Search

Find a vulnerability

Search criteria

    22 vulnerabilities found for Data module compactplus by B. Braun Melsungen AG

    CVE-2020-25168 (GCVE-0-2020-25168)

    Vulnerability from nvd – Published: 2022-04-14 20:06 – Updated: 2025-04-16 16:29
    VLAI
    Title
    B. Braun SpaceCom, Battery Pack SP with Wi-Fi, and Data module compactplus
    Summary
    Hard-coded credentials in the B. Braun Melsungen AG SpaceCom Version L81/U61 and earlier, and the Data module compactplus Versions A10 and A11 enable attackers with command line access to access the device’s Wi-Fi module.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-798 - Use of Hard-coded Credentials
    Assigner
    References
    Impacted products
    Vendor Product Version
    B. Braun Melsungen AG SpaceCom Affected: unspecified , ≤ U61 (custom)
    Affected: unspecified , ≤ L81 (custom)
    Create a notification for this product.
    B. Braun Melsungen AG Battery pack with Wi-Fi Affected: unspecified , ≤ U61 (custom)
    Affected: unspecified , ≤ L81 (custom)
    Create a notification for this product.
    B. Braun Melsungen AG Data module compactplus Affected: A10
    Affected: A11
    Create a notification for this product.
    Credits
    Julian Suleder, Nils Emmerich, and Birk Kauer of ERNW Research GmbH; Dr. Oliver Matula of ERNW Enno Rey Netzwerke GmbH, reported these vulnerabilities to the Federal Office for Information Security (BSI), Germany, in the context of the BSI project ManiMed (Manipulation of medical devices).
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T15:26:10.000Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://www.cisa.gov/uscert/ics/advisories/icsma-20-296-02"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2020-25168",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-04-16T15:54:09.627996Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-04-16T16:29:29.444Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "SpaceCom",
              "vendor": "B. Braun Melsungen AG",
              "versions": [
                {
                  "lessThanOrEqual": "U61",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                },
                {
                  "lessThanOrEqual": "L81",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            },
            {
              "product": "Battery pack with Wi-Fi",
              "vendor": "B. Braun Melsungen AG",
              "versions": [
                {
                  "lessThanOrEqual": "U61",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                },
                {
                  "lessThanOrEqual": "L81",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            },
            {
              "product": "Data module compactplus",
              "vendor": "B. Braun Melsungen AG",
              "versions": [
                {
                  "status": "affected",
                  "version": "A10"
                },
                {
                  "status": "affected",
                  "version": "A11"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Julian Suleder, Nils Emmerich, and Birk Kauer of ERNW Research GmbH; Dr. Oliver Matula of ERNW Enno Rey Netzwerke GmbH, reported these vulnerabilities to the Federal Office for Information Security (BSI), Germany, in the context of the BSI project ManiMed (Manipulation of medical devices)."
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Hard-coded credentials in the B. Braun Melsungen AG SpaceCom Version L81/U61 and earlier, and the Data module compactplus Versions A10 and A11 enable attackers with command line access to access the device\u2019s Wi-Fi module."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "LOCAL",
                "availabilityImpact": "NONE",
                "baseScore": 3.3,
                "baseSeverity": "LOW",
                "confidentialityImpact": "LOW",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-798",
                  "description": "CWE-798: Use of Hard-coded Credentials",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-04-14T20:06:00.000Z",
            "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
            "shortName": "icscert"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://www.cisa.gov/uscert/ics/advisories/icsma-20-296-02"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "value": "B. Braun recommends applying updates:\n\n    SpaceCom: Version U62 or later (United States), L82 or later (outside the United States)\n    Battery Pack SP with Wi-Fi: Version U62 or later (United States), L82 or later (outside the United States)\n    Data module compactplus: Version A12 or later\n\nPlease contact your local B. Braun organization to request further help. For more information please see the B. Braun Security Advisory.  https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html\n"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "B. Braun SpaceCom, Battery Pack SP with Wi-Fi, and Data module compactplus",
          "workarounds": [
            {
              "lang": "en",
              "value": "As a general security measure, B. Braun recommends protecting the network with appropriate mechanisms:\n\n    Ensure the devices are not accessible directly from the Internet.\n    Use a firewall and isolate the medical devices from the business network. \n\nPlease contact your local B. Braun organization to request further help. For more information please see the B. Braun Security Advisory.  https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html"
            }
          ],
          "x_generator": {
            "engine": "Vulnogram 0.0.9"
          },
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "ics-cert@hq.dhs.gov",
              "ID": "CVE-2020-25168",
              "STATE": "PUBLIC",
              "TITLE": "B. Braun SpaceCom, Battery Pack SP with Wi-Fi, and Data module compactplus"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "SpaceCom",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c=",
                                "version_value": "U61"
                              },
                              {
                                "version_affected": "\u003c=",
                                "version_value": "L81"
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "Battery pack with Wi-Fi",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c=",
                                "version_value": "U61"
                              },
                              {
                                "version_affected": "\u003c=",
                                "version_value": "L81"
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "Data module compactplus",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "=",
                                "version_value": "A10"
                              },
                              {
                                "version_affected": "=",
                                "version_value": "A11"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "B. Braun Melsungen AG"
                  }
                ]
              }
            },
            "credit": [
              {
                "lang": "eng",
                "value": "Julian Suleder, Nils Emmerich, and Birk Kauer of ERNW Research GmbH; Dr. Oliver Matula of ERNW Enno Rey Netzwerke GmbH, reported these vulnerabilities to the Federal Office for Information Security (BSI), Germany, in the context of the BSI project ManiMed (Manipulation of medical devices)."
              }
            ],
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Hard-coded credentials in the B. Braun Melsungen AG SpaceCom Version L81/U61 and earlier, and the Data module compactplus Versions A10 and A11 enable attackers with command line access to access the device\u2019s Wi-Fi module."
                }
              ]
            },
            "generator": {
              "engine": "Vulnogram 0.0.9"
            },
            "impact": {
              "cvss": {
                "attackComplexity": "LOW",
                "attackVector": "LOCAL",
                "availabilityImpact": "NONE",
                "baseScore": 3.3,
                "baseSeverity": "LOW",
                "confidentialityImpact": "LOW",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
                "version": "3.1"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-798: Use of Hard-coded Credentials"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://www.cisa.gov/uscert/ics/advisories/icsma-20-296-02",
                  "refsource": "CONFIRM",
                  "url": "https://www.cisa.gov/uscert/ics/advisories/icsma-20-296-02"
                },
                {
                  "name": "https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html",
                  "refsource": "CONFIRM",
                  "url": "https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html"
                }
              ]
            },
            "solution": [
              {
                "lang": "en",
                "value": "B. Braun recommends applying updates:\n\n    SpaceCom: Version U62 or later (United States), L82 or later (outside the United States)\n    Battery Pack SP with Wi-Fi: Version U62 or later (United States), L82 or later (outside the United States)\n    Data module compactplus: Version A12 or later\n\nPlease contact your local B. Braun organization to request further help. For more information please see the B. Braun Security Advisory.  https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html\n"
              }
            ],
            "source": {
              "discovery": "EXTERNAL"
            },
            "work_around": [
              {
                "lang": "en",
                "value": "As a general security measure, B. Braun recommends protecting the network with appropriate mechanisms:\n\n    Ensure the devices are not accessible directly from the Internet.\n    Use a firewall and isolate the medical devices from the business network. \n\nPlease contact your local B. Braun organization to request further help. For more information please see the B. Braun Security Advisory.  https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html"
              }
            ]
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
        "assignerShortName": "icscert",
        "cveId": "CVE-2020-25168",
        "datePublished": "2022-04-14T20:06:00.000Z",
        "dateReserved": "2020-09-04T00:00:00.000Z",
        "dateUpdated": "2025-04-16T16:29:29.444Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2020-25166 (GCVE-0-2020-25166)

    Vulnerability from nvd – Published: 2022-04-14 20:05 – Updated: 2025-04-16 16:29
    VLAI
    Title
    B. Braun SpaceCom, Battery Pack SP with Wi-Fi, and Data module compactplus
    Summary
    An improper verification of the cryptographic signature of firmware updates of the B. Braun Melsungen AG SpaceCom Version L81/U61 and earlier, and the Data module compactplus Versions A10 and A11 allows attackers to generate valid firmware updates with arbitrary content that can be used to tamper with devices.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-347 - Improper Verification of Cryptographic Signature
    Assigner
    References
    Impacted products
    Vendor Product Version
    B. Braun Melsungen AG SpaceCom Affected: unspecified , ≤ U61 (custom)
    Affected: unspecified , ≤ L81 (custom)
    Create a notification for this product.
    B. Braun Melsungen AG Battery pack with Wi-Fi Affected: unspecified , ≤ U61 (custom)
    Affected: unspecified , ≤ L81 (custom)
    Create a notification for this product.
    B. Braun Melsungen AG Data module compactplus Affected: A10
    Affected: A11
    Create a notification for this product.
    Credits
    Julian Suleder, Nils Emmerich, and Birk Kauer of ERNW Research GmbH; Dr. Oliver Matula of ERNW Enno Rey Netzwerke GmbH, reported these vulnerabilities to the Federal Office for Information Security (BSI), Germany, in the context of the BSI project ManiMed (Manipulation of medical devices).
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T15:26:10.204Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://www.cisa.gov/uscert/ics/advisories/icsma-20-296-02"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2020-25166",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-04-16T15:54:19.378844Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-04-16T16:29:44.744Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "SpaceCom",
              "vendor": "B. Braun Melsungen AG",
              "versions": [
                {
                  "lessThanOrEqual": "U61",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                },
                {
                  "lessThanOrEqual": "L81",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            },
            {
              "product": "Battery pack with Wi-Fi",
              "vendor": "B. Braun Melsungen AG",
              "versions": [
                {
                  "lessThanOrEqual": "U61",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                },
                {
                  "lessThanOrEqual": "L81",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            },
            {
              "product": "Data module compactplus",
              "vendor": "B. Braun Melsungen AG",
              "versions": [
                {
                  "status": "affected",
                  "version": "A10"
                },
                {
                  "status": "affected",
                  "version": "A11"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Julian Suleder, Nils Emmerich, and Birk Kauer of ERNW Research GmbH; Dr. Oliver Matula of ERNW Enno Rey Netzwerke GmbH, reported these vulnerabilities to the Federal Office for Information Security (BSI), Germany, in the context of the BSI project ManiMed (Manipulation of medical devices)."
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "An improper verification of the cryptographic signature of firmware updates of the B. Braun Melsungen AG SpaceCom Version L81/U61 and earlier, and the Data module compactplus Versions A10 and A11 allows attackers to generate valid firmware updates with arbitrary content that can be used to tamper with devices."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 7.6,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "LOW",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-347",
                  "description": "CWE-347: Improper Verification of Cryptographic Signature",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-04-14T20:05:59.000Z",
            "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
            "shortName": "icscert"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://www.cisa.gov/uscert/ics/advisories/icsma-20-296-02"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "value": "B. Braun recommends applying updates:\n\n    SpaceCom: Version U62 or later (United States), L82 or later (outside the United States)\n    Battery Pack SP with Wi-Fi: Version U62 or later (United States), L82 or later (outside the United States)\n    Data module compactplus: Version A12 or later\n\nPlease contact your local B. Braun organization to request further help. For more information please see the B. Braun Security Advisory.  https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html\n"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "B. Braun SpaceCom, Battery Pack SP with Wi-Fi, and Data module compactplus",
          "workarounds": [
            {
              "lang": "en",
              "value": "As a general security measure, B. Braun recommends protecting the network with appropriate mechanisms:\n\n    Ensure the devices are not accessible directly from the Internet.\n    Use a firewall and isolate the medical devices from the business network. \n\nPlease contact your local B. Braun organization to request further help. For more information please see the B. Braun Security Advisory.  https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html"
            }
          ],
          "x_generator": {
            "engine": "Vulnogram 0.0.9"
          },
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "ics-cert@hq.dhs.gov",
              "ID": "CVE-2020-25166",
              "STATE": "PUBLIC",
              "TITLE": "B. Braun SpaceCom, Battery Pack SP with Wi-Fi, and Data module compactplus"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "SpaceCom",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c=",
                                "version_value": "U61"
                              },
                              {
                                "version_affected": "\u003c=",
                                "version_value": "L81"
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "Battery pack with Wi-Fi",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c=",
                                "version_value": "U61"
                              },
                              {
                                "version_affected": "\u003c=",
                                "version_value": "L81"
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "Data module compactplus",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "=",
                                "version_value": "A10"
                              },
                              {
                                "version_affected": "=",
                                "version_value": "A11"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "B. Braun Melsungen AG"
                  }
                ]
              }
            },
            "credit": [
              {
                "lang": "eng",
                "value": "Julian Suleder, Nils Emmerich, and Birk Kauer of ERNW Research GmbH; Dr. Oliver Matula of ERNW Enno Rey Netzwerke GmbH, reported these vulnerabilities to the Federal Office for Information Security (BSI), Germany, in the context of the BSI project ManiMed (Manipulation of medical devices)."
              }
            ],
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "An improper verification of the cryptographic signature of firmware updates of the B. Braun Melsungen AG SpaceCom Version L81/U61 and earlier, and the Data module compactplus Versions A10 and A11 allows attackers to generate valid firmware updates with arbitrary content that can be used to tamper with devices."
                }
              ]
            },
            "generator": {
              "engine": "Vulnogram 0.0.9"
            },
            "impact": {
              "cvss": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 7.6,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "LOW",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L",
                "version": "3.1"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-347: Improper Verification of Cryptographic Signature"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://www.cisa.gov/uscert/ics/advisories/icsma-20-296-02",
                  "refsource": "CONFIRM",
                  "url": "https://www.cisa.gov/uscert/ics/advisories/icsma-20-296-02"
                },
                {
                  "name": "https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html",
                  "refsource": "CONFIRM",
                  "url": "https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html"
                }
              ]
            },
            "solution": [
              {
                "lang": "en",
                "value": "B. Braun recommends applying updates:\n\n    SpaceCom: Version U62 or later (United States), L82 or later (outside the United States)\n    Battery Pack SP with Wi-Fi: Version U62 or later (United States), L82 or later (outside the United States)\n    Data module compactplus: Version A12 or later\n\nPlease contact your local B. Braun organization to request further help. For more information please see the B. Braun Security Advisory.  https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html\n"
              }
            ],
            "source": {
              "discovery": "EXTERNAL"
            },
            "work_around": [
              {
                "lang": "en",
                "value": "As a general security measure, B. Braun recommends protecting the network with appropriate mechanisms:\n\n    Ensure the devices are not accessible directly from the Internet.\n    Use a firewall and isolate the medical devices from the business network. \n\nPlease contact your local B. Braun organization to request further help. For more information please see the B. Braun Security Advisory.  https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html"
              }
            ]
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
        "assignerShortName": "icscert",
        "cveId": "CVE-2020-25166",
        "datePublished": "2022-04-14T20:05:59.000Z",
        "dateReserved": "2020-09-04T00:00:00.000Z",
        "dateUpdated": "2025-04-16T16:29:44.744Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2020-25164 (GCVE-0-2020-25164)

    Vulnerability from nvd – Published: 2022-04-14 20:06 – Updated: 2025-04-16 16:29
    VLAI
    Title
    B. Braun SpaceCom, Battery Pack SP with Wi-Fi, and Data module compactplus
    Summary
    A vulnerability in the B. Braun Melsungen AG SpaceCom Version L81/U61 and earlier, and the Data module compactplus Versions A10 and A11 allows attackers to recover user credentials of the administrative interface.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-759 - Use of a One-Way Hash without a Salt
    Assigner
    References
    Impacted products
    Vendor Product Version
    B. Braun Melsungen AG SpaceCom Affected: unspecified , ≤ U61 (custom)
    Affected: unspecified , ≤ L81 (custom)
    Create a notification for this product.
    B. Braun Melsungen AG Battery pack with Wi-Fi Affected: unspecified , ≤ U61 (custom)
    Affected: unspecified , ≤ L81 (custom)
    Create a notification for this product.
    B. Braun Melsungen AG Data module compactplus Affected: A10
    Affected: A11
    Create a notification for this product.
    Credits
    Julian Suleder, Nils Emmerich, and Birk Kauer of ERNW Research GmbH; Dr. Oliver Matula of ERNW Enno Rey Netzwerke GmbH, reported these vulnerabilities to the Federal Office for Information Security (BSI), Germany, in the context of the BSI project ManiMed (Manipulation of medical devices).
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T15:26:09.576Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://www.cisa.gov/uscert/ics/advisories/icsma-20-296-02"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2020-25164",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-04-16T15:54:15.208760Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-04-16T16:29:36.723Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "SpaceCom",
              "vendor": "B. Braun Melsungen AG",
              "versions": [
                {
                  "lessThanOrEqual": "U61",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                },
                {
                  "lessThanOrEqual": "L81",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            },
            {
              "product": "Battery pack with Wi-Fi",
              "vendor": "B. Braun Melsungen AG",
              "versions": [
                {
                  "lessThanOrEqual": "U61",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                },
                {
                  "lessThanOrEqual": "L81",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            },
            {
              "product": "Data module compactplus",
              "vendor": "B. Braun Melsungen AG",
              "versions": [
                {
                  "status": "affected",
                  "version": "A10"
                },
                {
                  "status": "affected",
                  "version": "A11"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Julian Suleder, Nils Emmerich, and Birk Kauer of ERNW Research GmbH; Dr. Oliver Matula of ERNW Enno Rey Netzwerke GmbH, reported these vulnerabilities to the Federal Office for Information Security (BSI), Germany, in the context of the BSI project ManiMed (Manipulation of medical devices)."
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A vulnerability in the B. Braun Melsungen AG SpaceCom Version L81/U61 and earlier, and the Data module compactplus Versions A10 and A11 allows attackers to recover user credentials of the administrative interface."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 6.5,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-759",
                  "description": "CWE-759: Use of a One-Way Hash without a Salt",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-04-14T20:06:00.000Z",
            "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
            "shortName": "icscert"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://www.cisa.gov/uscert/ics/advisories/icsma-20-296-02"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "value": "B. Braun recommends applying updates:\n\n    SpaceCom: Version U62 or later (United States), L82 or later (outside the United States)\n    Battery Pack SP with Wi-Fi: Version U62 or later (United States), L82 or later (outside the United States)\n    Data module compactplus: Version A12 or later\n\nPlease contact your local B. Braun organization to request further help. For more information please see the B. Braun Security Advisory.  https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html\n"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "B. Braun SpaceCom, Battery Pack SP with Wi-Fi, and Data module compactplus",
          "workarounds": [
            {
              "lang": "en",
              "value": "As a general security measure, B. Braun recommends protecting the network with appropriate mechanisms:\n\n    Ensure the devices are not accessible directly from the Internet.\n    Use a firewall and isolate the medical devices from the business network. \n\nPlease contact your local B. Braun organization to request further help. For more information please see the B. Braun Security Advisory.  https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html"
            }
          ],
          "x_generator": {
            "engine": "Vulnogram 0.0.9"
          },
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "ics-cert@hq.dhs.gov",
              "ID": "CVE-2020-25164",
              "STATE": "PUBLIC",
              "TITLE": "B. Braun SpaceCom, Battery Pack SP with Wi-Fi, and Data module compactplus"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "SpaceCom",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c=",
                                "version_value": "U61"
                              },
                              {
                                "version_affected": "\u003c=",
                                "version_value": "L81"
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "Battery pack with Wi-Fi",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c=",
                                "version_value": "U61"
                              },
                              {
                                "version_affected": "\u003c=",
                                "version_value": "L81"
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "Data module compactplus",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "=",
                                "version_value": "A10"
                              },
                              {
                                "version_affected": "=",
                                "version_value": "A11"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "B. Braun Melsungen AG"
                  }
                ]
              }
            },
            "credit": [
              {
                "lang": "eng",
                "value": "Julian Suleder, Nils Emmerich, and Birk Kauer of ERNW Research GmbH; Dr. Oliver Matula of ERNW Enno Rey Netzwerke GmbH, reported these vulnerabilities to the Federal Office for Information Security (BSI), Germany, in the context of the BSI project ManiMed (Manipulation of medical devices)."
              }
            ],
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "A vulnerability in the B. Braun Melsungen AG SpaceCom Version L81/U61 and earlier, and the Data module compactplus Versions A10 and A11 allows attackers to recover user credentials of the administrative interface."
                }
              ]
            },
            "generator": {
              "engine": "Vulnogram 0.0.9"
            },
            "impact": {
              "cvss": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 6.5,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
                "version": "3.1"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-759: Use of a One-Way Hash without a Salt"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://www.cisa.gov/uscert/ics/advisories/icsma-20-296-02",
                  "refsource": "CONFIRM",
                  "url": "https://www.cisa.gov/uscert/ics/advisories/icsma-20-296-02"
                },
                {
                  "name": "https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html",
                  "refsource": "CONFIRM",
                  "url": "https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html"
                }
              ]
            },
            "solution": [
              {
                "lang": "en",
                "value": "B. Braun recommends applying updates:\n\n    SpaceCom: Version U62 or later (United States), L82 or later (outside the United States)\n    Battery Pack SP with Wi-Fi: Version U62 or later (United States), L82 or later (outside the United States)\n    Data module compactplus: Version A12 or later\n\nPlease contact your local B. Braun organization to request further help. For more information please see the B. Braun Security Advisory.  https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html\n"
              }
            ],
            "source": {
              "discovery": "EXTERNAL"
            },
            "work_around": [
              {
                "lang": "en",
                "value": "As a general security measure, B. Braun recommends protecting the network with appropriate mechanisms:\n\n    Ensure the devices are not accessible directly from the Internet.\n    Use a firewall and isolate the medical devices from the business network. \n\nPlease contact your local B. Braun organization to request further help. For more information please see the B. Braun Security Advisory.  https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html"
              }
            ]
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
        "assignerShortName": "icscert",
        "cveId": "CVE-2020-25164",
        "datePublished": "2022-04-14T20:06:00.000Z",
        "dateReserved": "2020-09-04T00:00:00.000Z",
        "dateUpdated": "2025-04-16T16:29:36.723Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2020-25162 (GCVE-0-2020-25162)

