#VU91254 Use of Default Cryptographic Key in Welch Allyn Connex Spot Monitor (CSM) - CVE-2024-1275

Cybersecurity Help s.r.o.

Published: 2024-06-06

Vulnerability identifier: #VU91254

Vulnerability risk: Medium

CVSSv4.0: 6.9 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2024-1275

CWE-ID: CWE-1394

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Welch Allyn Connex Spot Monitor (CSM)
Hardware solutions / Firmware

Vendor: Hill-Rom Services

Description

The vulnerability allows a remote attacker to compromise the target system.

The vulnerability exists due to use of default cryptographic key for potentially critical functionality. A remote attacker can modify device configurations and firmware data, resulting in impact and/or delay in patient care.

Mitigation
Cybersecurity Help is currently unaware of any official solution to address this vulnerability.

Vulnerable software versions

Welch Allyn Connex Spot Monitor (CSM): 1.52

External links
https://www.cisa.gov/news-events/ics-medical-advisories/icsma-24-151-02

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Use of Default Cryptographic Key in Baxter Welch Allyn Connex Spot Monitor