected Systems and Versions

SpaceCom: Versions L81/U61 and earlier
Battery Pack with Wi-Fi: Versions L81/U61 and earlier
Data module compactplus: Versions A10 and A11

Exploitation Mechanism

Attackers can exploit the vulnerability to extract and tamper with the network configurations of the affected devices.

Mitigation and Prevention

Immediate Steps to Take

Apply updates: SpaceCom - Version U62 or later (US), L82 or later (outside US)
Battery Pack SP with Wi-Fi - Version U62 or later (US), L82 or later (outside US)
Data module compactplus - Version A12 or later

Long-Term Security Practices

Protect the network: Ensure devices are not directly accessible from the Internet
Use a firewall: Isolate medical devices from the business network

Patching and Updates

Contact B. Braun for assistance and refer to the B. Braun Security Advisory for detailed information.