    Vulnerability from nvd – Published: 2022-04-14 20:05 – Updated: 2025-04-16 16:29
    VLAI
    Title
    B. Braun SpaceCom, Battery Pack SP with Wi-Fi, and Data module compactplus
    Summary
    A XPath injection vulnerability in the B. Braun Melsungen AG SpaceCom Version L81/U61 and earlier, and the Data module compactplus Versions A10 and A11 allows unauthenticated remote attackers to access sensitive information and escalate privileges.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    References
    Impacted products
    Vendor Product Version
    B. Braun Melsungen AG SpaceCom Affected: unspecified , ≤ U61 (custom)
    Affected: unspecified , ≤ L81 (custom)
    Create a notification for this product.
    B. Braun Melsungen AG Battery pack with Wi-Fi Affected: unspecified , ≤ U61 (custom)
    Affected: unspecified , ≤ L81 (custom)
    Create a notification for this product.
    B. Braun Melsungen AG Data module compactplus Affected: A10
    Affected: A11
    Create a notification for this product.
    Credits
    Julian Suleder, Nils Emmerich, and Birk Kauer of ERNW Research GmbH; Dr. Oliver Matula of ERNW Enno Rey Netzwerke GmbH, reported these vulnerabilities to the Federal Office for Information Security (BSI), Germany, in the context of the BSI project ManiMed (Manipulation of medical devices).
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T15:26:10.163Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://www.cisa.gov/uscert/ics/advisories/icsma-20-296-02"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2020-25162",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-04-16T15:57:38.755895Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-04-16T16:29:59.860Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "SpaceCom",
              "vendor": "B. Braun Melsungen AG",
              "versions": [
                {
                  "lessThanOrEqual": "U61",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                },
                {
                  "lessThanOrEqual": "L81",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            },
            {
              "product": "Battery pack with Wi-Fi",
              "vendor": "B. Braun Melsungen AG",
              "versions": [
                {
                  "lessThanOrEqual": "U61",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                },
                {
                  "lessThanOrEqual": "L81",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            },
            {
              "product": "Data module compactplus",
              "vendor": "B. Braun Melsungen AG",
              "versions": [
                {
                  "status": "affected",
                  "version": "A10"
                },
                {
                  "status": "affected",
                  "version": "A11"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Julian Suleder, Nils Emmerich, and Birk Kauer of ERNW Research GmbH; Dr. Oliver Matula of ERNW Enno Rey Netzwerke GmbH, reported these vulnerabilities to the Federal Office for Information Security (BSI), Germany, in the context of the BSI project ManiMed (Manipulation of medical devices)."
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A XPath injection vulnerability in the B. Braun Melsungen AG SpaceCom Version L81/U61 and earlier, and the Data module compactplus Versions A10 and A11 allows unauthenticated remote attackers to access sensitive information and escalate privileges."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-643",
                  "description": "CWE-643: XPath Injection",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-04-14T20:05:57.000Z",
            "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
            "shortName": "icscert"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://www.cisa.gov/uscert/ics/advisories/icsma-20-296-02"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "value": "B. Braun recommends applying updates:\n\n    SpaceCom: Version U62 or later (United States), L82 or later (outside the United States)\n    Battery Pack SP with Wi-Fi: Version U62 or later (United States), L82 or later (outside the United States)\n    Data module compactplus: Version A12 or later\n\nPlease contact your local B. Braun organization to request further help. For more information please see the B. Braun Security Advisory.  https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html\n"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "B. Braun SpaceCom, Battery Pack SP with Wi-Fi, and Data module compactplus",
          "workarounds": [
            {
              "lang": "en",
              "value": "As a general security measure, B. Braun recommends protecting the network with appropriate mechanisms:\n\n    Ensure the devices are not accessible directly from the Internet.\n    Use a firewall and isolate the medical devices from the business network. \n\nPlease contact your local B. Braun organization to request further help. For more information please see the B. Braun Security Advisory.  https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html"
            }
          ],
          "x_generator": {
            "engine": "Vulnogram 0.0.9"
          },
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "ics-cert@hq.dhs.gov",
              "ID": "CVE-2020-25162",
              "STATE": "PUBLIC",
              "TITLE": "B. Braun SpaceCom, Battery Pack SP with Wi-Fi, and Data module compactplus"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "SpaceCom",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c=",
                                "version_value": "U61"
                              },
                              {
                                "version_affected": "\u003c=",
                                "version_value": "L81"
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "Battery pack with Wi-Fi",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c=",
                                "version_value": "U61"
                              },
                              {
                                "version_affected": "\u003c=",
                                "version_value": "L81"
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "Data module compactplus",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "=",
                                "version_value": "A10"
                              },
                              {
                                "version_affected": "=",
                                "version_value": "A11"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "B. Braun Melsungen AG"
                  }
                ]
              }
            },
            "credit": [
              {
                "lang": "eng",
                "value": "Julian Suleder, Nils Emmerich, and Birk Kauer of ERNW Research GmbH; Dr. Oliver Matula of ERNW Enno Rey Netzwerke GmbH, reported these vulnerabilities to the Federal Office for Information Security (BSI), Germany, in the context of the BSI project ManiMed (Manipulation of medical devices)."
              }
            ],
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "A XPath injection vulnerability in the B. Braun Melsungen AG SpaceCom Version L81/U61 and earlier, and the Data module compactplus Versions A10 and A11 allows unauthenticated remote attackers to access sensitive information and escalate privileges."
                }
              ]
            },
            "generator": {
              "engine": "Vulnogram 0.0.9"
            },
            "impact": {
              "cvss": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
                "version": "3.1"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-643: XPath Injection"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://www.cisa.gov/uscert/ics/advisories/icsma-20-296-02",
                  "refsource": "CONFIRM",
                  "url": "https://www.cisa.gov/uscert/ics/advisories/icsma-20-296-02"
                },
                {
                  "name": "https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html",
                  "refsource": "CONFIRM",
                  "url": "https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html"
                }
              ]
            },
            "solution": [
              {
                "lang": "en",
                "value": "B. Braun recommends applying updates:\n\n    SpaceCom: Version U62 or later (United States), L82 or later (outside the United States)\n    Battery Pack SP with Wi-Fi: Version U62 or later (United States), L82 or later (outside the United States)\n    Data module compactplus: Version A12 or later\n\nPlease contact your local B. Braun organization to request further help. For more information please see the B. Braun Security Advisory.  https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html\n"
              }
            ],
            "source": {
              "discovery": "EXTERNAL"
            },
            "work_around": [
              {
                "lang": "en",
                "value": "As a general security measure, B. Braun recommends protecting the network with appropriate mechanisms:\n\n    Ensure the devices are not accessible directly from the Internet.\n    Use a firewall and isolate the medical devices from the business network. \n\nPlease contact your local B. Braun organization to request further help. For more information please see the B. Braun Security Advisory.  https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html"
              }
            ]
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
        "assignerShortName": "icscert",
        "cveId": "CVE-2020-25162",
        "datePublished": "2022-04-14T20:05:57.000Z",
        "dateReserved": "2020-09-04T00:00:00.000Z",
        "dateUpdated": "2025-04-16T16:29:59.860Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2020-25160 (GCVE-0-2020-25160)

    Vulnerability from nvd – Published: 2022-04-14 20:05 – Updated: 2025-04-16 16:30
    VLAI
    Title
    B. Braun SpaceCom, Battery Pack SP with Wi-Fi, and Data module compactplus
    Summary
    Improper access controls in the B. Braun Melsungen AG SpaceCom Version L81/U61 and earlier, and the Data module compactplus Versions A10 and A11 enables attackers to extract and tamper with the devices network configuration.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-284 - Improper Access Control
    Assigner
    References
    Impacted products
    Vendor Product Version
    B. Braun Melsungen AG SpaceCom Affected: unspecified , ≤ U61 (custom)
    Affected: unspecified , ≤ L81 (custom)
    Create a notification for this product.
    B. Braun Melsungen AG Battery pack with Wi-Fi Affected: unspecified , ≤ U61 (custom)
    Affected: unspecified , ≤ L81 (custom)
    Create a notification for this product.
    B. Braun Melsungen AG Data module compactplus Affected: A10
    Affected: A11
    Create a notification for this product.
    Credits
    Julian Suleder, Nils Emmerich, and Birk Kauer of ERNW Research GmbH; Dr. Oliver Matula of ERNW Enno Rey Netzwerke GmbH, reported these vulnerabilities to the Federal Office for Information Security (BSI), Germany, in the context of the BSI project ManiMed (Manipulation of medical devices).
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T15:26:09.469Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://www.cisa.gov/uscert/ics/advisories/icsma-20-296-02"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2020-25160",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-04-16T15:54:31.099580Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-04-16T16:30:17.021Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "SpaceCom",
              "vendor": "B. Braun Melsungen AG",
              "versions": [
                {
                  "lessThanOrEqual": "U61",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                },
                {
                  "lessThanOrEqual": "L81",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            },
            {
              "product": "Battery pack with Wi-Fi",
              "vendor": "B. Braun Melsungen AG",
              "versions": [
                {
                  "lessThanOrEqual": "U61",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                },
                {
                  "lessThanOrEqual": "L81",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            },
            {
              "product": "Data module compactplus",
              "vendor": "B. Braun Melsungen AG",
              "versions": [
                {
                  "status": "affected",
                  "version": "A10"
                },
                {
                  "status": "affected",
                  "version": "A11"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Julian Suleder, Nils Emmerich, and Birk Kauer of ERNW Research GmbH; Dr. Oliver Matula of ERNW Enno Rey Netzwerke GmbH, reported these vulnerabilities to the Federal Office for Information Security (BSI), Germany, in the context of the BSI project ManiMed (Manipulation of medical devices)."
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Improper access controls in the B. Braun Melsungen AG SpaceCom Version L81/U61 and earlier, and the Data module compactplus Versions A10 and A11 enables attackers to extract and tamper with the devices network configuration."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "LOCAL",
                "availabilityImpact": "LOW",
                "baseScore": 6.8,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-284",
                  "description": "CWE-284: Improper Access Control",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-04-14T20:05:55.000Z",
            "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
            "shortName": "icscert"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://www.cisa.gov/uscert/ics/advisories/icsma-20-296-02"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "value": "B. Braun recommends applying updates:\n\n    SpaceCom: Version U62 or later (United States), L82 or later (outside the United States)\n    Battery Pack SP with Wi-Fi: Version U62 or later (United States), L82 or later (outside the United States)\n    Data module compactplus: Version A12 or later\n\nPlease contact your local B. Braun organization to request further help. For more information please see the B. Braun Security Advisory.  https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html\n"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "B. Braun SpaceCom, Battery Pack SP with Wi-Fi, and Data module compactplus",
          "workarounds": [
            {
              "lang": "en",
              "value": "As a general security measure, B. Braun recommends protecting the network with appropriate mechanisms:\n\n    Ensure the devices are not accessible directly from the Internet.\n    Use a firewall and isolate the medical devices from the business network. \n\nPlease contact your local B. Braun organization to request further help. For more information please see the B. Braun Security Advisory.  https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html"
            }
          ],
          "x_generator": {
            "engine": "Vulnogram 0.0.9"
          },
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "ics-cert@hq.dhs.gov",
              "ID": "CVE-2020-25160",
              "STATE": "PUBLIC",
              "TITLE": "B. Braun SpaceCom, Battery Pack SP with Wi-Fi, and Data module compactplus"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "SpaceCom",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c=",
                                "version_value": "U61"
                              },
                              {
                                "version_affected": "\u003c=",
                                "version_value": "L81"
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "Battery pack with Wi-Fi",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c=",
                                "version_value": "U61"
                              },
                              {
                                "version_affected": "\u003c=",
                                "version_value": "L81"
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "Data module compactplus",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "=",
                                "version_value": "A10"
                              },
                              {
                                "version_affected": "=",
                                "version_value": "A11"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "B. Braun Melsungen AG"
                  }
                ]
              }
            },
            "credit": [
              {
                "lang": "eng",
                "value": "Julian Suleder, Nils Emmerich, and Birk Kauer of ERNW Research GmbH; Dr. Oliver Matula of ERNW Enno Rey Netzwerke GmbH, reported these vulnerabilities to the Federal Office for Information Security (BSI), Germany, in the context of the BSI project ManiMed (Manipulation of medical devices)."
              }
            ],
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Improper access controls in the B. Braun Melsungen AG SpaceCom Version L81/U61 and earlier, and the Data module compactplus Versions A10 and A11 enables attackers to extract and tamper with the devices network configuration."
                }
              ]
            },
            "generator": {
              "engine": "Vulnogram 0.0.9"
            },
            "impact": {
              "cvss": {
                "attackComplexity": "LOW",
                "attackVector": "LOCAL",
                "availabilityImpact": "LOW",
                "baseScore": 6.8,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L",
                "version": "3.1"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-284: Improper Access Control"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://www.cisa.gov/uscert/ics/advisories/icsma-20-296-02",
                  "refsource": "CONFIRM",
                  "url": "https://www.cisa.gov/uscert/ics/advisories/icsma-20-296-02"
                },
                {
                  "name": "https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html",
                  "refsource": "CONFIRM",
                  "url": "https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html"
                }
              ]
            },
            "solution": [
              {
                "lang": "en",
                "value": "B. Braun recommends applying updates:\n\n    SpaceCom: Version U62 or later (United States), L82 or later (outside the United States)\n    Battery Pack SP with Wi-Fi: Version U62 or later (United States), L82 or later (outside the United States)\n    Data module compactplus: Version A12 or later\n\nPlease contact your local B. Braun organization to request further help. For more information please see the B. Braun Security Advisory.  https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html\n"
              }
            ],
            "source": {
              "discovery": "EXTERNAL"
            },
            "work_around": [
              {
                "lang": "en",
                "value": "As a general security measure, B. Braun recommends protecting the network with appropriate mechanisms:\n\n    Ensure the devices are not accessible directly from the Internet.\n    Use a firewall and isolate the medical devices from the business network. \n\nPlease contact your local B. Braun organization to request further help. For more information please see the B. Braun Security Advisory.  https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html"
              }
            ]
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
        "assignerShortName": "icscert",
        "cveId": "CVE-2020-25160",
        "datePublished": "2022-04-14T20:05:55.000Z",
        "dateReserved": "2020-09-04T00:00:00.000Z",
        "dateUpdated": "2025-04-16T16:30:17.021Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2020-25158 (GCVE-0-2020-25158)

    Vulnerability from nvd – Published: 2022-04-14 20:05 – Updated: 2025-04-16 16:30
    VLAI
    Title
    B. Braun SpaceCom, Battery Pack SP with Wi-Fi, and Data module compactplus
    Summary
    A reflected cross-site scripting (XSS) vulnerability in the B. Braun Melsungen AG SpaceCom Version L81/U61 and earlier, and the Data module compactplus Versions A10 and A11 allows remote attackers to inject arbitrary web script or HTML into various locations.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Cross-site Scripting
    Assigner
    References
    Impacted products
    Vendor Product Version
    B. Braun Melsungen AG SpaceCom Affected: unspecified , ≤ U61 (custom)
    Affected: unspecified , ≤ L81 (custom)
    Create a notification for this product.
    B. Braun Melsungen AG Battery pack with Wi-Fi Affected: unspecified , ≤ U61 (custom)
    Affected: unspecified , ≤ L81 (custom)
    Create a notification for this product.
    B. Braun Melsungen AG Data module compactplus Affected: A10
    Affected: A11
    Create a notification for this product.
    Credits
    Julian Suleder, Nils Emmerich, and Birk Kauer of ERNW Research GmbH; Dr. Oliver Matula of ERNW Enno Rey Netzwerke GmbH, reported these vulnerabilities to the Federal Office for Information Security (BSI), Germany, in the context of the BSI project ManiMed (Manipulation of medical devices).
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T15:26:10.212Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://www.cisa.gov/uscert/ics/advisories/icsma-20-296-02"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2020-25158",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-04-16T15:54:28.036554Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-04-16T16:30:09.180Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "SpaceCom",
              "vendor": "B. Braun Melsungen AG",
              "versions": [
                {
                  "lessThanOrEqual": "U61",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                },
                {
                  "lessThanOrEqual": "L81",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            },
            {
              "product": "Battery pack with Wi-Fi",
              "vendor": "B. Braun Melsungen AG",
              "versions": [
                {
                  "lessThanOrEqual": "U61",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                },
                {
                  "lessThanOrEqual": "L81",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            },
            {
              "product": "Data module compactplus",
              "vendor": "B. Braun Melsungen AG",
              "versions": [
                {
                  "status": "affected",
                  "version": "A10"
                },
                {
                  "status": "affected",
                  "version": "A11"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Julian Suleder, Nils Emmerich, and Birk Kauer of ERNW Research GmbH; Dr. Oliver Matula of ERNW Enno Rey Netzwerke GmbH, reported these vulnerabilities to the Federal Office for Information Security (BSI), Germany, in the context of the BSI project ManiMed (Manipulation of medical devices)."
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A reflected cross-site scripting (XSS) vulnerability in the B. Braun Melsungen AG SpaceCom Version L81/U61 and earlier, and the Data module compactplus Versions A10 and A11 allows remote attackers to inject arbitrary web script or HTML into various locations."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 7.6,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:L",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79: Cross-site Scripting",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-04-14T20:05:56.000Z",
            "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
            "shortName": "icscert"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://www.cisa.gov/uscert/ics/advisories/icsma-20-296-02"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "value": "B. Braun recommends applying updates:\n\n    SpaceCom: Version U62 or later (United States), L82 or later (outside the United States)\n    Battery Pack SP with Wi-Fi: Version U62 or later (United States), L82 or later (outside the United States)\n    Data module compactplus: Version A12 or later\n\nPlease contact your local B. Braun organization to request further help. For more information please see the B. Braun Security Advisory.  https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html\n"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "B. Braun SpaceCom, Battery Pack SP with Wi-Fi, and Data module compactplus",
          "workarounds": [
            {
              "lang": "en",
              "value": "As a general security measure, B. Braun recommends protecting the network with appropriate mechanisms:\n\n    Ensure the devices are not accessible directly from the Internet.\n    Use a firewall and isolate the medical devices from the business network. \n\nPlease contact your local B. Braun organization to request further help. For more information please see the B. Braun Security Advisory.  https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html"
            }
          ],
          "x_generator": {
            "engine": "Vulnogram 0.0.9"
          },
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "ics-cert@hq.dhs.gov",
              "ID": "CVE-2020-25158",
              "STATE": "PUBLIC",
              "TITLE": "B. Braun SpaceCom, Battery Pack SP with Wi-Fi, and Data module compactplus"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "SpaceCom",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c=",
                                "version_value": "U61"
                              },
                              {
                                "version_affected": "\u003c=",
                                "version_value": "L81"
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "Battery pack with Wi-Fi",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c=",
                                "version_value": "U61"
                              },
                              {
                                "version_affected": "\u003c=",
                                "version_value": "L81"
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "Data module compactplus",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "=",
                                "version_value": "A10"
                              },
                              {
                                "version_affected": "=",
                                "version_value": "A11"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "B. Braun Melsungen AG"
                  }
                ]
              }
            },
            "credit": [
              {
                "lang": "eng",
                "value": "Julian Suleder, Nils Emmerich, and Birk Kauer of ERNW Research GmbH; Dr. Oliver Matula of ERNW Enno Rey Netzwerke GmbH, reported these vulnerabilities to the Federal Office for Information Security (BSI), Germany, in the context of the BSI project ManiMed (Manipulation of medical devices)."
              }
            ],
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "A reflected cross-site scripting (XSS) vulnerability in the B. Braun Melsungen AG SpaceCom Version L81/U61 and earlier, and the Data module compactplus Versions A10 and A11 allows remote attackers to inject arbitrary web script or HTML into various locations."
                }
              ]
            },
            "generator": {
              "engine": "Vulnogram 0.0.9"
            },
            "impact": {
              "cvss": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 7.6,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:L",
                "version": "3.1"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-79: Cross-site Scripting"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://www.cisa.gov/uscert/ics/advisories/icsma-20-296-02",
                  "refsource": "CONFIRM",
                  "url": "https://www.cisa.gov/uscert/ics/advisories/icsma-20-296-02"
                },
                {
                  "name": "https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html",
                  "refsource": "CONFIRM",
                  "url": "https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html"
                }
              ]
            },
            "solution": [
              {
                "lang": "en",
                "value": "B. Braun recommends applying updates:\n\n    SpaceCom: Version U62 or later (United States), L82 or later (outside the United States)\n    Battery Pack SP with Wi-Fi: Version U62 or later (United States), L82 or later (outside the United States)\n    Data module compactplus: Version A12 or later\n\nPlease contact your local B. Braun organization to request further help. For more information please see the B. Braun Security Advisory.  https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html\n"
              }
            ],
            "source": {
              "discovery": "EXTERNAL"
            },
            "work_around": [
              {
                "lang": "en",
                "value": "As a general security measure, B. Braun recommends protecting the network with appropriate mechanisms:\n\n    Ensure the devices are not accessible directly from the Internet.\n    Use a firewall and isolate the medical devices from the business network. \n\nPlease contact your local B. Braun organization to request further help. For more information please see the B. Braun Security Advisory.  https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html"
              }
            ]
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
        "assignerShortName": "icscert",
        "cveId": "CVE-2020-25158",
        "datePublished": "2022-04-14T20:05:56.000Z",
        "dateReserved": "2020-09-04T00:00:00.000Z",
        "dateUpdated": "2025-04-16T16:30:09.180Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2020-25156 (GCVE-0-2020-25156)

    Vulnerability from nvd – Published: 2022-04-14 20:05 – Updated: 2025-04-16 17:55
    VLAI
    Title
    B. Braun SpaceCom, Battery Pack SP with Wi-Fi, and Data module compactplus
    Summary
    Active debug code in the B. Braun Melsungen AG SpaceCom Version L8/U61, and the Data module compactplus Versions A10 and A11 and earlier enables attackers in possession of cryptographic material to access the device as root.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    References
    Impacted products
    Vendor Product Version
    B. Braun Melsungen AG SpaceCom Affected: unspecified , ≤ U61 (custom)
    Affected: unspecified , ≤ L81 (custom)
    Create a notification for this product.
    B. Braun Melsungen AG Battery pack with Wi-Fi Affected: unspecified , ≤ U61 (custom)
    Affected: unspecified , ≤ L81 (custom)
    Create a notification for this product.
    B. Braun Melsungen AG Data module compactplus Affected: A10
    Affected: A11
    Create a notification for this product.
    Credits
    Julian Suleder, Nils Emmerich, and Birk Kauer of ERNW Research GmbH; Dr. Oliver Matula of ERNW Enno Rey Netzwerke GmbH, reported these vulnerabilities to the Federal Office for Information Security (BSI), Germany, in the context of the BSI project ManiMed (Manipulation of medical devices).
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T15:26:09.778Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://www.cisa.gov/uscert/ics/advisories/icsma-20-296-02"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2020-25156",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-04-16T17:29:43.063614Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-04-16T17:55:34.722Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "SpaceCom",
              "vendor": "B. Braun Melsungen AG",
              "versions": [
                {
                  "lessThanOrEqual": "U61",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                },
                {
                  "lessThanOrEqual": "L81",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            },
            {
              "product": "Battery pack with Wi-Fi",
              "vendor": "B. Braun Melsungen AG",
              "versions": [
                {
                  "lessThanOrEqual": "U61",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                },
                {
                  "lessThanOrEqual": "L81",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            },
            {
              "product": "Data module compactplus",
              "vendor": "B. Braun Melsungen AG",
              "versions": [
                {
                  "status": "affected",
                  "version": "A10"
                },
                {
                  "status": "affected",
                  "version": "A11"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Julian Suleder, Nils Emmerich, and Birk Kauer of ERNW Research GmbH; Dr. Oliver Matula of ERNW Enno Rey Netzwerke GmbH, reported these vulnerabilities to the Federal Office for Information Security (BSI), Germany, in the context of the BSI project ManiMed (Manipulation of medical devices)."
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Active debug code in the B. Braun Melsungen AG SpaceCom Version L8/U61, and the Data module compactplus Versions A10 and A11 and earlier enables attackers in possession of cryptographic material to access the device as root."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 7.2,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "HIGH",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-489",
                  "description": "CWE-489: Active Debug Code",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-04-14T20:05:53.000Z",
            "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
            "shortName": "icscert"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://www.cisa.gov/uscert/ics/advisories/icsma-20-296-02"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "value": "B. Braun recommends applying updates:\n\n    SpaceCom: Version U62 or later (United States), L82 or later (outside the United States)\n    Battery Pack SP with Wi-Fi: Version U62 or later (United States), L82 or later (outside the United States)\n    Data module compactplus: Version A12 or later\n\nPlease contact your local B. Braun organization to request further help. For more information please see the B. Braun Security Advisory.  https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html\n"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "B. Braun SpaceCom, Battery Pack SP with Wi-Fi, and Data module compactplus",
          "workarounds": [
            {
              "lang": "en",
              "value": "As a general security measure, B. Braun recommends protecting the network with appropriate mechanisms:\n\n    Ensure the devices are not accessible directly from the Internet.\n    Use a firewall and isolate the medical devices from the business network. \n\nPlease contact your local B. Braun organization to request further help. For more information please see the B. Braun Security Advisory.  https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html"
            }
          ],
          "x_generator": {
            "engine": "Vulnogram 0.0.9"
          },
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "ics-cert@hq.dhs.gov",
              "ID": "CVE-2020-25156",
              "STATE": "PUBLIC",
              "TITLE": "B. Braun SpaceCom, Battery Pack SP with Wi-Fi, and Data module compactplus"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "SpaceCom",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c=",
                                "version_value": "U61"
                              },
                              {
                                "version_affected": "\u003c=",
                                "version_value": "L81"
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "Battery pack with Wi-Fi",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c=",
                                "version_value": "U61"
                              },
                              {
                                "version_affected": "\u003c=",
                                "version_value": "L81"
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "Data module compactplus",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "=",
                                "version_value": "A10"
                              },
                              {
                                "version_affected": "=",
                                "version_value": "A11"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "B. Braun Melsungen AG"
                  }
                ]
              }
            },
            "credit": [
              {
                "lang": "eng",
                "value": "Julian Suleder, Nils Emmerich, and Birk Kauer of ERNW Research GmbH; Dr. Oliver Matula of ERNW Enno Rey Netzwerke GmbH, reported these vulnerabilities to the Federal Office for Information Security (BSI), Germany, in the context of the BSI project ManiMed (Manipulation of medical devices)."
              }
            ],
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Active debug code in the B. Braun Melsungen AG SpaceCom Version L8/U61, and the Data module compactplus Versions A10 and A11 and earlier enables attackers in possession of cryptographic material to access the device as root."
                }
              ]
            },
            "generator": {
              "engine": "Vulnogram 0.0.9"
            },
            "impact": {
              "cvss": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 7.2,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "HIGH",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-489: Active Debug Code"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://www.cisa.gov/uscert/ics/advisories/icsma-20-296-02",
                  "refsource": "CONFIRM",
                  "url": "https://www.cisa.gov/uscert/ics/advisories/icsma-20-296-02"
                },
                {
                  "name": "https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html",
                  "refsource": "CONFIRM",
                  "url": "https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html"
                }
              ]
            },
            "solution": [
              {
                "lang": "en",
                "value": "B. Braun recommends applying updates:\n\n    SpaceCom: Version U62 or later (United States), L82 or later (outside the United States)\n    Battery Pack SP with Wi-Fi: Version U62 or later (United States), L82 or later (outside the United States)\n    Data module compactplus: Version A12 or later\n\nPlease contact your local B. Braun organization to request further help. For more information please see the B. Braun Security Advisory.  https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html\n"
              }
            ],
            "source": {
              "discovery": "EXTERNAL"
            },
            "work_around": [
              {
                "lang": "en",
                "value": "As a general security measure, B. Braun recommends protecting the network with appropriate mechanisms:\n\n    Ensure the devices are not accessible directly from the Internet.\n    Use a firewall and isolate the medical devices from the business network. \n\nPlease contact your local B. Braun organization to request further help. For more information please see the B. Braun Security Advisory.  https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html"
              }
            ]
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
        "assignerShortName": "icscert",
        "cveId": "CVE-2020-25156",
        "datePublished": "2022-04-14T20:05:53.000Z",
        "dateReserved": "2020-09-04T00:00:00.000Z",
        "dateUpdated": "2025-04-16T17:55:34.722Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2020-25154 (GCVE-0-2020-25154)

    Vulnerability from nvd – Published: 2022-04-14 20:05 – Updated: 2025-04-16 16:29
    VLAI
    Title
    B. Braun SpaceCom, Battery Pack SP with Wi-Fi, and Data module compactplus
    Summary
    An open redirect vulnerability in the administrative interface of the B. Braun Melsungen AG SpaceCom device Version L81/U61 and earlier, and the Data module compactplus Versions A10 and A11 allows attackers to redirect users to malicious websites.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    References
    Impacted products
    Vendor Product Version
    B. Braun Melsungen AG SpaceCom Affected: unspecified , ≤ U61 (custom)
    Affected: unspecified , ≤ L81 (custom)
    Create a notification for this product.
    B. Braun Melsungen AG Battery pack with Wi-Fi Affected: unspecified , ≤ U61 (custom)
    Affected: unspecified , ≤ L81 (custom)
    Create a notification for this product.
    B. Braun Melsungen AG Data module compactplus Affected: A10
    Affected: A11
    Create a notification for this product.
    Credits
    Julian Suleder, Nils Emmerich, and Birk Kauer of ERNW Research GmbH; Dr. Oliver Matula of ERNW Enno Rey Netzwerke GmbH, reported these vulnerabilities to the Federal Office for Information Security (BSI), Germany, in the context of the BSI project ManiMed (Manipulation of medical devices).
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T15:26:10.179Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://www.cisa.gov/uscert/ics/advisories/icsma-20-296-02"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2020-25154",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-04-16T15:54:23.787363Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-04-16T16:29:52.798Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "SpaceCom",
              "vendor": "B. Braun Melsungen AG",
              "versions": [
                {
                  "lessThanOrEqual": "U61",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                },
                {
                  "lessThanOrEqual": "L81",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            },
            {
              "product": "Battery pack with Wi-Fi",
              "vendor": "B. Braun Melsungen AG",
              "versions": [
                {
                  "lessThanOrEqual": "U61",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                },
                {
                  "lessThanOrEqual": "L81",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            },
            {
              "product": "Data module compactplus",
              "vendor": "B. Braun Melsungen AG",
              "versions": [
                {
                  "status": "affected",
                  "version": "A10"
                },
                {
                  "status": "affected",
                  "version": "A11"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Julian Suleder, Nils Emmerich, and Birk Kauer of ERNW Research GmbH; Dr. Oliver Matula of ERNW Enno Rey Netzwerke GmbH, reported these vulnerabilities to the Federal Office for Information Security (BSI), Germany, in the context of the BSI project ManiMed (Manipulation of medical devices)."
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "An open redirect vulnerability in the administrative interface of the B. Braun Melsungen AG SpaceCom device Version L81/U61 and earlier, and the Data module compactplus Versions A10 and A11 allows attackers to redirect users to malicious websites."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 5.4,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-601",
                  "description": "CWE-601: Open Redirect",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-04-14T20:05:58.000Z",
            "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
            "shortName": "icscert"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://www.cisa.gov/uscert/ics/advisories/icsma-20-296-02"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "value": "B. Braun recommends applying updates:\n\n    SpaceCom: Version U62 or later (United States), L82 or later (outside the United States)\n    Battery Pack SP with Wi-Fi: Version U62 or later (United States), L82 or later (outside the United States)\n    Data module compactplus: Version A12 or later\n\nPlease contact your local B. Braun organization to request further help. For more information please see the B. Braun Security Advisory.  https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html\n"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "B. Braun SpaceCom, Battery Pack SP with Wi-Fi, and Data module compactplus",
          "workarounds": [
            {
              "lang": "en",
              "value": "As a general security measure, B. Braun recommends protecting the network with appropriate mechanisms:\n\n    Ensure the devices are not accessible directly from the Internet.\n    Use a firewall and isolate the medical devices from the business network. \n\nPlease contact your local B. Braun organization to request further help. For more information please see the B. Braun Security Advisory.  https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html"
            }
          ],
          "x_generator": {
            "engine": "Vulnogram 0.0.9"
          },
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "ics-cert@hq.dhs.gov",
              "ID": "CVE-2020-25154",
              "STATE": "PUBLIC",
              "TITLE": "B. Braun SpaceCom, Battery Pack SP with Wi-Fi, and Data module compactplus"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "SpaceCom",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c=",
                                "version_value": "U61"
                              },
                              {
                                "version_affected": "\u003c=",
                                "version_value": "L81"
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "Battery pack with Wi-Fi",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c=",
                                "version_value": "U61"
                              },
                              {
                                "version_affected": "\u003c=",
                                "version_value": "L81"
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "Data module compactplus",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "=",
                                "version_value": "A10"
                              },
                              {
                                "version_affected": "=",
                                "version_value": "A11"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "B. Braun Melsungen AG"
                  }
                ]
              }
            },
            "credit": [
              {
                "lang": "eng",
                "value": "Julian Suleder, Nils Emmerich, and Birk Kauer of ERNW Research GmbH; Dr. Oliver Matula of ERNW Enno Rey Netzwerke GmbH, reported these vulnerabilities to the Federal Office for Information Security (BSI), Germany, in the context of the BSI project ManiMed (Manipulation of medical devices)."
              }
            ],
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "An open redirect vulnerability in the administrative interface of the B. Braun Melsungen AG SpaceCom device Version L81/U61 and earlier, and the Data module compactplus Versions A10 and A11 allows attackers to redirect users to malicious websites."
                }
              ]
            },
            "generator": {
              "engine": "Vulnogram 0.0.9"
            },
            "impact": {
              "cvss": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 5.4,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N",
                "version": "3.1"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-601: Open Redirect"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://www.cisa.gov/uscert/ics/advisories/icsma-20-296-02",
                  "refsource": "CONFIRM",
                  "url": "https://www.cisa.gov/uscert/ics/advisories/icsma-20-296-02"
                },
                {
                  "name": "https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html",
                  "refsource": "CONFIRM",
                  "url": "https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html"
                }
              ]
            },
            "solution": [
              {
                "lang": "en",
                "value": "B. Braun recommends applying updates:\n\n    SpaceCom: Version U62 or later (United States), L82 or later (outside the United States)\n    Battery Pack SP with Wi-Fi: Version U62 or later (United States), L82 or later (outside the United States)\n    Data module compactplus: Version A12 or later\n\nPlease contact your local B. Braun organization to request further help. For more information please see the B. Braun Security Advisory.  https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html\n"
              }
            ],
            "source": {
              "discovery": "EXTERNAL"
            },
            "work_around": [
              {
                "lang": "en",
                "value": "As a general security measure, B. Braun recommends protecting the network with appropriate mechanisms:\n\n    Ensure the devices are not accessible directly from the Internet.\n    Use a firewall and isolate the medical devices from the business network. \n\nPlease contact your local B. Braun organization to request further help. For more information please see the B. Braun Security Advisory.  https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html"
              }
            ]
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
        "assignerShortName": "icscert",
        "cveId": "CVE-2020-25154",
        "datePublished": "2022-04-14T20:05:58.000Z",
        "dateReserved": "2020-09-04T00:00:00.000Z",
        "dateUpdated": "2025-04-16T16:29:52.798Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2020-25152 (GCVE-0-2020-25152)

    Vulnerability from nvd – Published: 2022-04-14 20:05 – Updated: 2025-04-16 16:30
    VLAI
    Title
    B. Braun SpaceCom, Battery Pack SP with Wi-Fi, and Data module compactplus
    Summary
    A session fixation vulnerability in the B. Braun Melsungen AG SpaceCom administrative interface Version L81/U61 and earlier, and the Data module compactplus Versions A10 and A11 allows remote attackers to hijack web sessions and escalate privileges.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    References
    Impacted products
    Vendor Product Version
    B. Braun Melsungen AG SpaceCom Affected: unspecified , ≤ U61 (custom)
    Affected: unspecified , ≤ L81 (custom)
    Create a notification for this product.
    B. Braun Melsungen AG Battery pack with Wi-Fi Affected: unspecified , ≤ U61 (custom)
    Affected: unspecified , ≤ L81 (custom)
    Create a notification for this product.
    B. Braun Melsungen AG Data module compactplus Affected: A10
    Affected: A11
    Create a notification for this product.
    Credits
    Julian Suleder, Nils Emmerich, and Birk Kauer of ERNW Research GmbH; Dr. Oliver Matula of ERNW Enno Rey Netzwerke GmbH, reported these vulnerabilities to the Federal Office for Information Security (BSI), Germany, in the context of the BSI project ManiMed (Manipulation of medical devices).
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T15:26:09.803Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://www.cisa.gov/uscert/ics/advisories/icsma-20-296-02"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2020-25152",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-04-16T15:54:34.665213Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-04-16T16:30:24.443Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "SpaceCom",
              "vendor": "B. Braun Melsungen AG",
              "versions": [
                {
                  "lessThanOrEqual": "U61",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                },
                {
                  "lessThanOrEqual": "L81",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            },
            {
              "product": "Battery pack with Wi-Fi",
              "vendor": "B. Braun Melsungen AG",
              "versions": [
                {
                  "lessThanOrEqual": "U61",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                },
                {
                  "lessThanOrEqual": "L81",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            },
            {
              "product": "Data module compactplus",
              "vendor": "B. Braun Melsungen AG",
              "versions": [
                {
                  "status": "affected",
                  "version": "A10"
                },
                {
                  "status": "affected",
                  "version": "A11"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Julian Suleder, Nils Emmerich, and Birk Kauer of ERNW Research GmbH; Dr. Oliver Matula of ERNW Enno Rey Netzwerke GmbH, reported these vulnerabilities to the Federal Office for Information Security (BSI), Germany, in the context of the BSI project ManiMed (Manipulation of medical devices)."
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A session fixation vulnerability in the B. Braun Melsungen AG SpaceCom administrative interface Version L81/U61 and earlier, and the Data module compactplus Versions A10 and A11 allows remote attackers to hijack web sessions and escalate privileges."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 6.5,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-384",
                  "description": "CWE-384: Session Fixation",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-04-14T20:05:55.000Z",
            "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
            "shortName": "icscert"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://www.cisa.gov/uscert/ics/advisories/icsma-20-296-02"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "value": "B. Braun recommends applying updates:\n\n    SpaceCom: Version U62 or later (United States), L82 or later (outside the United States)\n    Battery Pack SP with Wi-Fi: Version U62 or later (United States), L82 or later (outside the United States)\n    Data module compactplus: Version A12 or later\n\nPlease contact your local B. Braun organization to request further help. For more information please see the B. Braun Security Advisory.  https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html\n"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "B. Braun SpaceCom, Battery Pack SP with Wi-Fi, and Data module compactplus",
          "workarounds": [
            {
              "lang": "en",
              "value": "As a general security measure, B. Braun recommends protecting the network with appropriate mechanisms:\n\n    Ensure the devices are not accessible directly from the Internet.\n    Use a firewall and isolate the medical devices from the business network. \n\nPlease contact your local B. Braun organization to request further help. For more information please see the B. Braun Security Advisory.  https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html"
            }
          ],
          "x_generator": {
            "engine": "Vulnogram 0.0.9"
          },
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "ics-cert@hq.dhs.gov",
              "ID": "CVE-2020-25152",
              "STATE": "PUBLIC",
              "TITLE": "B. Braun SpaceCom, Battery Pack SP with Wi-Fi, and Data module compactplus"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "SpaceCom",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c=",
                                "version_value": "U61"
                              },
                              {
                                "version_affected": "\u003c=",
                                "version_value": "L81"
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "Battery pack with Wi-Fi",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c=",
                                "version_value": "U61"
                              },
                              {
                                "version_affected": "\u003c=",
                                "version_value": "L81"
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "Data module compactplus",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "=",
                                "version_value": "A10"
                              },
                              {
                                "version_affected": "=",
                                "version_value": "A11"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "B. Braun Melsungen AG"
                  }
                ]
              }
            },
            "credit": [
              {
                "lang": "eng",
                "value": "Julian Suleder, Nils Emmerich, and Birk Kauer of ERNW Research GmbH; Dr. Oliver Matula of ERNW Enno Rey Netzwerke GmbH, reported these vulnerabilities to the Federal Office for Information Security (BSI), Germany, in the context of the BSI project ManiMed (Manipulation of medical devices)."
              }
            ],
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "A session fixation vulnerability in the B. Braun Melsungen AG SpaceCom administrative interface Version L81/U61 and earlier, and the Data module compactplus Versions A10 and A11 allows remote attackers to hijack web sessions and escalate privileges."
                }
              ]
            },
            "generator": {
              "engine": "Vulnogram 0.0.9"
            },
            "impact": {
              "cvss": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 6.5,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
                "version": "3.1"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-384: Session Fixation"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://www.cisa.gov/uscert/ics/advisories/icsma-20-296-02",
                  "refsource": "CONFIRM",
                  "url": "https://www.cisa.gov/uscert/ics/advisories/icsma-20-296-02"
                },
                {
                  "name": "https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html",
                  "refsource": "CONFIRM",
                  "url": "https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html"
                }
              ]
            },
            "solution": [
              {
                "lang": "en",
                "value": "B. Braun recommends applying updates:\n\n    SpaceCom: Version U62 or later (United States), L82 or later (outside the United States)\n    Battery Pack SP with Wi-Fi: Version U62 or later (United States), L82 or later (outside the United States)\n    Data module compactplus: Version A12 or later\n\nPlease contact your local B. Braun organization to request further help. For more information please see the B. Braun Security Advisory.  https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html\n"
              }
            ],
            "source": {
              "discovery": "EXTERNAL"
            },
            "work_around": [
              {
                "lang": "en",
                "value": "As a general security measure, B. Braun recommends protecting the network with appropriate mechanisms:\n\n    Ensure the devices are not accessible directly from the Internet.\n    Use a firewall and isolate the medical devices from the business network. \n\nPlease contact your local B. Braun organization to request further help. For more information please see the B. Braun Security Advisory.  https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html"
              }
            ]
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
        "assignerShortName": "icscert",
        "cveId": "CVE-2020-25152",
        "datePublished": "2022-04-14T20:05:55.000Z",
        "dateReserved": "2020-09-04T00:00:00.000Z",
        "dateUpdated": "2025-04-16T16:30:24.443Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2020-25150 (GCVE-0-2020-25150)

    Vulnerability from nvd – Published: 2022-04-14 20:05 – Updated: 2025-04-16 16:30
    VLAI
    Title
    B. Braun SpaceCom, Battery Pack SP with Wi-Fi, and Data module compactplus
    Summary
    A relative path traversal attack in the B. Braun Melsungen AG SpaceCom Version L81/U61 and earlier, and the Data module compactplus Versions A10 and A11 allows attackers with service user privileges to upload arbitrary files. By uploading a specially crafted tar file an attacker can execute arbitrary commands.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-23 - Relative Path Traversal
    Assigner
    References
    Impacted products
    Vendor Product Version
    B. Braun Melsungen AG SpaceCom Affected: unspecified , ≤ U61 (custom)
    Affected: unspecified , ≤ L81 (custom)
    Create a notification for this product.
    B. Braun Melsungen AG Battery pack with Wi-Fi Affected: unspecified , ≤ U61 (custom)
    Affected: unspecified , ≤ L81 (custom)
    Create a notification for this product.
    B. Braun Melsungen AG Data module compactplus Affected: A10
    Affected: A11
    Create a notification for this product.
    Credits
    Julian Suleder, Nils Emmerich, and Birk Kauer of ERNW Research GmbH; Dr. Oliver Matula of ERNW Enno Rey Netzwerke GmbH, reported these vulnerabilities to the Federal Office for Information Security (BSI), Germany, in the context of the BSI project ManiMed (Manipulation of medical devices).
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T15:26:09.495Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://www.cisa.gov/uscert/ics/advisories/icsma-20-296-02"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2020-25150",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-04-16T15:54:38.970393Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-04-16T16:30:32.103Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "SpaceCom",
              "vendor": "B. Braun Melsungen AG",
              "versions": [
                {
                  "lessThanOrEqual": "U61",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                },
                {
                  "lessThanOrEqual": "L81",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            },
            {
              "product": "Battery pack with Wi-Fi",
              "vendor": "B. Braun Melsungen AG",
              "versions": [
                {
                  "lessThanOrEqual": "U61",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                },
                {
                  "lessThanOrEqual": "L81",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            },
            {
              "product": "Data module compactplus",
              "vendor": "B. Braun Melsungen AG",
              "versions": [
                {
                  "status": "affected",
                  "version": "A10"
                },
                {
                  "status": "affected",
                  "version": "A11"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Julian Suleder, Nils Emmerich, and Birk Kauer of ERNW Research GmbH; Dr. Oliver Matula of ERNW Enno Rey Netzwerke GmbH, reported these vulnerabilities to the Federal Office for Information Security (BSI), Germany, in the context of the BSI project ManiMed (Manipulation of medical devices)."
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A relative path traversal attack in the B. Braun Melsungen AG SpaceCom Version L81/U61 and earlier, and the Data module compactplus Versions A10 and A11 allows attackers with service user privileges to upload arbitrary files. By uploading a specially crafted tar file an attacker can execute arbitrary commands."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 7.6,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "LOW",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-23",
                  "description": "CWE-23: Relative Path Traversal",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-04-14T20:05:52.000Z",
            "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
            "shortName": "icscert"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://www.cisa.gov/uscert/ics/advisories/icsma-20-296-02"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "value": "B. Braun recommends applying updates:\n\n    SpaceCom: Version U62 or later (United States), L82 or later (outside the United States)\n    Battery Pack SP with Wi-Fi: Version U62 or later (United States), L82 or later (outside the United States)\n    Data module compactplus: Version A12 or later\n\nPlease contact your local B. Braun organization to request further help. For more information please see the B. Braun Security Advisory.  https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html\n"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "B. Braun SpaceCom, Battery Pack SP with Wi-Fi, and Data module compactplus",
          "workarounds": [
            {
              "lang": "en",
              "value": "As a general security measure, B. Braun recommends protecting the network with appropriate mechanisms:\n\n    Ensure the devices are not accessible directly from the Internet.\n    Use a firewall and isolate the medical devices from the business network. \n\nPlease contact your local B. Braun organization to request further help. For more information please see the B. Braun Security Advisory.  https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html"
            }
          ],
          "x_generator": {
            "engine": "Vulnogram 0.0.9"
          },
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "ics-cert@hq.dhs.gov",
              "ID": "CVE-2020-25150",
              "STATE": "PUBLIC",
              "TITLE": "B. Braun SpaceCom, Battery Pack SP with Wi-Fi, and Data module compactplus"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "SpaceCom",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c=",
                                "version_value": "U61"
                              },
                              {
                                "version_affected": "\u003c=",
                                "version_value": "L81"
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "Battery pack with Wi-Fi",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c=",
                                "version_value": "U61"
                              },
                              {
                                "version_affected": "\u003c=",
                                "version_value": "L81"
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "Data module compactplus",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "=",
                                "version_value": "A10"
                              },
                              {
                                "version_affected": "=",
                                "version_value": "A11"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "B. Braun Melsungen AG"
                  }
                ]
              }
            },
            "credit": [
              {
                "lang": "eng",
                "value": "Julian Suleder, Nils Emmerich, and Birk Kauer of ERNW Research GmbH; Dr. Oliver Matula of ERNW Enno Rey Netzwerke GmbH, reported these vulnerabilities to the Federal Office for Information Security (BSI), Germany, in the context of the BSI project ManiMed (Manipulation of medical devices)."
              }
            ],
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "A relative path traversal attack in the B. Braun Melsungen AG SpaceCom Version L81/U61 and earlier, and the Data module compactplus Versions A10 and A11 allows attackers with service user privileges to upload arbitrary files. By uploading a specially crafted tar file an attacker can execute arbitrary commands."
                }
              ]
            },
            "generator": {
              "engine": "Vulnogram 0.0.9"
            },
            "impact": {
              "cvss": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 7.6,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "LOW",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L",
                "version": "3.1"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-23: Relative Path Traversal"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://www.cisa.gov/uscert/ics/advisories/icsma-20-296-02",
                  "refsource": "CONFIRM",
                  "url": "https://www.cisa.gov/uscert/ics/advisories/icsma-20-296-02"
                },
                {
                  "name": "https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html",
                  "refsource": "CONFIRM",
                  "url": "https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html"
                }
              ]
            },
            "solution": [
              {
                "lang": "en",
                "value": "B. Braun recommends applying updates:\n\n    SpaceCom: Version U62 or later (United States), L82 or later (outside the United States)\n    Battery Pack SP with Wi-Fi: Version U62 or later (United States), L82 or later (outside the United States)\n    Data module compactplus: Version A12 or later\n\nPlease contact your local B. Braun organization to request further help. For more information please see the B. Braun Security Advisory.  https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html\n"
              }
            ],
            "source": {
              "discovery": "EXTERNAL"
            },
            "work_around": [
              {
                "lang": "en",
                "value": "As a general security measure, B. Braun recommends protecting the network with appropriate mechanisms:\n\n    Ensure the devices are not accessible directly from the Internet.\n    Use a firewall and isolate the medical devices from the business network. \n\nPlease contact your local B. Braun organization to request further help. For more information please see the B. Braun Security Advisory.  https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html"
              }
            ]
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
        "assignerShortName": "icscert",
        "cveId": "CVE-2020-25150",
        "datePublished": "2022-04-14T20:05:52.000Z",
        "dateReserved": "2020-09-04T00:00:00.000Z",
        "dateUpdated": "2025-04-16T16:30:32.103Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2020-16238 (GCVE-0-2020-16238)

    Vulnerability from nvd – Published: 2022-04-14 20:05 – Updated: 2025-04-16 17:55
    VLAI
    Title
    B. Braun SpaceCom, Battery Pack SP with Wi-Fi, and Data module compactplus
    Summary
    A vulnerability in the configuration import mechanism of the B. Braun Melsungen AG SpaceCom Version L81/U61 and earlier, and the Data module compactplus Versions A10 and A11 allows attackers with command line access to the underlying Linux system to escalate privileges to the root user.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-269 - Improper Privilege Management
    Assigner
    References
    Impacted products
    Vendor Product Version
    B. Braun Melsungen AG SpaceCom Affected: unspecified , ≤ U61 (custom)
    Affected: unspecified , ≤ L81 (custom)
    Create a notification for this product.
    B. Braun Melsungen AG Battery pack with Wi-Fi Affected: unspecified , ≤ U61 (custom)
    Affected: unspecified , ≤ L81 (custom)
    Create a notification for this product.
    B. Braun Melsungen AG Data module compactplus Affected: A10
    Affected: A11
    Create a notification for this product.
    Credits
    Julian Suleder, Nils Emmerich, and Birk Kauer of ERNW Research GmbH; Dr. Oliver Matula of ERNW Enno Rey Netzwerke GmbH, reported these vulnerabilities to the Federal Office for Information Security (BSI), Germany, in the context of the BSI project ManiMed (Manipulation of medical devices).
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T13:37:53.954Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://www.cisa.gov/uscert/ics/advisories/icsma-20-296-02"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2020-16238",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-04-16T17:29:45.935171Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-04-16T17:55:42.177Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "SpaceCom",
              "vendor": "B. Braun Melsungen AG",
              "versions": [
                {
                  "lessThanOrEqual": "U61",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                },
                {
                  "lessThanOrEqual": "L81",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            },
            {
              "product": "Battery pack with Wi-Fi",
              "vendor": "B. Braun Melsungen AG",
              "versions": [
                {
                  "lessThanOrEqual": "U61",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                },
                {
                  "lessThanOrEqual": "L81",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            },
            {
              "product": "Data module compactplus",
              "vendor": "B. Braun Melsungen AG",
              "versions": [
                {
                  "status": "affected",
                  "version": "A10"
                },
                {
                  "status": "affected",
                  "version": "A11"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Julian Suleder, Nils Emmerich, and Birk Kauer of ERNW Research GmbH; Dr. Oliver Matula of ERNW Enno Rey Netzwerke GmbH, reported these vulnerabilities to the Federal Office for Information Security (BSI), Germany, in the context of the BSI project ManiMed (Manipulation of medical devices)."
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A vulnerability in the configuration import mechanism of the B. Braun Melsungen AG SpaceCom Version L81/U61 and earlier, and the Data module compactplus Versions A10 and A11 allows attackers with command line access to the underlying Linux system to escalate privileges to the root user."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "LOCAL",
                "availabilityImpact": "HIGH",
                "baseScore": 6.7,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "HIGH",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-269",
                  "description": "CWE-269: Improper Privilege Management",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-04-14T20:05:53.000Z",
            "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
            "shortName": "icscert"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://www.cisa.gov/uscert/ics/advisories/icsma-20-296-02"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "value": "B. Braun recommends applying updates:\n\n    SpaceCom: Version U62 or later (United States), L82 or later (outside the United States)\n    Battery Pack SP with Wi-Fi: Version U62 or later (United States), L82 or later (outside the United States)\n    Data module compactplus: Version A12 or later\n\nPlease contact your local B. Braun organization to request further help. For more information please see the B. Braun Security Advisory.  https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html\n"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "B. Braun SpaceCom, Battery Pack SP with Wi-Fi, and Data module compactplus",
          "workarounds": [
            {
              "lang": "en",
              "value": "As a general security measure, B. Braun recommends protecting the network with appropriate mechanisms:\n\n    Ensure the devices are not accessible directly from the Internet.\n    Use a firewall and isolate the medical devices from the business network. \n\nPlease contact your local B. Braun organization to request further help. For more information please see the B. Braun Security Advisory.  https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html"
            }
          ],
          "x_generator": {
            "engine": "Vulnogram 0.0.9"
          },
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "ics-cert@hq.dhs.gov",
              "ID": "CVE-2020-16238",
              "STATE": "PUBLIC",
              "TITLE": "B. Braun SpaceCom, Battery Pack SP with Wi-Fi, and Data module compactplus"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "SpaceCom",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c=",
                                "version_value": "U61"
                              },
                              {
                                "version_affected": "\u003c=",
                                "version_value": "L81"
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "Battery pack with Wi-Fi",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c=",
                                "version_value": "U61"
                              },
                              {
                                "version_affected": "\u003c=",
                                "version_value": "L81"
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "Data module compactplus",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "=",
                                "version_value": "A10"
                              },
                              {
                                "version_affected": "=",
                                "version_value": "A11"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "B. Braun Melsungen AG"
                  }
                ]
              }
            },
            "credit": [
              {
                "lang": "eng",
                "value": "Julian Suleder, Nils Emmerich, and Birk Kauer of ERNW Research GmbH; Dr. Oliver Matula of ERNW Enno Rey Netzwerke GmbH, reported these vulnerabilities to the Federal Office for Information Security (BSI), Germany, in the context of the BSI project ManiMed (Manipulation of medical devices)."
              }
            ],
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "A vulnerability in the configuration import mechanism of the B. Braun Melsungen AG SpaceCom Version L81/U61 and earlier, and the Data module compactplus Versions A10 and A11 allows attackers with command line access to the underlying Linux system to escalate privileges to the root user."
                }
              ]
            },
            "generator": {
              "engine": "Vulnogram 0.0.9"
            },
            "impact": {
              "cvss": {
                "attackComplexity": "LOW",
                "attackVector": "LOCAL",
                "availabilityImpact": "HIGH",
                "baseScore": 6.7,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "HIGH",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-269: Improper Privilege Management"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://www.cisa.gov/uscert/ics/advisories/icsma-20-296-02",
                  "refsource": "CONFIRM",
                  "url": "https://www.cisa.gov/uscert/ics/advisories/icsma-20-296-02"
                },
                {
                  "name": "https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html",
                  "refsource": "CONFIRM",
                  "url": "https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html"
                }
              ]
            },
            "solution": [
              {
                "lang": "en",
                "value": "B. Braun recommends applying updates:\n\n    SpaceCom: Version U62 or later (United States), L82 or later (outside the United States)\n    Battery Pack SP with Wi-Fi: Version U62 or later (United States), L82 or later (outside the United States)\n    Data module compactplus: Version A12 or later\n\nPlease contact your local B. Braun organization to request further help. For more information please see the B. Braun Security Advisory.  https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html\n"
              }
            ],
            "source": {
              "discovery": "EXTERNAL"
            },
            "work_around": [
              {
                "lang": "en",
                "value": "As a general security measure, B. Braun recommends protecting the network with appropriate mechanisms:\n\n    Ensure the devices are not accessible directly from the Internet.\n    Use a firewall and isolate the medical devices from the business network. \n\nPlease contact your local B. Braun organization to request further help. For more information please see the B. Braun Security Advisory.  https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html"
              }
            ]
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
        "assignerShortName": "icscert",
        "cveId": "CVE-2020-16238",
        "datePublished": "2022-04-14T20:05:53.000Z",
        "dateReserved": "2020-07-31T00:00:00.000Z",
        "dateUpdated": "2025-04-16T17:55:42.177Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2020-25168 (GCVE-0-2020-25168)

    Vulnerability from cvelistv5 – Published: 2022-04-14 20:06 – Updated: 2025-04-16 16:29
    VLAI
    Title
    B. Braun SpaceCom, Battery Pack SP with Wi-Fi, and Data module compactplus
    Summary
    Hard-coded credentials in the B. Braun Melsungen AG SpaceCom Version L81/U61 and earlier, and the Data module compactplus Versions A10 and A11 enable attackers with command line access to access the device’s Wi-Fi module.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-798 - Use of Hard-coded Credentials
    Assigner
    References
    Impacted products
    Vendor Product Version
    B. Braun Melsungen AG SpaceCom Affected: unspecified , ≤ U61 (custom)
    Affected: unspecified , ≤ L81 (custom)
    Create a notification for this product.
    B. Braun Melsungen AG Battery pack with Wi-Fi Affected: unspecified , ≤ U61 (custom)
    Affected: unspecified , ≤ L81 (custom)
    Create a notification for this product.
    B. Braun Melsungen AG Data module compactplus Affected: A10
    Affected: A11
    Create a notification for this product.
    Credits
    Julian Suleder, Nils Emmerich, and Birk Kauer of ERNW Research GmbH; Dr. Oliver Matula of ERNW Enno Rey Netzwerke GmbH, reported these vulnerabilities to the Federal Office for Information Security (BSI), Germany, in the context of the BSI project ManiMed (Manipulation of medical devices).
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T15:26:10.000Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://www.cisa.gov/uscert/ics/advisories/icsma-20-296-02"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2020-25168",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-04-16T15:54:09.627996Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-04-16T16:29:29.444Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "SpaceCom",
              "vendor": "B. Braun Melsungen AG",
              "versions": [
                {
                  "lessThanOrEqual": "U61",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                },
                {
                  "lessThanOrEqual": "L81",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            },
            {
              "product": "Battery pack with Wi-Fi",
              "vendor": "B. Braun Melsungen AG",
              "versions": [
                {
                  "lessThanOrEqual": "U61",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                },
                {
                  "lessThanOrEqual": "L81",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            },
            {
              "product": "Data module compactplus",
              "vendor": "B. Braun Melsungen AG",
              "versions": [
                {
                  "status": "affected",
                  "version": "A10"
                },
                {
                  "status": "affected",
                  "version": "A11"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Julian Suleder, Nils Emmerich, and Birk Kauer of ERNW Research GmbH; Dr. Oliver Matula of ERNW Enno Rey Netzwerke GmbH, reported these vulnerabilities to the Federal Office for Information Security (BSI), Germany, in the context of the BSI project ManiMed (Manipulation of medical devices)."
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Hard-coded credentials in the B. Braun Melsungen AG SpaceCom Version L81/U61 and earlier, and the Data module compactplus Versions A10 and A11 enable attackers with command line access to access the device\u2019s Wi-Fi module."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "LOCAL",
                "availabilityImpact": "NONE",
                "baseScore": 3.3,
                "baseSeverity": "LOW",
                "confidentialityImpact": "LOW",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-798",
                  "description": "CWE-798: Use of Hard-coded Credentials",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-04-14T20:06:00.000Z",
            "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
            "shortName": "icscert"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://www.cisa.gov/uscert/ics/advisories/icsma-20-296-02"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "value": "B. Braun recommends applying updates:\n\n    SpaceCom: Version U62 or later (United States), L82 or later (outside the United States)\n    Battery Pack SP with Wi-Fi: Version U62 or later (United States), L82 or later (outside the United States)\n    Data module compactplus: Version A12 or later\n\nPlease contact your local B. Braun organization to request further help. For more information please see the B. Braun Security Advisory.  https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html\n"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "B. Braun SpaceCom, Battery Pack SP with Wi-Fi, and Data module compactplus",
          "workarounds": [
            {
              "lang": "en",
              "value": "As a general security measure, B. Braun recommends protecting the network with appropriate mechanisms:\n\n    Ensure the devices are not accessible directly from the Internet.\n    Use a firewall and isolate the medical devices from the business network. \n\nPlease contact your local B. Braun organization to request further help. For more information please see the B. Braun Security Advisory.  https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html"
            }
          ],
          "x_generator": {
            "engine": "Vulnogram 0.0.9"
          },
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "ics-cert@hq.dhs.gov",
              "ID": "CVE-2020-25168",
              "STATE": "PUBLIC",
              "TITLE": "B. Braun SpaceCom, Battery Pack SP with Wi-Fi, and Data module compactplus"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "SpaceCom",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c=",
                                "version_value": "U61"
                              },
                              {
                                "version_affected": "\u003c=",
                                "version_value": "L81"
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "Battery pack with Wi-Fi",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c=",
                                "version_value": "U61"
                              },
                              {
                                "version_affected": "\u003c=",
                                "version_value": "L81"
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "Data module compactplus",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "=",
                                "version_value": "A10"
                              },
                              {
                                "version_affected": "=",
                                "version_value": "A11"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "B. Braun Melsungen AG"
                  }
                ]
              }
            },
            "credit": [
              {
                "lang": "eng",
                "value": "Julian Suleder, Nils Emmerich, and Birk Kauer of ERNW Research GmbH; Dr. Oliver Matula of ERNW Enno Rey Netzwerke GmbH, reported these vulnerabilities to the Federal Office for Information Security (BSI), Germany, in the context of the BSI project ManiMed (Manipulation of medical devices)."
              }
            ],
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Hard-coded credentials in the B. Braun Melsungen AG SpaceCom Version L81/U61 and earlier, and the Data module compactplus Versions A10 and A11 enable attackers with command line access to access the device\u2019s Wi-Fi module."
                }
              ]
            },
            "generator": {
              "engine": "Vulnogram 0.0.9"
            },
            "impact": {
              "cvss": {
                "attackComplexity": "LOW",
                "attackVector": "LOCAL",
                "availabilityImpact": "NONE",
                "baseScore": 3.3,
                "baseSeverity": "LOW",
                "confidentialityImpact": "LOW",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
                "version": "3.1"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-798: Use of Hard-coded Credentials"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://www.cisa.gov/uscert/ics/advisories/icsma-20-296-02",
                  "refsource": "CONFIRM",
                  "url": "https://www.cisa.gov/uscert/ics/advisories/icsma-20-296-02"
                },
                {
                  "name": "https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html",
                  "refsource": "CONFIRM",
                  "url": "https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html"
                }
              ]
            },
            "solution": [
              {
                "lang": "en",
                "value": "B. Braun recommends applying updates:\n\n    SpaceCom: Version U62 or later (United States), L82 or later (outside the United States)\n    Battery Pack SP with Wi-Fi: Version U62 or later (United States), L82 or later (outside the United States)\n    Data module compactplus: Version A12 or later\n\nPlease contact your local B. Braun organization to request further help. For more information please see the B. Braun Security Advisory.  https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html\n"
              }
            ],
            "source": {
              "discovery": "EXTERNAL"
            },
            "work_around": [
              {
                "lang": "en",
                "value": "As a general security measure, B. Braun recommends protecting the network with appropriate mechanisms:\n\n    Ensure the devices are not accessible directly from the Internet.\n    Use a firewall and isolate the medical devices from the business network. \n\nPlease contact your local B. Braun organization to request further help. For more information please see the B. Braun Security Advisory.  https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html"
              }
            ]
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
        "assignerShortName": "icscert",
        "cveId": "CVE-2020-25168",
        "datePublished": "2022-04-14T20:06:00.000Z",
        "dateReserved": "2020-09-04T00:00:00.000Z",
        "dateUpdated": "2025-04-16T16:29:29.444Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2020-25164 (GCVE-0-2020-25164)

    Vulnerability from cvelistv5 – Published: 2022-04-14 20:06 – Updated: 2025-04-16 16:29
    VLAI
    Title
    B. Braun SpaceCom, Battery Pack SP with Wi-Fi, and Data module compactplus
    Summary
    A vulnerability in the B. Braun Melsungen AG SpaceCom Version L81/U61 and earlier, and the Data module compactplus Versions A10 and A11 allows attackers to recover user credentials of the administrative interface.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-759 - Use of a One-Way Hash without a Salt
    Assigner
    References
    Impacted products
    Vendor Product Version
    B. Braun Melsungen AG SpaceCom Affected: unspecified , ≤ U61 (custom)
    Affected: unspecified , ≤ L81 (custom)
    Create a notification for this product.
    B. Braun Melsungen AG Battery pack with Wi-Fi Affected: unspecified , ≤ U61 (custom)
    Affected: unspecified , ≤ L81 (custom)
    Create a notification for this product.
    B. Braun Melsungen AG Data module compactplus Affected: A10
    Affected: A11
    Create a notification for this product.
    Credits
    Julian Suleder, Nils Emmerich, and Birk Kauer of ERNW Research GmbH; Dr. Oliver Matula of ERNW Enno Rey Netzwerke GmbH, reported these vulnerabilities to the Federal Office for Information Security (BSI), Germany, in the context of the BSI project ManiMed (Manipulation of medical devices).
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T15:26:09.576Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://www.cisa.gov/uscert/ics/advisories/icsma-20-296-02"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2020-25164",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-04-16T15:54:15.208760Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-04-16T16:29:36.723Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "SpaceCom",
              "vendor": "B. Braun Melsungen AG",
              "versions": [
                {
                  "lessThanOrEqual": "U61",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                },
                {
                  "lessThanOrEqual": "L81",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            },
            {
              "product": "Battery pack with Wi-Fi",
              "vendor": "B. Braun Melsungen AG",
              "versions": [
                {
                  "lessThanOrEqual": "U61",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                },
                {
                  "lessThanOrEqual": "L81",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            },
            {
              "product": "Data module compactplus",
              "vendor": "B. Braun Melsungen AG",
              "versions": [
                {
                  "status": "affected",
                  "version": "A10"
                },
                {
                  "status": "affected",
                  "version": "A11"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Julian Suleder, Nils Emmerich, and Birk Kauer of ERNW Research GmbH; Dr. Oliver Matula of ERNW Enno Rey Netzwerke GmbH, reported these vulnerabilities to the Federal Office for Information Security (BSI), Germany, in the context of the BSI project ManiMed (Manipulation of medical devices)."
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A vulnerability in the B. Braun Melsungen AG SpaceCom Version L81/U61 and earlier, and the Data module compactplus Versions A10 and A11 allows attackers to recover user credentials of the administrative interface."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 6.5,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-759",
                  "description": "CWE-759: Use of a One-Way Hash without a Salt",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-04-14T20:06:00.000Z",
            "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
            "shortName": "icscert"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://www.cisa.gov/uscert/ics/advisories/icsma-20-296-02"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "value": "B. Braun recommends applying updates:\n\n    SpaceCom: Version U62 or later (United States), L82 or later (outside the United States)\n    Battery Pack SP with Wi-Fi: Version U62 or later (United States), L82 or later (outside the United States)\n    Data module compactplus: Version A12 or later\n\nPlease contact your local B. Braun organization to request further help. For more information please see the B. Braun Security Advisory.  https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html\n"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "B. Braun SpaceCom, Battery Pack SP with Wi-Fi, and Data module compactplus",
          "workarounds": [
            {
              "lang": "en",
              "value": "As a general security measure, B. Braun recommends protecting the network with appropriate mechanisms:\n\n    Ensure the devices are not accessible directly from the Internet.\n    Use a firewall and isolate the medical devices from the business network. \n\nPlease contact your local B. Braun organization to request further help. For more information please see the B. Braun Security Advisory.  https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html"
            }
          ],
          "x_generator": {
            "engine": "Vulnogram 0.0.9"
          },
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "ics-cert@hq.dhs.gov",
              "ID": "CVE-2020-25164",
              "STATE": "PUBLIC",
              "TITLE": "B. Braun SpaceCom, Battery Pack SP with Wi-Fi, and Data module compactplus"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "SpaceCom",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c=",
                                "version_value": "U61"
                              },
                              {
                                "version_affected": "\u003c=",
                                "version_value": "L81"
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "Battery pack with Wi-Fi",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c=",
                                "version_value": "U61"
                              },
                              {
                                "version_affected": "\u003c=",
                                "version_value": "L81"
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "Data module compactplus",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "=",
                                "version_value": "A10"
                              },
                              {
                                "version_affected": "=",
                                "version_value": "A11"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "B. Braun Melsungen AG"
                  }
                ]
              }
            },
            "credit": [
              {
                "lang": "eng",
                "value": "Julian Suleder, Nils Emmerich, and Birk Kauer of ERNW Research GmbH; Dr. Oliver Matula of ERNW Enno Rey Netzwerke GmbH, reported these vulnerabilities to the Federal Office for Information Security (BSI), Germany, in the context of the BSI project ManiMed (Manipulation of medical devices)."
              }
            ],
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "A vulnerability in the B. Braun Melsungen AG SpaceCom Version L81/U61 and earlier, and the Data module compactplus Versions A10 and A11 allows attackers to recover user credentials of the administrative interface."
                }
              ]
            },
            "generator": {
              "engine": "Vulnogram 0.0.9"
            },
            "impact": {
              "cvss": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 6.5,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
                "version": "3.1"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-759: Use of a One-Way Hash without a Salt"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://www.cisa.gov/uscert/ics/advisories/icsma-20-296-02",
                  "refsource": "CONFIRM",
                  "url": "https://www.cisa.gov/uscert/ics/advisories/icsma-20-296-02"
                },
                {
                  "name": "https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html",
                  "refsource": "CONFIRM",
                  "url": "https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html"
                }
              ]
            },
            "solution": [
              {
                "lang": "en",
                "value": "B. Braun recommends applying updates:\n\n    SpaceCom: Version U62 or later (United States), L82 or later (outside the United States)\n    Battery Pack SP with Wi-Fi: Version U62 or later (United States), L82 or later (outside the United States)\n    Data module compactplus: Version A12 or later\n\nPlease contact your local B. Braun organization to request further help. For more information please see the B. Braun Security Advisory.  https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html\n"
              }
            ],
            "source": {
              "discovery": "EXTERNAL"
            },
            "work_around": [
              {
                "lang": "en",
                "value": "As a general security measure, B. Braun recommends protecting the network with appropriate mechanisms:\n\n    Ensure the devices are not accessible directly from the Internet.\n    Use a firewall and isolate the medical devices from the business network. \n\nPlease contact your local B. Braun organization to request further help. For more information please see the B. Braun Security Advisory.  https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html"
              }
            ]
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
        "assignerShortName": "icscert",
        "cveId": "CVE-2020-25164",
        "datePublished": "2022-04-14T20:06:00.000Z",
        "dateReserved": "2020-09-04T00:00:00.000Z",
        "dateUpdated": "2025-04-16T16:29:36.723Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2020-25166 (GCVE-0-2020-25166)

    Vulnerability from cvelistv5 – Published: 2022-04-14 20:05 – Updated: 2025-04-16 16:29
    VLAI
    Title
    B. Braun SpaceCom, Battery Pack SP with Wi-Fi, and Data module compactplus
    Summary
    An improper verification of the cryptographic signature of firmware updates of the B. Braun Melsungen AG SpaceCom Version L81/U61 and earlier, and the Data module compactplus Versions A10 and A11 allows attackers to generate valid firmware updates with arbitrary content that can be used to tamper with devices.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-347 - Improper Verification of Cryptographic Signature
    Assigner
    References
    Impacted products
    Vendor Product Version
    B. Braun Melsungen AG SpaceCom Affected: unspecified , ≤ U61 (custom)
    Affected: unspecified , ≤ L81 (custom)
    Create a notification for this product.
    B. Braun Melsungen AG Battery pack with Wi-Fi Affected: unspecified , ≤ U61 (custom)
    Affected: unspecified , ≤ L81 (custom)
    Create a notification for this product.
    B. Braun Melsungen AG Data module compactplus Affected: A10
    Affected: A11
    Create a notification for this product.
    Credits
    Julian Suleder, Nils Emmerich, and Birk Kauer of ERNW Research GmbH; Dr. Oliver Matula of ERNW Enno Rey Netzwerke GmbH, reported these vulnerabilities to the Federal Office for Information Security (BSI), Germany, in the context of the BSI project ManiMed (Manipulation of medical devices).
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T15:26:10.204Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://www.cisa.gov/uscert/ics/advisories/icsma-20-296-02"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2020-25166",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-04-16T15:54:19.378844Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-04-16T16:29:44.744Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "SpaceCom",
              "vendor": "B. Braun Melsungen AG",
              "versions": [
                {
                  "lessThanOrEqual": "U61",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                },
                {
                  "lessThanOrEqual": "L81",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            },
            {
              "product": "Battery pack with Wi-Fi",
              "vendor": "B. Braun Melsungen AG",
              "versions": [
                {
                  "lessThanOrEqual": "U61",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                },
                {
                  "lessThanOrEqual": "L81",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            },
            {
              "product": "Data module compactplus",
              "vendor": "B. Braun Melsungen AG",
              "versions": [
                {
                  "status": "affected",
                  "version": "A10"
                },
                {
                  "status": "affected",
                  "version": "A11"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Julian Suleder, Nils Emmerich, and Birk Kauer of ERNW Research GmbH; Dr. Oliver Matula of ERNW Enno Rey Netzwerke GmbH, reported these vulnerabilities to the Federal Office for Information Security (BSI), Germany, in the context of the BSI project ManiMed (Manipulation of medical devices)."
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "An improper verification of the cryptographic signature of firmware updates of the B. Braun Melsungen AG SpaceCom Version L81/U61 and earlier, and the Data module compactplus Versions A10 and A11 allows attackers to generate valid firmware updates with arbitrary content that can be used to tamper with devices."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 7.6,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "LOW",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-347",
                  "description": "CWE-347: Improper Verification of Cryptographic Signature",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-04-14T20:05:59.000Z",
            "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
            "shortName": "icscert"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://www.cisa.gov/uscert/ics/advisories/icsma-20-296-02"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "value": "B. Braun recommends applying updates:\n\n    SpaceCom: Version U62 or later (United States), L82 or later (outside the United States)\n    Battery Pack SP with Wi-Fi: Version U62 or later (United States), L82 or later (outside the United States)\n    Data module compactplus: Version A12 or later\n\nPlease contact your local B. Braun organization to request further help. For more information please see the B. Braun Security Advisory.  https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html\n"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "B. Braun SpaceCom, Battery Pack SP with Wi-Fi, and Data module compactplus",
          "workarounds": [
            {
              "lang": "en",
              "value": "As a general security measure, B. Braun recommends protecting the network with appropriate mechanisms:\n\n    Ensure the devices are not accessible directly from the Internet.\n    Use a firewall and isolate the medical devices from the business network. \n\nPlease contact your local B. Braun organization to request further help. For more information please see the B. Braun Security Advisory.  https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html"
            }
          ],
          "x_generator": {
            "engine": "Vulnogram 0.0.9"
          },
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "ics-cert@hq.dhs.gov",
              "ID": "CVE-2020-25166",
              "STATE": "PUBLIC",
              "TITLE": "B. Braun SpaceCom, Battery Pack SP with Wi-Fi, and Data module compactplus"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "SpaceCom",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c=",
                                "version_value": "U61"
                              },
                              {
                                "version_affected": "\u003c=",
                                "version_value": "L81"
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "Battery pack with Wi-Fi",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c=",
                                "version_value": "U61"
                              },
                              {
                                "version_affected": "\u003c=",
                                "version_value": "L81"
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "Data module compactplus",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "=",
                                "version_value": "A10"
                              },
                              {
                                "version_affected": "=",
                                "version_value": "A11"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "B. Braun Melsungen AG"
                  }
                ]
              }
            },
            "credit": [
              {
                "lang": "eng",
                "value": "Julian Suleder, Nils Emmerich, and Birk Kauer of ERNW Research GmbH; Dr. Oliver Matula of ERNW Enno Rey Netzwerke GmbH, reported these vulnerabilities to the Federal Office for Information Security (BSI), Germany, in the context of the BSI project ManiMed (Manipulation of medical devices)."
              }
            ],
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "An improper verification of the cryptographic signature of firmware updates of the B. Braun Melsungen AG SpaceCom Version L81/U61 and earlier, and the Data module compactplus Versions A10 and A11 allows attackers to generate valid firmware updates with arbitrary content that can be used to tamper with devices."
                }
              ]
            },
            "generator": {
              "engine": "Vulnogram 0.0.9"
            },
            "impact": {
              "cvss": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 7.6,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "LOW",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L",
                "version": "3.1"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-347: Improper Verification of Cryptographic Signature"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://www.cisa.gov/uscert/ics/advisories/icsma-20-296-02",
                  "refsource": "CONFIRM",
                  "url": "https://www.cisa.gov/uscert/ics/advisories/icsma-20-296-02"
                },
                {
                  "name": "https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html",
                  "refsource": "CONFIRM",
                  "url": "https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html"
                }
              ]
            },
            "solution": [
              {
                "lang": "en",
                "value": "B. Braun recommends applying updates:\n\n    SpaceCom: Version U62 or later (United States), L82 or later (outside the United States)\n    Battery Pack SP with Wi-Fi: Version U62 or later (United States), L82 or later (outside the United States)\n    Data module compactplus: Version A12 or later\n\nPlease contact your local B. Braun organization to request further help. For more information please see the B. Braun Security Advisory.  https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html\n"
              }
            ],
            "source": {
              "discovery": "EXTERNAL"
            },
            "work_around": [
              {
                "lang": "en",
                "value": "As a general security measure, B. Braun recommends protecting the network with appropriate mechanisms:\n\n    Ensure the devices are not accessible directly from the Internet.\n    Use a firewall and isolate the medical devices from the business network. \n\nPlease contact your local B. Braun organization to request further help. For more information please see the B. Braun Security Advisory.  https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html"
              }
            ]
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
        "assignerShortName": "icscert",
        "cveId": "CVE-2020-25166",
        "datePublished": "2022-04-14T20:05:59.000Z",
        "dateReserved": "2020-09-04T00:00:00.000Z",
        "dateUpdated": "2025-04-16T16:29:44.744Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2020-25154 (GCVE-0-2020-25154)

    Vulnerability from cvelistv5 – Published: 2022-04-14 20:05 – Updated: 2025-04-16 16:29
    VLAI
    Title
    B. Braun SpaceCom, Battery Pack SP with Wi-Fi, and Data module compactplus
    Summary
    An open redirect vulnerability in the administrative interface of the B. Braun Melsungen AG SpaceCom device Version L81/U61 and earlier, and the Data module compactplus Versions A10 and A11 allows attackers to redirect users to malicious websites.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    References
    Impacted products
    Vendor Product Version
    B. Braun Melsungen AG SpaceCom Affected: unspecified , ≤ U61 (custom)
    Affected: unspecified , ≤ L81 (custom)
    Create a notification for this product.
    B. Braun Melsungen AG Battery pack with Wi-Fi Affected: unspecified , ≤ U61 (custom)
    Affected: unspecified , ≤ L81 (custom)
    Create a notification for this product.
    B. Braun Melsungen AG Data module compactplus Affected: A10
    Affected: A11
    Create a notification for this product.
    Credits
    Julian Suleder, Nils Emmerich, and Birk Kauer of ERNW Research GmbH; Dr. Oliver Matula of ERNW Enno Rey Netzwerke GmbH, reported these vulnerabilities to the Federal Office for Information Security (BSI), Germany, in the context of the BSI project ManiMed (Manipulation of medical devices).
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T15:26:10.179Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://www.cisa.gov/uscert/ics/advisories/icsma-20-296-02"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2020-25154",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-04-16T15:54:23.787363Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-04-16T16:29:52.798Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "SpaceCom",
              "vendor": "B. Braun Melsungen AG",
              "versions": [
                {
                  "lessThanOrEqual": "U61",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                },
                {
                  "lessThanOrEqual": "L81",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            },
            {
              "product": "Battery pack with Wi-Fi",
              "vendor": "B. Braun Melsungen AG",
              "versions": [
                {
                  "lessThanOrEqual": "U61",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                },
                {
                  "lessThanOrEqual": "L81",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            },
            {
              "product": "Data module compactplus",
              "vendor": "B. Braun Melsungen AG",
              "versions": [
                {
                  "status": "affected",
                  "version": "A10"
                },
                {
                  "status": "affected",
                  "version": "A11"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Julian Suleder, Nils Emmerich, and Birk Kauer of ERNW Research GmbH; Dr. Oliver Matula of ERNW Enno Rey Netzwerke GmbH, reported these vulnerabilities to the Federal Office for Information Security (BSI), Germany, in the context of the BSI project ManiMed (Manipulation of medical devices)."
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "An open redirect vulnerability in the administrative interface of the B. Braun Melsungen AG SpaceCom device Version L81/U61 and earlier, and the Data module compactplus Versions A10 and A11 allows attackers to redirect users to malicious websites."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 5.4,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-601",
                  "description": "CWE-601: Open Redirect",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-04-14T20:05:58.000Z",
            "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
            "shortName": "icscert"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://www.cisa.gov/uscert/ics/advisories/icsma-20-296-02"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "value": "B. Braun recommends applying updates:\n\n    SpaceCom: Version U62 or later (United States), L82 or later (outside the United States)\n    Battery Pack SP with Wi-Fi: Version U62 or later (United States), L82 or later (outside the United States)\n    Data module compactplus: Version A12 or later\n\nPlease contact your local B. Braun organization to request further help. For more information please see the B. Braun Security Advisory.  https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html\n"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "B. Braun SpaceCom, Battery Pack SP with Wi-Fi, and Data module compactplus",
          "workarounds": [
            {
              "lang": "en",
              "value": "As a general security measure, B. Braun recommends protecting the network with appropriate mechanisms:\n\n    Ensure the devices are not accessible directly from the Internet.\n    Use a firewall and isolate the medical devices from the business network. \n\nPlease contact your local B. Braun organization to request further help. For more information please see the B. Braun Security Advisory.  https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html"
            }
          ],
          "x_generator": {
            "engine": "Vulnogram 0.0.9"
          },
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "ics-cert@hq.dhs.gov",
              "ID": "CVE-2020-25154",
              "STATE": "PUBLIC",
              "TITLE": "B. Braun SpaceCom, Battery Pack SP with Wi-Fi, and Data module compactplus"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "SpaceCom",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c=",
                                "version_value": "U61"
                              },
                              {
                                "version_affected": "\u003c=",
                                "version_value": "L81"
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "Battery pack with Wi-Fi",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c=",
                                "version_value": "U61"
                              },
                              {
                                "version_affected": "\u003c=",
                                "version_value": "L81"
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "Data module compactplus",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "=",
                                "version_value": "A10"
                              },
                              {
                                "version_affected": "=",
                                "version_value": "A11"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "B. Braun Melsungen AG"
                  }
                ]
              }
            },
            "credit": [
              {
                "lang": "eng",
                "value": "Julian Suleder, Nils Emmerich, and Birk Kauer of ERNW Research GmbH; Dr. Oliver Matula of ERNW Enno Rey Netzwerke GmbH, reported these vulnerabilities to the Federal Office for Information Security (BSI), Germany, in the context of the BSI project ManiMed (Manipulation of medical devices)."
              }
            ],
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "An open redirect vulnerability in the administrative interface of the B. Braun Melsungen AG SpaceCom device Version L81/U61 and earlier, and the Data module compactplus Versions A10 and A11 allows attackers to redirect users to malicious websites."
                }
              ]
            },
            "generator": {
              "engine": "Vulnogram 0.0.9"
            },
            "impact": {
              "cvss": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 5.4,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N",
                "version": "3.1"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-601: Open Redirect"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://www.cisa.gov/uscert/ics/advisories/icsma-20-296-02",
                  "refsource": "CONFIRM",
                  "url": "https://www.cisa.gov/uscert/ics/advisories/icsma-20-296-02"
                },
                {
                  "name": "https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html",
                  "refsource": "CONFIRM",
                  "url": "https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html"
                }
              ]
            },
            "solution": [
              {
                "lang": "en",
                "value": "B. Braun recommends applying updates:\n\n    SpaceCom: Version U62 or later (United States), L82 or later (outside the United States)\n    Battery Pack SP with Wi-Fi: Version U62 or later (United States), L82 or later (outside the United States)\n    Data module compactplus: Version A12 or later\n\nPlease contact your local B. Braun organization to request further help. For more information please see the B. Braun Security Advisory.  https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html\n"
              }
            ],
            "source": {
              "discovery": "EXTERNAL"
            },
            "work_around": [
              {
                "lang": "en",
                "value": "As a general security measure, B. Braun recommends protecting the network with appropriate mechanisms:\n\n    Ensure the devices are not accessible directly from the Internet.\n    Use a firewall and isolate the medical devices from the business network. \n\nPlease contact your local B. Braun organization to request further help. For more information please see the B. Braun Security Advisory.  https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html"
              }
            ]
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
        "assignerShortName": "icscert",
        "cveId": "CVE-2020-25154",
        "datePublished": "2022-04-14T20:05:58.000Z",
        "dateReserved": "2020-09-04T00:00:00.000Z",
        "dateUpdated": "2025-04-16T16:29:52.798Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2020-25162 (GCVE-0-2020-25162)

    Vulnerability from cvelistv5 – Published: 2022-04-14 20:05 – Updated: 2025-04-16 16:29
    VLAI
    Title
    B. Braun SpaceCom, Battery Pack SP with Wi-Fi, and Data module compactplus
    Summary
    A XPath injection vulnerability in the B. Braun Melsungen AG SpaceCom Version L81/U61 and earlier, and the Data module compactplus Versions A10 and A11 allows unauthenticated remote attackers to access sensitive information and escalate privileges.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    References
    Impacted products
    Vendor Product Version
    B. Braun Melsungen AG SpaceCom Affected: unspecified , ≤ U61 (custom)
    Affected: unspecified , ≤ L81 (custom)
    Create a notification for this product.
    B. Braun Melsungen AG Battery pack with Wi-Fi Affected: unspecified , ≤ U61 (custom)
    Affected: unspecified , ≤ L81 (custom)
    Create a notification for this product.
    B. Braun Melsungen AG Data module compactplus Affected: A10
    Affected: A11
    Create a notification for this product.
    Credits
    Julian Suleder, Nils Emmerich, and Birk Kauer of ERNW Research GmbH; Dr. Oliver Matula of ERNW Enno Rey Netzwerke GmbH, reported these vulnerabilities to the Federal Office for Information Security (BSI), Germany, in the context of the BSI project ManiMed (Manipulation of medical devices).
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T15:26:10.163Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://www.cisa.gov/uscert/ics/advisories/icsma-20-296-02"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2020-25162",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-04-16T15:57:38.755895Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-04-16T16:29:59.860Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "SpaceCom",
              "vendor": "B. Braun Melsungen AG",
              "versions": [
                {
                  "lessThanOrEqual": "U61",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                },
                {
                  "lessThanOrEqual": "L81",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            },
            {
              "product": "Battery pack with Wi-Fi",
              "vendor": "B. Braun Melsungen AG",
              "versions": [
                {
                  "lessThanOrEqual": "U61",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                },
                {
                  "lessThanOrEqual": "L81",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            },
            {
              "product": "Data module compactplus",
              "vendor": "B. Braun Melsungen AG",
              "versions": [
                {
                  "status": "affected",
                  "version": "A10"
                },
                {
                  "status": "affected",
                  "version": "A11"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Julian Suleder, Nils Emmerich, and Birk Kauer of ERNW Research GmbH; Dr. Oliver Matula of ERNW Enno Rey Netzwerke GmbH, reported these vulnerabilities to the Federal Office for Information Security (BSI), Germany, in the context of the BSI project ManiMed (Manipulation of medical devices)."
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A XPath injection vulnerability in the B. Braun Melsungen AG SpaceCom Version L81/U61 and earlier, and the Data module compactplus Versions A10 and A11 allows unauthenticated remote attackers to access sensitive information and escalate privileges."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-643",
                  "description": "CWE-643: XPath Injection",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-04-14T20:05:57.000Z",
            "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
            "shortName": "icscert"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://www.cisa.gov/uscert/ics/advisories/icsma-20-296-02"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "value": "B. Braun recommends applying updates:\n\n    SpaceCom: Version U62 or later (United States), L82 or later (outside the United States)\n    Battery Pack SP with Wi-Fi: Version U62 or later (United States), L82 or later (outside the United States)\n    Data module compactplus: Version A12 or later\n\nPlease contact your local B. Braun organization to request further help. For more information please see the B. Braun Security Advisory.  https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html\n"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "B. Braun SpaceCom, Battery Pack SP with Wi-Fi, and Data module compactplus",
          "workarounds": [
            {
              "lang": "en",
              "value": "As a general security measure, B. Braun recommends protecting the network with appropriate mechanisms:\n\n    Ensure the devices are not accessible directly from the Internet.\n    Use a firewall and isolate the medical devices from the business network. \n\nPlease contact your local B. Braun organization to request further help. For more information please see the B. Braun Security Advisory.  https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html"
            }
          ],
          "x_generator": {
            "engine": "Vulnogram 0.0.9"
          },
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "ics-cert@hq.dhs.gov",
              "ID": "CVE-2020-25162",
              "STATE": "PUBLIC",
              "TITLE": "B. Braun SpaceCom, Battery Pack SP with Wi-Fi, and Data module compactplus"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "SpaceCom",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c=",
                                "version_value": "U61"
                              },
                              {
                                "version_affected": "\u003c=",
                                "version_value": "L81"
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "Battery pack with Wi-Fi",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c=",
                                "version_value": "U61"
                              },
                              {
                                "version_affected": "\u003c=",
                                "version_value": "L81"
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "Data module compactplus",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "=",
                                "version_value": "A10"
                              },
                              {
                                "version_affected": "=",
                                "version_value": "A11"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "B. Braun Melsungen AG"
                  }
                ]
              }
            },
            "credit": [
              {
                "lang": "eng",
                "value": "Julian Suleder, Nils Emmerich, and Birk Kauer of ERNW Research GmbH; Dr. Oliver Matula of ERNW Enno Rey Netzwerke GmbH, reported these vulnerabilities to the Federal Office for Information Security (BSI), Germany, in the context of the BSI project ManiMed (Manipulation of medical devices)."
              }
            ],
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "A XPath injection vulnerability in the B. Braun Melsungen AG SpaceCom Version L81/U61 and earlier, and the Data module compactplus Versions A10 and A11 allows unauthenticated remote attackers to access sensitive information and escalate privileges."
                }
              ]
            },
            "generator": {
              "engine": "Vulnogram 0.0.9"
            },
            "impact": {
              "cvss": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
                "version": "3.1"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-643: XPath Injection"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://www.cisa.gov/uscert/ics/advisories/icsma-20-296-02",
                  "refsource": "CONFIRM",
                  "url": "https://www.cisa.gov/uscert/ics/advisories/icsma-20-296-02"
                },
                {
                  "name": "https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html",
                  "refsource": "CONFIRM",
                  "url": "https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html"
                }
              ]
            },
            "solution": [
              {
                "lang": "en",
                "value": "B. Braun recommends applying updates:\n\n    SpaceCom: Version U62 or later (United States), L82 or later (outside the United States)\n    Battery Pack SP with Wi-Fi: Version U62 or later (United States), L82 or later (outside the United States)\n    Data module compactplus: Version A12 or later\n\nPlease contact your local B. Braun organization to request further help. For more information please see the B. Braun Security Advisory.  https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html\n"
              }
            ],
            "source": {
              "discovery": "EXTERNAL"
            },
            "work_around": [
              {
                "lang": "en",
                "value": "As a general security measure, B. Braun recommends protecting the network with appropriate mechanisms:\n\n    Ensure the devices are not accessible directly from the Internet.\n    Use a firewall and isolate the medical devices from the business network. \n\nPlease contact your local B. Braun organization to request further help. For more information please see the B. Braun Security Advisory.  https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html"
              }
            ]
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
        "assignerShortName": "icscert",
        "cveId": "CVE-2020-25162",
        "datePublished": "2022-04-14T20:05:57.000Z",
        "dateReserved": "2020-09-04T00:00:00.000Z",
        "dateUpdated": "2025-04-16T16:29:59.860Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2020-25158 (GCVE-0-2020-25158)

    Vulnerability from cvelistv5 – Published: 2022-04-14 20:05 – Updated: 2025-04-16 16:30
    VLAI
    Title
    B. Braun SpaceCom, Battery Pack SP with Wi-Fi, and Data module compactplus
    Summary
    A reflected cross-site scripting (XSS) vulnerability in the B. Braun Melsungen AG SpaceCom Version L81/U61 and earlier, and the Data module compactplus Versions A10 and A11 allows remote attackers to inject arbitrary web script or HTML into various locations.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Cross-site Scripting
    Assigner
    References
    Impacted products
    Vendor Product Version
    B. Braun Melsungen AG SpaceCom Affected: unspecified , ≤ U61 (custom)
    Affected: unspecified , ≤ L81 (custom)
    Create a notification for this product.
    B. Braun Melsungen AG Battery pack with Wi-Fi Affected: unspecified , ≤ U61 (custom)
    Affected: unspecified , ≤ L81 (custom)
    Create a notification for this product.
    B. Braun Melsungen AG Data module compactplus Affected: A10
    Affected: A11
    Create a notification for this product.
    Credits
    Julian Suleder, Nils Emmerich, and Birk Kauer of ERNW Research GmbH; Dr. Oliver Matula of ERNW Enno Rey Netzwerke GmbH, reported these vulnerabilities to the Federal Office for Information Security (BSI), Germany, in the context of the BSI project ManiMed (Manipulation of medical devices).
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T15:26:10.212Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://www.cisa.gov/uscert/ics/advisories/icsma-20-296-02"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2020-25158",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-04-16T15:54:28.036554Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-04-16T16:30:09.180Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "SpaceCom",
              "vendor": "B. Braun Melsungen AG",
              "versions": [
                {
                  "lessThanOrEqual": "U61",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                },
                {
                  "lessThanOrEqual": "L81",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            },
            {
              "product": "Battery pack with Wi-Fi",
              "vendor": "B. Braun Melsungen AG",
              "versions": [
                {
                  "lessThanOrEqual": "U61",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                },
                {
                  "lessThanOrEqual": "L81",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            },
            {
              "product": "Data module compactplus",
              "vendor": "B. Braun Melsungen AG",
              "versions": [
                {
                  "status": "affected",
                  "version": "A10"
                },
                {
                  "status": "affected",
                  "version": "A11"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Julian Suleder, Nils Emmerich, and Birk Kauer of ERNW Research GmbH; Dr. Oliver Matula of ERNW Enno Rey Netzwerke GmbH, reported these vulnerabilities to the Federal Office for Information Security (BSI), Germany, in the context of the BSI project ManiMed (Manipulation of medical devices)."
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A reflected cross-site scripting (XSS) vulnerability in the B. Braun Melsungen AG SpaceCom Version L81/U61 and earlier, and the Data module compactplus Versions A10 and A11 allows remote attackers to inject arbitrary web script or HTML into various locations."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 7.6,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:L",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79: Cross-site Scripting",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-04-14T20:05:56.000Z",
            "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
            "shortName": "icscert"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://www.cisa.gov/uscert/ics/advisories/icsma-20-296-02"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "value": "B. Braun recommends applying updates:\n\n    SpaceCom: Version U62 or later (United States), L82 or later (outside the United States)\n    Battery Pack SP with Wi-Fi: Version U62 or later (United States), L82 or later (outside the United States)\n    Data module compactplus: Version A12 or later\n\nPlease contact your local B. Braun organization to request further help. For more information please see the B. Braun Security Advisory.  https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html\n"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "B. Braun SpaceCom, Battery Pack SP with Wi-Fi, and Data module compactplus",
          "workarounds": [
            {
              "lang": "en",
              "value": "As a general security measure, B. Braun recommends protecting the network with appropriate mechanisms:\n\n    Ensure the devices are not accessible directly from the Internet.\n    Use a firewall and isolate the medical devices from the business network. \n\nPlease contact your local B. Braun organization to request further help. For more information please see the B. Braun Security Advisory.  https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html"
            }
          ],
          "x_generator": {
            "engine": "Vulnogram 0.0.9"
          },
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "ics-cert@hq.dhs.gov",
              "ID": "CVE-2020-25158",
              "STATE": "PUBLIC",
              "TITLE": "B. Braun SpaceCom, Battery Pack SP with Wi-Fi, and Data module compactplus"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "SpaceCom",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c=",
                                "version_value": "U61"
                              },
                              {
                                "version_affected": "\u003c=",
                                "version_value": "L81"
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "Battery pack with Wi-Fi",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c=",
                                "version_value": "U61"
                              },
                              {
                                "version_affected": "\u003c=",
                                "version_value": "L81"
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "Data module compactplus",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "=",
                                "version_value": "A10"
                              },
                              {
                                "version_affected": "=",
                                "version_value": "A11"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "B. Braun Melsungen AG"
                  }
                ]
              }
            },
            "credit": [
              {
                "lang": "eng",
                "value": "Julian Suleder, Nils Emmerich, and Birk Kauer of ERNW Research GmbH; Dr. Oliver Matula of ERNW Enno Rey Netzwerke GmbH, reported these vulnerabilities to the Federal Office for Information Security (BSI), Germany, in the context of the BSI project ManiMed (Manipulation of medical devices)."
              }
            ],
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "A reflected cross-site scripting (XSS) vulnerability in the B. Braun Melsungen AG SpaceCom Version L81/U61 and earlier, and the Data module compactplus Versions A10 and A11 allows remote attackers to inject arbitrary web script or HTML into various locations."
                }
              ]
            },
            "generator": {
              "engine": "Vulnogram 0.0.9"
            },
            "impact": {
              "cvss": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 7.6,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:L",
                "version": "3.1"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-79: Cross-site Scripting"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://www.cisa.gov/uscert/ics/advisories/icsma-20-296-02",
                  "refsource": "CONFIRM",
                  "url": "https://www.cisa.gov/uscert/ics/advisories/icsma-20-296-02"
                },
                {
                  "name": "https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html",
                  "refsource": "CONFIRM",
                  "url": "https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html"
                }
              ]
            },
            "solution": [
              {
                "lang": "en",
                "value": "B. Braun recommends applying updates:\n\n    SpaceCom: Version U62 or later (United States), L82 or later (outside the United States)\n    Battery Pack SP with Wi-Fi: Version U62 or later (United States), L82 or later (outside the United States)\n    Data module compactplus: Version A12 or later\n\nPlease contact your local B. Braun organization to request further help. For more information please see the B. Braun Security Advisory.  https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html\n"
              }
            ],
            "source": {
              "discovery": "EXTERNAL"
            },
            "work_around": [
              {
                "lang": "en",
                "value": "As a general security measure, B. Braun recommends protecting the network with appropriate mechanisms:\n\n    Ensure the devices are not accessible directly from the Internet.\n    Use a firewall and isolate the medical devices from the business network. \n\nPlease contact your local B. Braun organization to request further help. For more information please see the B. Braun Security Advisory.  https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html"
              }
            ]
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
        "assignerShortName": "icscert",
        "cveId": "CVE-2020-25158",
        "datePublished": "2022-04-14T20:05:56.000Z",
        "dateReserved": "2020-09-04T00:00:00.000Z",
        "dateUpdated": "2025-04-16T16:30:09.180Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2020-25160 (GCVE-0-2020-25160)

    Vulnerability from cvelistv5 – Published: 2022-04-14 20:05 – Updated: 2025-04-16 16:30
    VLAI
    Title
    B. Braun SpaceCom, Battery Pack SP with Wi-Fi, and Data module compactplus
    Summary
    Improper access controls in the B. Braun Melsungen AG SpaceCom Version L81/U61 and earlier, and the Data module compactplus Versions A10 and A11 enables attackers to extract and tamper with the devices network configuration.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-284 - Improper Access Control
    Assigner
    References
    Impacted products
    Vendor Product Version
    B. Braun Melsungen AG SpaceCom Affected: unspecified , ≤ U61 (custom)
    Affected: unspecified , ≤ L81 (custom)
    Create a notification for this product.
    B. Braun Melsungen AG Battery pack with Wi-Fi Affected: unspecified , ≤ U61 (custom)
    Affected: unspecified , ≤ L81 (custom)
    Create a notification for this product.
    B. Braun Melsungen AG Data module compactplus Affected: A10
    Affected: A11
    Create a notification for this product.
    Credits
    Julian Suleder, Nils Emmerich, and Birk Kauer of ERNW Research GmbH; Dr. Oliver Matula of ERNW Enno Rey Netzwerke GmbH, reported these vulnerabilities to the Federal Office for Information Security (BSI), Germany, in the context of the BSI project ManiMed (Manipulation of medical devices).
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T15:26:09.469Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://www.cisa.gov/uscert/ics/advisories/icsma-20-296-02"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2020-25160",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-04-16T15:54:31.099580Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-04-16T16:30:17.021Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "SpaceCom",
              "vendor": "B. Braun Melsungen AG",
              "versions": [
                {
                  "lessThanOrEqual": "U61",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                },
                {
                  "lessThanOrEqual": "L81",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            },
            {
              "product": "Battery pack with Wi-Fi",
              "vendor": "B. Braun Melsungen AG",
              "versions": [
                {
                  "lessThanOrEqual": "U61",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                },
                {
                  "lessThanOrEqual": "L81",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            },
            {
              "product": "Data module compactplus",
              "vendor": "B. Braun Melsungen AG",
              "versions": [
                {
                  "status": "affected",
                  "version": "A10"
                },
                {
                  "status": "affected",
                  "version": "A11"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Julian Suleder, Nils Emmerich, and Birk Kauer of ERNW Research GmbH; Dr. Oliver Matula of ERNW Enno Rey Netzwerke GmbH, reported these vulnerabilities to the Federal Office for Information Security (BSI), Germany, in the context of the BSI project ManiMed (Manipulation of medical devices)."
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Improper access controls in the B. Braun Melsungen AG SpaceCom Version L81/U61 and earlier, and the Data module compactplus Versions A10 and A11 enables attackers to extract and tamper with the devices network configuration."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "LOCAL",
                "availabilityImpact": "LOW",
                "baseScore": 6.8,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-284",
                  "description": "CWE-284: Improper Access Control",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-04-14T20:05:55.000Z",
            "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
            "shortName": "icscert"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://www.cisa.gov/uscert/ics/advisories/icsma-20-296-02"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "value": "B. Braun recommends applying updates:\n\n    SpaceCom: Version U62 or later (United States), L82 or later (outside the United States)\n    Battery Pack SP with Wi-Fi: Version U62 or later (United States), L82 or later (outside the United States)\n    Data module compactplus: Version A12 or later\n\nPlease contact your local B. Braun organization to request further help. For more information please see the B. Braun Security Advisory.  https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html\n"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "B. Braun SpaceCom, Battery Pack SP with Wi-Fi, and Data module compactplus",
          "workarounds": [
            {
              "lang": "en",
              "value": "As a general security measure, B. Braun recommends protecting the network with appropriate mechanisms:\n\n    Ensure the devices are not accessible directly from the Internet.\n    Use a firewall and isolate the medical devices from the business network. \n\nPlease contact your local B. Braun organization to request further help. For more information please see the B. Braun Security Advisory.  https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html"
            }
          ],
          "x_generator": {
            "engine": "Vulnogram 0.0.9"
          },
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "ics-cert@hq.dhs.gov",
              "ID": "CVE-2020-25160",
              "STATE": "PUBLIC",
              "TITLE": "B. Braun SpaceCom, Battery Pack SP with Wi-Fi, and Data module compactplus"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "SpaceCom",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c=",
                                "version_value": "U61"
                              },
                              {
                                "version_affected": "\u003c=",
                                "version_value": "L81"
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "Battery pack with Wi-Fi",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c=",
                                "version_value": "U61"
                              },
                              {
                                "version_affected": "\u003c=",
                                "version_value": "L81"
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "Data module compactplus",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "=",
                                "version_value": "A10"
                              },
                              {
                                "version_affected": "=",
                                "version_value": "A11"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "B. Braun Melsungen AG"
                  }
                ]
              }
            },
            "credit": [
              {
                "lang": "eng",
                "value": "Julian Suleder, Nils Emmerich, and Birk Kauer of ERNW Research GmbH; Dr. Oliver Matula of ERNW Enno Rey Netzwerke GmbH, reported these vulnerabilities to the Federal Office for Information Security (BSI), Germany, in the context of the BSI project ManiMed (Manipulation of medical devices)."
              }
            ],
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Improper access controls in the B. Braun Melsungen AG SpaceCom Version L81/U61 and earlier, and the Data module compactplus Versions A10 and A11 enables attackers to extract and tamper with the devices network configuration."
                }
              ]
            },
            "generator": {
              "engine": "Vulnogram 0.0.9"
            },
            "impact": {
              "cvss": {
                "attackComplexity": "LOW",
                "attackVector": "LOCAL",
                "availabilityImpact": "LOW",
                "baseScore": 6.8,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L",
                "version": "3.1"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-284: Improper Access Control"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://www.cisa.gov/uscert/ics/advisories/icsma-20-296-02",
                  "refsource": "CONFIRM",
                  "url": "https://www.cisa.gov/uscert/ics/advisories/icsma-20-296-02"
                },
                {
                  "name": "https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html",
                  "refsource": "CONFIRM",
                  "url": "https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html"
                }
              ]
            },
            "solution": [
              {
                "lang": "en",
                "value": "B. Braun recommends applying updates:\n\n    SpaceCom: Version U62 or later (United States), L82 or later (outside the United States)\n    Battery Pack SP with Wi-Fi: Version U62 or later (United States), L82 or later (outside the United States)\n    Data module compactplus: Version A12 or later\n\nPlease contact your local B. Braun organization to request further help. For more information please see the B. Braun Security Advisory.  https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html\n"
              }
            ],
            "source": {
              "discovery": "EXTERNAL"
            },
            "work_around": [
              {
                "lang": "en",
                "value": "As a general security measure, B. Braun recommends protecting the network with appropriate mechanisms:\n\n    Ensure the devices are not accessible directly from the Internet.\n    Use a firewall and isolate the medical devices from the business network. \n\nPlease contact your local B. Braun organization to request further help. For more information please see the B. Braun Security Advisory.  https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html"
              }
            ]
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
        "assignerShortName": "icscert",
        "cveId": "CVE-2020-25160",
        "datePublished": "2022-04-14T20:05:55.000Z",
        "dateReserved": "2020-09-04T00:00:00.000Z",
        "dateUpdated": "2025-04-16T16:30:17.021Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2020-25152 (GCVE-0-2020-25152)

    Vulnerability from cvelistv5 – Published: 2022-04-14 20:05 – Updated: 2025-04-16 16:30
    VLAI
    Title
    B. Braun SpaceCom, Battery Pack SP with Wi-Fi, and Data module compactplus
    Summary
    A session fixation vulnerability in the B. Braun Melsungen AG SpaceCom administrative interface Version L81/U61 and earlier, and the Data module compactplus Versions A10 and A11 allows remote attackers to hijack web sessions and escalate privileges.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    References
    Impacted products
    Vendor Product Version
    B. Braun Melsungen AG SpaceCom Affected: unspecified , ≤ U61 (custom)
    Affected: unspecified , ≤ L81 (custom)
    Create a notification for this product.
    B. Braun Melsungen AG Battery pack with Wi-Fi Affected: unspecified , ≤ U61 (custom)
    Affected: unspecified , ≤ L81 (custom)
    Create a notification for this product.
    B. Braun Melsungen AG Data module compactplus Affected: A10
    Affected: A11
    Create a notification for this product.
    Credits
    Julian Suleder, Nils Emmerich, and Birk Kauer of ERNW Research GmbH; Dr. Oliver Matula of ERNW Enno Rey Netzwerke GmbH, reported these vulnerabilities to the Federal Office for Information Security (BSI), Germany, in the context of the BSI project ManiMed (Manipulation of medical devices).
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T15:26:09.803Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://www.cisa.gov/uscert/ics/advisories/icsma-20-296-02"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2020-25152",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-04-16T15:54:34.665213Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-04-16T16:30:24.443Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "SpaceCom",
              "vendor": "B. Braun Melsungen AG",
              "versions": [
                {
                  "lessThanOrEqual": "U61",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                },
                {
                  "lessThanOrEqual": "L81",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            },
            {
              "product": "Battery pack with Wi-Fi",
              "vendor": "B. Braun Melsungen AG",
              "versions": [
                {
                  "lessThanOrEqual": "U61",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                },
                {
                  "lessThanOrEqual": "L81",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            },
            {
              "product": "Data module compactplus",
              "vendor": "B. Braun Melsungen AG",
              "versions": [
                {
                  "status": "affected",
                  "version": "A10"
                },
                {
                  "status": "affected",
                  "version": "A11"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Julian Suleder, Nils Emmerich, and Birk Kauer of ERNW Research GmbH; Dr. Oliver Matula of ERNW Enno Rey Netzwerke GmbH, reported these vulnerabilities to the Federal Office for Information Security (BSI), Germany, in the context of the BSI project ManiMed (Manipulation of medical devices)."
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A session fixation vulnerability in the B. Braun Melsungen AG SpaceCom administrative interface Version L81/U61 and earlier, and the Data module compactplus Versions A10 and A11 allows remote attackers to hijack web sessions and escalate privileges."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 6.5,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-384",
                  "description": "CWE-384: Session Fixation",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-04-14T20:05:55.000Z",
            "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
            "shortName": "icscert"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://www.cisa.gov/uscert/ics/advisories/icsma-20-296-02"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "value": "B. Braun recommends applying updates:\n\n    SpaceCom: Version U62 or later (United States), L82 or later (outside the United States)\n    Battery Pack SP with Wi-Fi: Version U62 or later (United States), L82 or later (outside the United States)\n    Data module compactplus: Version A12 or later\n\nPlease contact your local B. Braun organization to request further help. For more information please see the B. Braun Security Advisory.  https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html\n"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "B. Braun SpaceCom, Battery Pack SP with Wi-Fi, and Data module compactplus",
          "workarounds": [
            {
              "lang": "en",
              "value": "As a general security measure, B. Braun recommends protecting the network with appropriate mechanisms:\n\n    Ensure the devices are not accessible directly from the Internet.\n    Use a firewall and isolate the medical devices from the business network. \n\nPlease contact your local B. Braun organization to request further help. For more information please see the B. Braun Security Advisory.  https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html"
            }
          ],
          "x_generator": {
            "engine": "Vulnogram 0.0.9"
          },
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "ics-cert@hq.dhs.gov",
              "ID": "CVE-2020-25152",
              "STATE": "PUBLIC",
              "TITLE": "B. Braun SpaceCom, Battery Pack SP with Wi-Fi, and Data module compactplus"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "SpaceCom",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c=",
                                "version_value": "U61"
                              },
                              {
                                "version_affected": "\u003c=",
                                "version_value": "L81"
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "Battery pack with Wi-Fi",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c=",
                                "version_value": "U61"
                              },
                              {
                                "version_affected": "\u003c=",
                                "version_value": "L81"
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "Data module compactplus",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "=",
                                "version_value": "A10"
                              },
                              {
                                "version_affected": "=",
                                "version_value": "A11"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "B. Braun Melsungen AG"
                  }
                ]
              }
            },
            "credit": [
              {
                "lang": "eng",
                "value": "Julian Suleder, Nils Emmerich, and Birk Kauer of ERNW Research GmbH; Dr. Oliver Matula of ERNW Enno Rey Netzwerke GmbH, reported these vulnerabilities to the Federal Office for Information Security (BSI), Germany, in the context of the BSI project ManiMed (Manipulation of medical devices)."
              }
            ],
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "A session fixation vulnerability in the B. Braun Melsungen AG SpaceCom administrative interface Version L81/U61 and earlier, and the Data module compactplus Versions A10 and A11 allows remote attackers to hijack web sessions and escalate privileges."
                }
              ]
            },
            "generator": {
              "engine": "Vulnogram 0.0.9"
            },
            "impact": {
              "cvss": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 6.5,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
                "version": "3.1"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-384: Session Fixation"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://www.cisa.gov/uscert/ics/advisories/icsma-20-296-02",
                  "refsource": "CONFIRM",
                  "url": "https://www.cisa.gov/uscert/ics/advisories/icsma-20-296-02"
                },
                {
                  "name": "https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html",
                  "refsource": "CONFIRM",
                  "url": "https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html"
                }
              ]
            },
            "solution": [
              {
                "lang": "en",
                "value": "B. Braun recommends applying updates:\n\n    SpaceCom: Version U62 or later (United States), L82 or later (outside the United States)\n    Battery Pack SP with Wi-Fi: Version U62 or later (United States), L82 or later (outside the United States)\n    Data module compactplus: Version A12 or later\n\nPlease contact your local B. Braun organization to request further help. For more information please see the B. Braun Security Advisory.  https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html\n"
              }
            ],
            "source": {
              "discovery": "EXTERNAL"
            },
            "work_around": [
              {
                "lang": "en",
                "value": "As a general security measure, B. Braun recommends protecting the network with appropriate mechanisms:\n\n    Ensure the devices are not accessible directly from the Internet.\n    Use a firewall and isolate the medical devices from the business network. \n\nPlease contact your local B. Braun organization to request further help. For more information please see the B. Braun Security Advisory.  https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html"
              }
            ]
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
        "assignerShortName": "icscert",
        "cveId": "CVE-2020-25152",
        "datePublished": "2022-04-14T20:05:55.000Z",
        "dateReserved": "2020-09-04T00:00:00.000Z",
        "dateUpdated": "2025-04-16T16:30:24.443Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2020-25156 (GCVE-0-2020-25156)

    Vulnerability from cvelistv5 – Published: 2022-04-14 20:05 – Updated: 2025-04-16 17:55
    VLAI
    Title
    B. Braun SpaceCom, Battery Pack SP with Wi-Fi, and Data module compactplus
    Summary
    Active debug code in the B. Braun Melsungen AG SpaceCom Version L8/U61, and the Data module compactplus Versions A10 and A11 and earlier enables attackers in possession of cryptographic material to access the device as root.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    References
    Impacted products
    Vendor Product Version
    B. Braun Melsungen AG SpaceCom Affected: unspecified , ≤ U61 (custom)
    Affected: unspecified , ≤ L81 (custom)
    Create a notification for this product.
    B. Braun Melsungen AG Battery pack with Wi-Fi Affected: unspecified , ≤ U61 (custom)
    Affected: unspecified , ≤ L81 (custom)
    Create a notification for this product.
    B. Braun Melsungen AG Data module compactplus Affected: A10
    Affected: A11
    Create a notification for this product.
    Credits
    Julian Suleder, Nils Emmerich, and Birk Kauer of ERNW Research GmbH; Dr. Oliver Matula of ERNW Enno Rey Netzwerke GmbH, reported these vulnerabilities to the Federal Office for Information Security (BSI), Germany, in the context of the BSI project ManiMed (Manipulation of medical devices).
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T15:26:09.778Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://www.cisa.gov/uscert/ics/advisories/icsma-20-296-02"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2020-25156",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-04-16T17:29:43.063614Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-04-16T17:55:34.722Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "SpaceCom",
              "vendor": "B. Braun Melsungen AG",
              "versions": [
                {
                  "lessThanOrEqual": "U61",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                },
                {
                  "lessThanOrEqual": "L81",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            },
            {
              "product": "Battery pack with Wi-Fi",
              "vendor": "B. Braun Melsungen AG",
              "versions": [
                {
                  "lessThanOrEqual": "U61",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                },
                {
                  "lessThanOrEqual": "L81",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            },
            {
              "product": "Data module compactplus",
              "vendor": "B. Braun Melsungen AG",
              "versions": [
                {
                  "status": "affected",
                  "version": "A10"
                },
                {
                  "status": "affected",
                  "version": "A11"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Julian Suleder, Nils Emmerich, and Birk Kauer of ERNW Research GmbH; Dr. Oliver Matula of ERNW Enno Rey Netzwerke GmbH, reported these vulnerabilities to the Federal Office for Information Security (BSI), Germany, in the context of the BSI project ManiMed (Manipulation of medical devices)."
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Active debug code in the B. Braun Melsungen AG SpaceCom Version L8/U61, and the Data module compactplus Versions A10 and A11 and earlier enables attackers in possession of cryptographic material to access the device as root."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 7.2,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "HIGH",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-489",
                  "description": "CWE-489: Active Debug Code",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-04-14T20:05:53.000Z",
            "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
            "shortName": "icscert"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://www.cisa.gov/uscert/ics/advisories/icsma-20-296-02"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "value": "B. Braun recommends applying updates:\n\n    SpaceCom: Version U62 or later (United States), L82 or later (outside the United States)\n    Battery Pack SP with Wi-Fi: Version U62 or later (United States), L82 or later (outside the United States)\n    Data module compactplus: Version A12 or later\n\nPlease contact your local B. Braun organization to request further help. For more information please see the B. Braun Security Advisory.  https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html\n"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "B. Braun SpaceCom, Battery Pack SP with Wi-Fi, and Data module compactplus",
          "workarounds": [
            {
              "lang": "en",
              "value": "As a general security measure, B. Braun recommends protecting the network with appropriate mechanisms:\n\n    Ensure the devices are not accessible directly from the Internet.\n    Use a firewall and isolate the medical devices from the business network. \n\nPlease contact your local B. Braun organization to request further help. For more information please see the B. Braun Security Advisory.  https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html"
            }
          ],
          "x_generator": {
            "engine": "Vulnogram 0.0.9"
          },
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "ics-cert@hq.dhs.gov",
              "ID": "CVE-2020-25156",
              "STATE": "PUBLIC",
              "TITLE": "B. Braun SpaceCom, Battery Pack SP with Wi-Fi, and Data module compactplus"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "SpaceCom",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c=",
                                "version_value": "U61"
                              },
                              {
                                "version_affected": "\u003c=",
                                "version_value": "L81"
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "Battery pack with Wi-Fi",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c=",
                                "version_value": "U61"
                              },
                              {
                                "version_affected": "\u003c=",
                                "version_value": "L81"
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "Data module compactplus",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "=",
                                "version_value": "A10"
                              },
                              {
                                "version_affected": "=",
                                "version_value": "A11"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "B. Braun Melsungen AG"
                  }
                ]
              }
            },
            "credit": [
              {
                "lang": "eng",
                "value": "Julian Suleder, Nils Emmerich, and Birk Kauer of ERNW Research GmbH; Dr. Oliver Matula of ERNW Enno Rey Netzwerke GmbH, reported these vulnerabilities to the Federal Office for Information Security (BSI), Germany, in the context of the BSI project ManiMed (Manipulation of medical devices)."
              }
            ],
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Active debug code in the B. Braun Melsungen AG SpaceCom Version L8/U61, and the Data module compactplus Versions A10 and A11 and earlier enables attackers in possession of cryptographic material to access the device as root."
                }
              ]
            },
            "generator": {
              "engine": "Vulnogram 0.0.9"
            },
            "impact": {
              "cvss": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 7.2,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "HIGH",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-489: Active Debug Code"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://www.cisa.gov/uscert/ics/advisories/icsma-20-296-02",
                  "refsource": "CONFIRM",
                  "url": "https://www.cisa.gov/uscert/ics/advisories/icsma-20-296-02"
                },
                {
                  "name": "https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html",
                  "refsource": "CONFIRM",
                  "url": "https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html"
                }
              ]
            },
            "solution": [
              {
                "lang": "en",
                "value": "B. Braun recommends applying updates:\n\n    SpaceCom: Version U62 or later (United States), L82 or later (outside the United States)\n    Battery Pack SP with Wi-Fi: Version U62 or later (United States), L82 or later (outside the United States)\n    Data module compactplus: Version A12 or later\n\nPlease contact your local B. Braun organization to request further help. For more information please see the B. Braun Security Advisory.  https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html\n"
              }
            ],
            "source": {
              "discovery": "EXTERNAL"
            },
            "work_around": [
              {
                "lang": "en",
                "value": "As a general security measure, B. Braun recommends protecting the network with appropriate mechanisms:\n\n    Ensure the devices are not accessible directly from the Internet.\n    Use a firewall and isolate the medical devices from the business network. \n\nPlease contact your local B. Braun organization to request further help. For more information please see the B. Braun Security Advisory.  https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html"
              }
            ]
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
        "assignerShortName": "icscert",
        "cveId": "CVE-2020-25156",
        "datePublished": "2022-04-14T20:05:53.000Z",
        "dateReserved": "2020-09-04T00:00:00.000Z",
        "dateUpdated": "2025-04-16T17:55:34.722Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2020-16238 (GCVE-0-2020-16238)

    Vulnerability from cvelistv5 – Published: 2022-04-14 20:05 – Updated: 2025-04-16 17:55
    VLAI
    Title
    B. Braun SpaceCom, Battery Pack SP with Wi-Fi, and Data module compactplus
    Summary
    A vulnerability in the configuration import mechanism of the B. Braun Melsungen AG SpaceCom Version L81/U61 and earlier, and the Data module compactplus Versions A10 and A11 allows attackers with command line access to the underlying Linux system to escalate privileges to the root user.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-269 - Improper Privilege Management
    Assigner
    References
    Impacted products
    Vendor Product Version
    B. Braun Melsungen AG SpaceCom Affected: unspecified , ≤ U61 (custom)
    Affected: unspecified , ≤ L81 (custom)
    Create a notification for this product.
    B. Braun Melsungen AG Battery pack with Wi-Fi Affected: unspecified , ≤ U61 (custom)
    Affected: unspecified , ≤ L81 (custom)
    Create a notification for this product.
    B. Braun Melsungen AG Data module compactplus Affected: A10
    Affected: A11
    Create a notification for this product.
    Credits
    Julian Suleder, Nils Emmerich, and Birk Kauer of ERNW Research GmbH; Dr. Oliver Matula of ERNW Enno Rey Netzwerke GmbH, reported these vulnerabilities to the Federal Office for Information Security (BSI), Germany, in the context of the BSI project ManiMed (Manipulation of medical devices).
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T13:37:53.954Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://www.cisa.gov/uscert/ics/advisories/icsma-20-296-02"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2020-16238",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-04-16T17:29:45.935171Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-04-16T17:55:42.177Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "SpaceCom",
              "vendor": "B. Braun Melsungen AG",
              "versions": [
                {
                  "lessThanOrEqual": "U61",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                },
                {
                  "lessThanOrEqual": "L81",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            },
            {
              "product": "Battery pack with Wi-Fi",
              "vendor": "B. Braun Melsungen AG",
              "versions": [
                {
                  "lessThanOrEqual": "U61",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                },
                {
                  "lessThanOrEqual": "L81",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            },
            {
              "product": "Data module compactplus",
              "vendor": "B. Braun Melsungen AG",
              "versions": [
                {
                  "status": "affected",
                  "version": "A10"
                },
                {
                  "status": "affected",
                  "version": "A11"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Julian Suleder, Nils Emmerich, and Birk Kauer of ERNW Research GmbH; Dr. Oliver Matula of ERNW Enno Rey Netzwerke GmbH, reported these vulnerabilities to the Federal Office for Information Security (BSI), Germany, in the context of the BSI project ManiMed (Manipulation of medical devices)."
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A vulnerability in the configuration import mechanism of the B. Braun Melsungen AG SpaceCom Version L81/U61 and earlier, and the Data module compactplus Versions A10 and A11 allows attackers with command line access to the underlying Linux system to escalate privileges to the root user."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "LOCAL",
                "availabilityImpact": "HIGH",
                "baseScore": 6.7,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "HIGH",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-269",
                  "description": "CWE-269: Improper Privilege Management",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-04-14T20:05:53.000Z",
            "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
            "shortName": "icscert"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://www.cisa.gov/uscert/ics/advisories/icsma-20-296-02"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "value": "B. Braun recommends applying updates:\n\n    SpaceCom: Version U62 or later (United States), L82 or later (outside the United States)\n    Battery Pack SP with Wi-Fi: Version U62 or later (United States), L82 or later (outside the United States)\n    Data module compactplus: Version A12 or later\n\nPlease contact your local B. Braun organization to request further help. For more information please see the B. Braun Security Advisory.  https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html\n"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "B. Braun SpaceCom, Battery Pack SP with Wi-Fi, and Data module compactplus",
          "workarounds": [
            {
              "lang": "en",
              "value": "As a general security measure, B. Braun recommends protecting the network with appropriate mechanisms:\n\n    Ensure the devices are not accessible directly from the Internet.\n    Use a firewall and isolate the medical devices from the business network. \n\nPlease contact your local B. Braun organization to request further help. For more information please see the B. Braun Security Advisory.  https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html"
            }
          ],
          "x_generator": {
            "engine": "Vulnogram 0.0.9"
          },
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "ics-cert@hq.dhs.gov",
              "ID": "CVE-2020-16238",
              "STATE": "PUBLIC",
              "TITLE": "B. Braun SpaceCom, Battery Pack SP with Wi-Fi, and Data module compactplus"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "SpaceCom",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c=",
                                "version_value": "U61"
                              },
                              {
                                "version_affected": "\u003c=",
                                "version_value": "L81"
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "Battery pack with Wi-Fi",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c=",
                                "version_value": "U61"
                              },
                              {
                                "version_affected": "\u003c=",
                                "version_value": "L81"
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "Data module compactplus",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "=",
                                "version_value": "A10"
                              },
                              {
                                "version_affected": "=",
                                "version_value": "A11"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "B. Braun Melsungen AG"
                  }
                ]
              }
            },
            "credit": [
              {
                "lang": "eng",
                "value": "Julian Suleder, Nils Emmerich, and Birk Kauer of ERNW Research GmbH; Dr. Oliver Matula of ERNW Enno Rey Netzwerke GmbH, reported these vulnerabilities to the Federal Office for Information Security (BSI), Germany, in the context of the BSI project ManiMed (Manipulation of medical devices)."
              }
            ],
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "A vulnerability in the configuration import mechanism of the B. Braun Melsungen AG SpaceCom Version L81/U61 and earlier, and the Data module compactplus Versions A10 and A11 allows attackers with command line access to the underlying Linux system to escalate privileges to the root user."
                }
              ]
            },
            "generator": {
              "engine": "Vulnogram 0.0.9"
            },
            "impact": {
              "cvss": {
                "attackComplexity": "LOW",
                "attackVector": "LOCAL",
                "availabilityImpact": "HIGH",
                "baseScore": 6.7,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "HIGH",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-269: Improper Privilege Management"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://www.cisa.gov/uscert/ics/advisories/icsma-20-296-02",
                  "refsource": "CONFIRM",
                  "url": "https://www.cisa.gov/uscert/ics/advisories/icsma-20-296-02"
                },
                {
                  "name": "https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html",
                  "refsource": "CONFIRM",
                  "url": "https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html"
                }
              ]
            },
            "solution": [
              {
                "lang": "en",
                "value": "B. Braun recommends applying updates:\n\n    SpaceCom: Version U62 or later (United States), L82 or later (outside the United States)\n    Battery Pack SP with Wi-Fi: Version U62 or later (United States), L82 or later (outside the United States)\n    Data module compactplus: Version A12 or later\n\nPlease contact your local B. Braun organization to request further help. For more information please see the B. Braun Security Advisory.  https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html\n"
              }
            ],
            "source": {
              "discovery": "EXTERNAL"
            },
            "work_around": [
              {
                "lang": "en",
                "value": "As a general security measure, B. Braun recommends protecting the network with appropriate mechanisms:\n\n    Ensure the devices are not accessible directly from the Internet.\n    Use a firewall and isolate the medical devices from the business network. \n\nPlease contact your local B. Braun organization to request further help. For more information please see the B. Braun Security Advisory.  https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html"
              }
            ]
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
        "assignerShortName": "icscert",
        "cveId": "CVE-2020-16238",
        "datePublished": "2022-04-14T20:05:53.000Z",
        "dateReserved": "2020-07-31T00:00:00.000Z",
        "dateUpdated": "2025-04-16T17:55:42.177Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2020-25150 (GCVE-0-2020-25150)

    Vulnerability from cvelistv5 – Published: 2022-04-14 20:05 – Updated: 2025-04-16 16:30
    VLAI
    Title
    B. Braun SpaceCom, Battery Pack SP with Wi-Fi, and Data module compactplus
    Summary
    A relative path traversal attack in the B. Braun Melsungen AG SpaceCom Version L81/U61 and earlier, and the Data module compactplus Versions A10 and A11 allows attackers with service user privileges to upload arbitrary files. By uploading a specially crafted tar file an attacker can execute arbitrary commands.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-23 - Relative Path Traversal
    Assigner
    References
    Impacted products
    Vendor Product Version
    B. Braun Melsungen AG SpaceCom Affected: unspecified , ≤ U61 (custom)
    Affected: unspecified , ≤ L81 (custom)
    Create a notification for this product.
    B. Braun Melsungen AG Battery pack with Wi-Fi Affected: unspecified , ≤ U61 (custom)
    Affected: unspecified , ≤ L81 (custom)
    Create a notification for this product.
    B. Braun Melsungen AG Data module compactplus Affected: A10
    Affected: A11
    Create a notification for this product.
    Credits
    Julian Suleder, Nils Emmerich, and Birk Kauer of ERNW Research GmbH; Dr. Oliver Matula of ERNW Enno Rey Netzwerke GmbH, reported these vulnerabilities to the Federal Office for Information Security (BSI), Germany, in the context of the BSI project ManiMed (Manipulation of medical devices).
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T15:26:09.495Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://www.cisa.gov/uscert/ics/advisories/icsma-20-296-02"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2020-25150",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-04-16T15:54:38.970393Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-04-16T16:30:32.103Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "SpaceCom",
              "vendor": "B. Braun Melsungen AG",
              "versions": [
                {
                  "lessThanOrEqual": "U61",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                },
                {
                  "lessThanOrEqual": "L81",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            },
            {
              "product": "Battery pack with Wi-Fi",
              "vendor": "B. Braun Melsungen AG",
              "versions": [
                {
                  "lessThanOrEqual": "U61",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                },
                {
                  "lessThanOrEqual": "L81",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            },
            {
              "product": "Data module compactplus",
              "vendor": "B. Braun Melsungen AG",
              "versions": [
                {
                  "status": "affected",
                  "version": "A10"
                },
                {
                  "status": "affected",
                  "version": "A11"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Julian Suleder, Nils Emmerich, and Birk Kauer of ERNW Research GmbH; Dr. Oliver Matula of ERNW Enno Rey Netzwerke GmbH, reported these vulnerabilities to the Federal Office for Information Security (BSI), Germany, in the context of the BSI project ManiMed (Manipulation of medical devices)."
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A relative path traversal attack in the B. Braun Melsungen AG SpaceCom Version L81/U61 and earlier, and the Data module compactplus Versions A10 and A11 allows attackers with service user privileges to upload arbitrary files. By uploading a specially crafted tar file an attacker can execute arbitrary commands."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 7.6,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "LOW",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-23",
                  "description": "CWE-23: Relative Path Traversal",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-04-14T20:05:52.000Z",
            "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
            "shortName": "icscert"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://www.cisa.gov/uscert/ics/advisories/icsma-20-296-02"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "value": "B. Braun recommends applying updates:\n\n    SpaceCom: Version U62 or later (United States), L82 or later (outside the United States)\n    Battery Pack SP with Wi-Fi: Version U62 or later (United States), L82 or later (outside the United States)\n    Data module compactplus: Version A12 or later\n\nPlease contact your local B. Braun organization to request further help. For more information please see the B. Braun Security Advisory.  https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html\n"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "B. Braun SpaceCom, Battery Pack SP with Wi-Fi, and Data module compactplus",
          "workarounds": [
            {
              "lang": "en",
              "value": "As a general security measure, B. Braun recommends protecting the network with appropriate mechanisms:\n\n    Ensure the devices are not accessible directly from the Internet.\n    Use a firewall and isolate the medical devices from the business network. \n\nPlease contact your local B. Braun organization to request further help. For more information please see the B. Braun Security Advisory.  https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html"
            }
          ],
          "x_generator": {
            "engine": "Vulnogram 0.0.9"
          },
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "ics-cert@hq.dhs.gov",
              "ID": "CVE-2020-25150",
              "STATE": "PUBLIC",
              "TITLE": "B. Braun SpaceCom, Battery Pack SP with Wi-Fi, and Data module compactplus"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "SpaceCom",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c=",
                                "version_value": "U61"
                              },
                              {
                                "version_affected": "\u003c=",
                                "version_value": "L81"
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "Battery pack with Wi-Fi",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c=",
                                "version_value": "U61"
                              },
                              {
                                "version_affected": "\u003c=",
                                "version_value": "L81"
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "Data module compactplus",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "=",
                                "version_value": "A10"
                              },
                              {
                                "version_affected": "=",
                                "version_value": "A11"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "B. Braun Melsungen AG"
                  }
                ]
              }
            },
            "credit": [
              {
                "lang": "eng",
                "value": "Julian Suleder, Nils Emmerich, and Birk Kauer of ERNW Research GmbH; Dr. Oliver Matula of ERNW Enno Rey Netzwerke GmbH, reported these vulnerabilities to the Federal Office for Information Security (BSI), Germany, in the context of the BSI project ManiMed (Manipulation of medical devices)."
              }
            ],
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "A relative path traversal attack in the B. Braun Melsungen AG SpaceCom Version L81/U61 and earlier, and the Data module compactplus Versions A10 and A11 allows attackers with service user privileges to upload arbitrary files. By uploading a specially crafted tar file an attacker can execute arbitrary commands."
                }
              ]
            },
            "generator": {
              "engine": "Vulnogram 0.0.9"
            },
            "impact": {
              "cvss": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 7.6,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "LOW",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L",
                "version": "3.1"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-23: Relative Path Traversal"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://www.cisa.gov/uscert/ics/advisories/icsma-20-296-02",
                  "refsource": "CONFIRM",
                  "url": "https://www.cisa.gov/uscert/ics/advisories/icsma-20-296-02"
                },
                {
                  "name": "https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html",
                  "refsource": "CONFIRM",
                  "url": "https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html"
                }
              ]
            },
            "solution": [
              {
                "lang": "en",
                "value": "B. Braun recommends applying updates:\n\n    SpaceCom: Version U62 or later (United States), L82 or later (outside the United States)\n    Battery Pack SP with Wi-Fi: Version U62 or later (United States), L82 or later (outside the United States)\n    Data module compactplus: Version A12 or later\n\nPlease contact your local B. Braun organization to request further help. For more information please see the B. Braun Security Advisory.  https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html\n"
              }
            ],
            "source": {
              "discovery": "EXTERNAL"
            },
            "work_around": [
              {
                "lang": "en",
                "value": "As a general security measure, B. Braun recommends protecting the network with appropriate mechanisms:\n\n    Ensure the devices are not accessible directly from the Internet.\n    Use a firewall and isolate the medical devices from the business network. \n\nPlease contact your local B. Braun organization to request further help. For more information please see the B. Braun Security Advisory.  https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html"
              }
            ]
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
        "assignerShortName": "icscert",
        "cveId": "CVE-2020-25150",
        "datePublished": "2022-04-14T20:05:52.000Z",
        "dateReserved": "2020-09-04T00:00:00.000Z",
        "dateUpdated": "2025-04-16T16:30:32.103Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }