Search

Find a vulnerability

Search criteria

    34 vulnerabilities by B. Braun Melsungen AG

    CVE-2025-3365 (GCVE-0-2025-3365)

    Vulnerability from nvd – Published: 2025-06-06 08:14 – Updated: 2025-06-06 17:12
    VLAI
    Title
    Relative Path Traversal in OnlineSuite
    Summary
    A missing protection against path traversal allows to access any file on the server.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-23 - Relative Path Traversal
    Assigner
    References
    Impacted products
    Date Public
    2025-06-06 07:00
    Credits
    Fabian Weber (CODE WHITE GmbH) Dr. Florian Hauser (CODE WHITE GmbH)
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-3365",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-06-06T17:03:10.577417Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-06-06T17:12:51.401Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "OnlineSuite",
              "vendor": "B. Braun Melsungen AG",
              "versions": [
                {
                  "status": "affected",
                  "version": "3.0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "Fabian Weber (CODE WHITE GmbH)"
            },
            {
              "lang": "en",
              "type": "reporter",
              "value": "Dr. Florian Hauser (CODE WHITE GmbH)"
            }
          ],
          "datePublic": "2025-06-06T07:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eA missing protection against path traversal allows to access\nany file on the server.\u003c/p\u003e"
                }
              ],
              "value": "A missing protection against path traversal allows to access\nany file on the server."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 9.8,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-23",
                  "description": "CWE-23 Relative Path Traversal",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-06-06T08:14:00.444Z",
            "orgId": "653264ec-f98b-4e8f-b8b4-540a01b7657d",
            "shortName": "B.Braun"
          },
          "references": [
            {
              "url": "https://www.bbraun.com/productsecurity"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Field Service Information FSI 14-25 \u201cOnlineSuite AP3.0 - Security Fix\u201d provides a patch to these issues.\n\n\u003cbr\u003e"
                }
              ],
              "value": "Field Service Information FSI 14-25 \u201cOnlineSuite AP3.0 - Security Fix\u201d provides a patch to these issues."
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Relative Path Traversal in OnlineSuite",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "653264ec-f98b-4e8f-b8b4-540a01b7657d",
        "assignerShortName": "B.Braun",
        "cveId": "CVE-2025-3365",
        "datePublished": "2025-06-06T08:14:00.444Z",
        "dateReserved": "2025-04-07T06:11:11.032Z",
        "dateUpdated": "2025-06-06T17:12:51.401Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-3322 (GCVE-0-2025-3322)

    Vulnerability from nvd – Published: 2025-06-06 08:13 – Updated: 2025-06-06 17:29
    VLAI
    Title
    Improper Neutralization of Special Elements in OnlineSuite
    Summary
    An improper neutralization of inputs used in expression language allows remote code execution with the highest privileges on the server.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-917 - Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')
    Assigner
    References
    Impacted products
    Date Public
    2025-06-06 07:00
    Credits
    Fabian Weber (CODE WHITE GmbH) Dr. Florian Hauser (CODE WHITE GmbH)
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-3322",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-06-06T17:19:28.552605Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-06-06T17:29:30.972Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "OnlineSuite",
              "vendor": "B. Braun Melsungen AG",
              "versions": [
                {
                  "status": "affected",
                  "version": "3.0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "Fabian Weber (CODE WHITE GmbH)"
            },
            {
              "lang": "en",
              "type": "reporter",
              "value": "Dr. Florian Hauser (CODE WHITE GmbH)"
            }
          ],
          "datePublic": "2025-06-06T07:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eAn improper neutralization of inputs used in expression\nlanguage allows remote code execution with the highest privileges on the\nserver.\u003c/p\u003e"
                }
              ],
              "value": "An improper neutralization of inputs used in expression\nlanguage allows remote code execution with the highest privileges on the\nserver."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 10,
                "baseSeverity": "CRITICAL",
                "privilegesRequired": "NONE",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "HIGH",
                "subConfidentialityImpact": "HIGH",
                "subIntegrityImpact": "HIGH",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "HIGH",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-917",
                  "description": "CWE-917 Improper Neutralization of Special Elements used in an Expression Language Statement (\u0027Expression Language Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-06-06T08:13:12.028Z",
            "orgId": "653264ec-f98b-4e8f-b8b4-540a01b7657d",
            "shortName": "B.Braun"
          },
          "references": [
            {
              "url": "https://www.bbraun.com/productsecurity"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Field Service Information FSI 14-25 \u201cOnlineSuite AP3.0 - Security Fix\u201d provides a patch to these issues.\n\n\u003cbr\u003e"
                }
              ],
              "value": "Field Service Information FSI 14-25 \u201cOnlineSuite AP3.0 - Security Fix\u201d provides a patch to these issues."
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Improper Neutralization of Special Elements in OnlineSuite",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "653264ec-f98b-4e8f-b8b4-540a01b7657d",
        "assignerShortName": "B.Braun",
        "cveId": "CVE-2025-3322",
        "datePublished": "2025-06-06T08:13:12.028Z",
        "dateReserved": "2025-04-05T19:02:30.304Z",
        "dateUpdated": "2025-06-06T17:29:30.972Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-3321 (GCVE-0-2025-3321)

    Vulnerability from nvd – Published: 2025-06-06 08:12 – Updated: 2025-06-06 18:25
    VLAI
    Title
    Use of Hard-coded Credentials in OnlineSuite
    Summary
    A predefined administrative account is not documented and cannot be deactivated. This account cannot be misused from the network, only by local users on the server.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-798 - Use of Hard-coded Credentials
    Assigner
    References
    Impacted products
    Date Public
    2025-06-06 07:00
    Credits
    Fabian Weber (CODE WHITE GmbH) Dr. Florian Hauser (CODE WHITE GmbH)
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-3321",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-06-06T17:42:18.841236Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-06-06T18:25:54.094Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "OnlineSuite",
              "vendor": "B. Braun Melsungen AG",
              "versions": [
                {
                  "status": "affected",
                  "version": "3.0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "Fabian Weber (CODE WHITE GmbH)"
            },
            {
              "lang": "en",
              "type": "reporter",
              "value": "Dr. Florian Hauser (CODE WHITE GmbH)"
            }
          ],
          "datePublic": "2025-06-06T07:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003e\u003c/p\u003e\u003cp\u003eA predefined administrative account is not documented and cannot\nbe deactivated. This account cannot be misused from the network, only by local\nusers on the server.\u003c/p\u003e\n\n\n\n\n\n\u003cp\u003e\u003c/p\u003e"
                }
              ],
              "value": "A predefined administrative account is not documented and cannot\nbe deactivated. This account cannot be misused from the network, only by local\nusers on the server."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "LOCAL",
                "baseScore": 9.4,
                "baseSeverity": "CRITICAL",
                "privilegesRequired": "NONE",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "HIGH",
                "subConfidentialityImpact": "HIGH",
                "subIntegrityImpact": "HIGH",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "HIGH",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-798",
                  "description": "CWE-798 Use of Hard-coded Credentials",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-06-06T08:12:46.971Z",
            "orgId": "653264ec-f98b-4e8f-b8b4-540a01b7657d",
            "shortName": "B.Braun"
          },
          "references": [
            {
              "url": "https://www.bbraun.com/productsecurity"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Field Service Information FSI 14-25 \u201cOnlineSuite AP3.0 - Security Fix\u201d provides a patch to these issues."
                }
              ],
              "value": "Field Service Information FSI 14-25 \u201cOnlineSuite AP3.0 - Security Fix\u201d provides a patch to these issues."
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Use of Hard-coded Credentials in OnlineSuite",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "653264ec-f98b-4e8f-b8b4-540a01b7657d",
        "assignerShortName": "B.Braun",
        "cveId": "CVE-2025-3321",
        "datePublished": "2025-06-06T08:12:46.971Z",
        "dateReserved": "2025-04-05T19:01:47.895Z",
        "dateUpdated": "2025-06-06T18:25:54.094Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2020-25168 (GCVE-0-2020-25168)

    Vulnerability from nvd – Published: 2022-04-14 20:06 – Updated: 2025-04-16 16:29
    VLAI
    Title
    B. Braun SpaceCom, Battery Pack SP with Wi-Fi, and Data module compactplus
    Summary
    Hard-coded credentials in the B. Braun Melsungen AG SpaceCom Version L81/U61 and earlier, and the Data module compactplus Versions A10 and A11 enable attackers with command line access to access the device’s Wi-Fi module.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-798 - Use of Hard-coded Credentials
    Assigner
    References
    Impacted products
    Vendor Product Version
    B. Braun Melsungen AG SpaceCom Affected: unspecified , ≤ U61 (custom)
    Affected: unspecified , ≤ L81 (custom)
    Create a notification for this product.
    B. Braun Melsungen AG Battery pack with Wi-Fi Affected: unspecified , ≤ U61 (custom)
    Affected: unspecified , ≤ L81 (custom)
    Create a notification for this product.
    B. Braun Melsungen AG Data module compactplus Affected: A10
    Affected: A11
    Create a notification for this product.
    Credits
    Julian Suleder, Nils Emmerich, and Birk Kauer of ERNW Research GmbH; Dr. Oliver Matula of ERNW Enno Rey Netzwerke GmbH, reported these vulnerabilities to the Federal Office for Information Security (BSI), Germany, in the context of the BSI project ManiMed (Manipulation of medical devices).
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T15:26:10.000Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://www.cisa.gov/uscert/ics/advisories/icsma-20-296-02"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2020-25168",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-04-16T15:54:09.627996Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-04-16T16:29:29.444Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "SpaceCom",
              "vendor": "B. Braun Melsungen AG",
              "versions": [
                {
                  "lessThanOrEqual": "U61",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                },
                {
                  "lessThanOrEqual": "L81",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            },
            {
              "product": "Battery pack with Wi-Fi",
              "vendor": "B. Braun Melsungen AG",
              "versions": [
                {
                  "lessThanOrEqual": "U61",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                },
                {
                  "lessThanOrEqual": "L81",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            },
            {
              "product": "Data module compactplus",
              "vendor": "B. Braun Melsungen AG",
              "versions": [
                {
                  "status": "affected",
                  "version": "A10"
                },
                {
                  "status": "affected",
                  "version": "A11"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Julian Suleder, Nils Emmerich, and Birk Kauer of ERNW Research GmbH; Dr. Oliver Matula of ERNW Enno Rey Netzwerke GmbH, reported these vulnerabilities to the Federal Office for Information Security (BSI), Germany, in the context of the BSI project ManiMed (Manipulation of medical devices)."
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Hard-coded credentials in the B. Braun Melsungen AG SpaceCom Version L81/U61 and earlier, and the Data module compactplus Versions A10 and A11 enable attackers with command line access to access the device\u2019s Wi-Fi module."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "LOCAL",
                "availabilityImpact": "NONE",
                "baseScore": 3.3,
                "baseSeverity": "LOW",
                "confidentialityImpact": "LOW",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-798",
                  "description": "CWE-798: Use of Hard-coded Credentials",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-04-14T20:06:00.000Z",
            "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
            "shortName": "icscert"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://www.cisa.gov/uscert/ics/advisories/icsma-20-296-02"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "value": "B. Braun recommends applying updates:\n\n    SpaceCom: Version U62 or later (United States), L82 or later (outside the United States)\n    Battery Pack SP with Wi-Fi: Version U62 or later (United States), L82 or later (outside the United States)\n    Data module compactplus: Version A12 or later\n\nPlease contact your local B. Braun organization to request further help. For more information please see the B. Braun Security Advisory.  https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html\n"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "B. Braun SpaceCom, Battery Pack SP with Wi-Fi, and Data module compactplus",
          "workarounds": [
            {
              "lang": "en",
              "value": "As a general security measure, B. Braun recommends protecting the network with appropriate mechanisms:\n\n    Ensure the devices are not accessible directly from the Internet.\n    Use a firewall and isolate the medical devices from the business network. \n\nPlease contact your local B. Braun organization to request further help. For more information please see the B. Braun Security Advisory.  https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html"
            }
          ],
          "x_generator": {
            "engine": "Vulnogram 0.0.9"
          },
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "ics-cert@hq.dhs.gov",
              "ID": "CVE-2020-25168",
              "STATE": "PUBLIC",
              "TITLE": "B. Braun SpaceCom, Battery Pack SP with Wi-Fi, and Data module compactplus"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "SpaceCom",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c=",
                                "version_value": "U61"
                              },
                              {
                                "version_affected": "\u003c=",
                                "version_value": "L81"
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "Battery pack with Wi-Fi",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c=",
                                "version_value": "U61"
                              },
                              {
                                "version_affected": "\u003c=",
                                "version_value": "L81"
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "Data module compactplus",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "=",
                                "version_value": "A10"
                              },
                              {
                                "version_affected": "=",
                                "version_value": "A11"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "B. Braun Melsungen AG"
                  }
                ]
              }
            },
            "credit": [
              {
                "lang": "eng",
                "value": "Julian Suleder, Nils Emmerich, and Birk Kauer of ERNW Research GmbH; Dr. Oliver Matula of ERNW Enno Rey Netzwerke GmbH, reported these vulnerabilities to the Federal Office for Information Security (BSI), Germany, in the context of the BSI project ManiMed (Manipulation of medical devices)."
              }
            ],
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Hard-coded credentials in the B. Braun Melsungen AG SpaceCom Version L81/U61 and earlier, and the Data module compactplus Versions A10 and A11 enable attackers with command line access to access the device\u2019s Wi-Fi module."
                }
              ]
            },
            "generator": {
              "engine": "Vulnogram 0.0.9"
            },
            "impact": {
              "cvss": {
                "attackComplexity": "LOW",
                "attackVector": "LOCAL",
                "availabilityImpact": "NONE",
                "baseScore": 3.3,
                "baseSeverity": "LOW",
                "confidentialityImpact": "LOW",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
                "version": "3.1"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-798: Use of Hard-coded Credentials"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://www.cisa.gov/uscert/ics/advisories/icsma-20-296-02",
                  "refsource": "CONFIRM",
                  "url": "https://www.cisa.gov/uscert/ics/advisories/icsma-20-296-02"
                },
                {
                  "name": "https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html",
                  "refsource": "CONFIRM",
                  "url": "https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html"
                }
              ]
            },
            "solution": [
              {
                "lang": "en",
                "value": "B. Braun recommends applying updates:\n\n    SpaceCom: Version U62 or later (United States), L82 or later (outside the United States)\n    Battery Pack SP with Wi-Fi: Version U62 or later (United States), L82 or later (outside the United States)\n    Data module compactplus: Version A12 or later\n\nPlease contact your local B. Braun organization to request further help. For more information please see the B. Braun Security Advisory.  https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html\n"
              }
            ],
            "source": {
              "discovery": "EXTERNAL"
            },
            "work_around": [
              {
                "lang": "en",
                "value": "As a general security measure, B. Braun recommends protecting the network with appropriate mechanisms:\n\n    Ensure the devices are not accessible directly from the Internet.\n    Use a firewall and isolate the medical devices from the business network. \n\nPlease contact your local B. Braun organization to request further help. For more information please see the B. Braun Security Advisory.  https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html"
              }
            ]
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
        "assignerShortName": "icscert",
        "cveId": "CVE-2020-25168",
        "datePublished": "2022-04-14T20:06:00.000Z",
        "dateReserved": "2020-09-04T00:00:00.000Z",
        "dateUpdated": "2025-04-16T16:29:29.444Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2020-25166 (GCVE-0-2020-25166)

    Vulnerability from nvd – Published: 2022-04-14 20:05 – Updated: 2025-04-16 16:29
    VLAI
    Title
    B. Braun SpaceCom, Battery Pack SP with Wi-Fi, and Data module compactplus
    Summary
    An improper verification of the cryptographic signature of firmware updates of the B. Braun Melsungen AG SpaceCom Version L81/U61 and earlier, and the Data module compactplus Versions A10 and A11 allows attackers to generate valid firmware updates with arbitrary content that can be used to tamper with devices.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-347 - Improper Verification of Cryptographic Signature
    Assigner
    References
    Impacted products
    Vendor Product Version
    B. Braun Melsungen AG SpaceCom Affected: unspecified , ≤ U61 (custom)
    Affected: unspecified , ≤ L81 (custom)
    Create a notification for this product.
    B. Braun Melsungen AG Battery pack with Wi-Fi Affected: unspecified , ≤ U61 (custom)
    Affected: unspecified , ≤ L81 (custom)
    Create a notification for this product.
    B. Braun Melsungen AG Data module compactplus Affected: A10
    Affected: A11
    Create a notification for this product.
    Credits
    Julian Suleder, Nils Emmerich, and Birk Kauer of ERNW Research GmbH; Dr. Oliver Matula of ERNW Enno Rey Netzwerke GmbH, reported these vulnerabilities to the Federal Office for Information Security (BSI), Germany, in the context of the BSI project ManiMed (Manipulation of medical devices).
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T15:26:10.204Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://www.cisa.gov/uscert/ics/advisories/icsma-20-296-02"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2020-25166",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-04-16T15:54:19.378844Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-04-16T16:29:44.744Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "SpaceCom",
              "vendor": "B. Braun Melsungen AG",
              "versions": [
                {
                  "lessThanOrEqual": "U61",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                },
                {
                  "lessThanOrEqual": "L81",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            },
            {
              "product": "Battery pack with Wi-Fi",
              "vendor": "B. Braun Melsungen AG",
              "versions": [
                {
                  "lessThanOrEqual": "U61",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                },
                {
                  "lessThanOrEqual": "L81",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            },
            {
              "product": "Data module compactplus",
              "vendor": "B. Braun Melsungen AG",
              "versions": [
                {
                  "status": "affected",
                  "version": "A10"
                },
                {
                  "status": "affected",
                  "version": "A11"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Julian Suleder, Nils Emmerich, and Birk Kauer of ERNW Research GmbH; Dr. Oliver Matula of ERNW Enno Rey Netzwerke GmbH, reported these vulnerabilities to the Federal Office for Information Security (BSI), Germany, in the context of the BSI project ManiMed (Manipulation of medical devices)."
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "An improper verification of the cryptographic signature of firmware updates of the B. Braun Melsungen AG SpaceCom Version L81/U61 and earlier, and the Data module compactplus Versions A10 and A11 allows attackers to generate valid firmware updates with arbitrary content that can be used to tamper with devices."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 7.6,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "LOW",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-347",
                  "description": "CWE-347: Improper Verification of Cryptographic Signature",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-04-14T20:05:59.000Z",
            "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
            "shortName": "icscert"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://www.cisa.gov/uscert/ics/advisories/icsma-20-296-02"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "value": "B. Braun recommends applying updates:\n\n    SpaceCom: Version U62 or later (United States), L82 or later (outside the United States)\n    Battery Pack SP with Wi-Fi: Version U62 or later (United States), L82 or later (outside the United States)\n    Data module compactplus: Version A12 or later\n\nPlease contact your local B. Braun organization to request further help. For more information please see the B. Braun Security Advisory.  https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html\n"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "B. Braun SpaceCom, Battery Pack SP with Wi-Fi, and Data module compactplus",
          "workarounds": [
            {
              "lang": "en",
              "value": "As a general security measure, B. Braun recommends protecting the network with appropriate mechanisms:\n\n    Ensure the devices are not accessible directly from the Internet.\n    Use a firewall and isolate the medical devices from the business network. \n\nPlease contact your local B. Braun organization to request further help. For more information please see the B. Braun Security Advisory.  https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html"
            }
          ],
          "x_generator": {
            "engine": "Vulnogram 0.0.9"
          },
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "ics-cert@hq.dhs.gov",
              "ID": "CVE-2020-25166",
              "STATE": "PUBLIC",
              "TITLE": "B. Braun SpaceCom, Battery Pack SP with Wi-Fi, and Data module compactplus"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "SpaceCom",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c=",
                                "version_value": "U61"
                              },
                              {
                                "version_affected": "\u003c=",
                                "version_value": "L81"
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "Battery pack with Wi-Fi",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c=",
                                "version_value": "U61"
                              },
                              {
                                "version_affected": "\u003c=",
                                "version_value": "L81"
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "Data module compactplus",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "=",
                                "version_value": "A10"
                              },
                              {
                                "version_affected": "=",
                                "version_value": "A11"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "B. Braun Melsungen AG"
                  }
                ]
              }
            },
            "credit": [
              {
                "lang": "eng",
                "value": "Julian Suleder, Nils Emmerich, and Birk Kauer of ERNW Research GmbH; Dr. Oliver Matula of ERNW Enno Rey Netzwerke GmbH, reported these vulnerabilities to the Federal Office for Information Security (BSI), Germany, in the context of the BSI project ManiMed (Manipulation of medical devices)."
              }
            ],
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "An improper verification of the cryptographic signature of firmware updates of the B. Braun Melsungen AG SpaceCom Version L81/U61 and earlier, and the Data module compactplus Versions A10 and A11 allows attackers to generate valid firmware updates with arbitrary content that can be used to tamper with devices."
                }
              ]
            },
            "generator": {
              "engine": "Vulnogram 0.0.9"
            },
            "impact": {
              "cvss": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 7.6,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "LOW",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L",
                "version": "3.1"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-347: Improper Verification of Cryptographic Signature"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://www.cisa.gov/uscert/ics/advisories/icsma-20-296-02",
                  "refsource": "CONFIRM",
                  "url": "https://www.cisa.gov/uscert/ics/advisories/icsma-20-296-02"
                },
                {
                  "name": "https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html",
                  "refsource": "CONFIRM",
                  "url": "https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html"
                }
              ]
            },
            "solution": [
              {
                "lang": "en",
                "value": "B. Braun recommends applying updates:\n\n    SpaceCom: Version U62 or later (United States), L82 or later (outside the United States)\n    Battery Pack SP with Wi-Fi: Version U62 or later (United States), L82 or later (outside the United States)\n    Data module compactplus: Version A12 or later\n\nPlease contact your local B. Braun organization to request further help. For more information please see the B. Braun Security Advisory.  https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html\n"
              }
            ],
            "source": {
              "discovery": "EXTERNAL"
            },
            "work_around": [
              {
                "lang": "en",
                "value": "As a general security measure, B. Braun recommends protecting the network with appropriate mechanisms:\n\n    Ensure the devices are not accessible directly from the Internet.\n    Use a firewall and isolate the medical devices from the business network. \n\nPlease contact your local B. Braun organization to request further help. For more information please see the B. Braun Security Advisory.  https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html"
              }
            ]
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
        "assignerShortName": "icscert",
        "cveId": "CVE-2020-25166",
        "datePublished": "2022-04-14T20:05:59.000Z",
        "dateReserved": "2020-09-04T00:00:00.000Z",
        "dateUpdated": "2025-04-16T16:29:44.744Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2020-25164 (GCVE-0-2020-25164)

    Vulnerability from nvd – Published: 2022-04-14 20:06 – Updated: 2025-04-16 16:29
    VLAI
    Title
    B. Braun SpaceCom, Battery Pack SP with Wi-Fi, and Data module compactplus
    Summary
    A vulnerability in the B. Braun Melsungen AG SpaceCom Version L81/U61 and earlier, and the Data module compactplus Versions A10 and A11 allows attackers to recover user credentials of the administrative interface.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-759 - Use of a One-Way Hash without a Salt
    Assigner
    References
    Impacted products
    Vendor Product Version
    B. Braun Melsungen AG SpaceCom Affected: unspecified , ≤ U61 (custom)
    Affected: unspecified , ≤ L81 (custom)
    Create a notification for this product.
    B. Braun Melsungen AG Battery pack with Wi-Fi Affected: unspecified , ≤ U61 (custom)
    Affected: unspecified , ≤ L81 (custom)
    Create a notification for this product.
    B. Braun Melsungen AG Data module compactplus Affected: A10
    Affected: A11
    Create a notification for this product.
    Credits
    Julian Suleder, Nils Emmerich, and Birk Kauer of ERNW Research GmbH; Dr. Oliver Matula of ERNW Enno Rey Netzwerke GmbH, reported these vulnerabilities to the Federal Office for Information Security (BSI), Germany, in the context of the BSI project ManiMed (Manipulation of medical devices).
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T15:26:09.576Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://www.cisa.gov/uscert/ics/advisories/icsma-20-296-02"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2020-25164",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-04-16T15:54:15.208760Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-04-16T16:29:36.723Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "SpaceCom",
              "vendor": "B. Braun Melsungen AG",
              "versions": [
                {
                  "lessThanOrEqual": "U61",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                },
                {
                  "lessThanOrEqual": "L81",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            },
            {
              "product": "Battery pack with Wi-Fi",
              "vendor": "B. Braun Melsungen AG",
              "versions": [
                {
                  "lessThanOrEqual": "U61",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                },
                {
                  "lessThanOrEqual": "L81",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            },
            {
              "product": "Data module compactplus",
              "vendor": "B. Braun Melsungen AG",
              "versions": [
                {
                  "status": "affected",
                  "version": "A10"
                },
                {
                  "status": "affected",
                  "version": "A11"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Julian Suleder, Nils Emmerich, and Birk Kauer of ERNW Research GmbH; Dr. Oliver Matula of ERNW Enno Rey Netzwerke GmbH, reported these vulnerabilities to the Federal Office for Information Security (BSI), Germany, in the context of the BSI project ManiMed (Manipulation of medical devices)."
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A vulnerability in the B. Braun Melsungen AG SpaceCom Version L81/U61 and earlier, and the Data module compactplus Versions A10 and A11 allows attackers to recover user credentials of the administrative interface."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 6.5,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-759",
                  "description": "CWE-759: Use of a One-Way Hash without a Salt",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-04-14T20:06:00.000Z",
            "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
            "shortName": "icscert"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://www.cisa.gov/uscert/ics/advisories/icsma-20-296-02"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "value": "B. Braun recommends applying updates:\n\n    SpaceCom: Version U62 or later (United States), L82 or later (outside the United States)\n    Battery Pack SP with Wi-Fi: Version U62 or later (United States), L82 or later (outside the United States)\n    Data module compactplus: Version A12 or later\n\nPlease contact your local B. Braun organization to request further help. For more information please see the B. Braun Security Advisory.  https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html\n"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "B. Braun SpaceCom, Battery Pack SP with Wi-Fi, and Data module compactplus",
          "workarounds": [
            {
              "lang": "en",
              "value": "As a general security measure, B. Braun recommends protecting the network with appropriate mechanisms:\n\n    Ensure the devices are not accessible directly from the Internet.\n    Use a firewall and isolate the medical devices from the business network. \n\nPlease contact your local B. Braun organization to request further help. For more information please see the B. Braun Security Advisory.  https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html"
            }
          ],
          "x_generator": {
            "engine": "Vulnogram 0.0.9"
          },
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "ics-cert@hq.dhs.gov",
              "ID": "CVE-2020-25164",
              "STATE": "PUBLIC",
              "TITLE": "B. Braun SpaceCom, Battery Pack SP with Wi-Fi, and Data module compactplus"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "SpaceCom",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c=",
                                "version_value": "U61"
                              },
                              {
                                "version_affected": "\u003c=",
                                "version_value": "L81"
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "Battery pack with Wi-Fi",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c=",
                                "version_value": "U61"
                              },
                              {
                                "version_affected": "\u003c=",
                                "version_value": "L81"
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "Data module compactplus",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "=",
                                "version_value": "A10"
                              },
                              {
                                "version_affected": "=",
                                "version_value": "A11"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "B. Braun Melsungen AG"
                  }
                ]
              }
            },
            "credit": [
              {
                "lang": "eng",
                "value": "Julian Suleder, Nils Emmerich, and Birk Kauer of ERNW Research GmbH; Dr. Oliver Matula of ERNW Enno Rey Netzwerke GmbH, reported these vulnerabilities to the Federal Office for Information Security (BSI), Germany, in the context of the BSI project ManiMed (Manipulation of medical devices)."
              }
            ],
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "A vulnerability in the B. Braun Melsungen AG SpaceCom Version L81/U61 and earlier, and the Data module compactplus Versions A10 and A11 allows attackers to recover user credentials of the administrative interface."
                }
              ]
            },
            "generator": {
              "engine": "Vulnogram 0.0.9"
            },
            "impact": {
              "cvss": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 6.5,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
                "version": "3.1"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-759: Use of a One-Way Hash without a Salt"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://www.cisa.gov/uscert/ics/advisories/icsma-20-296-02",
                  "refsource": "CONFIRM",
                  "url": "https://www.cisa.gov/uscert/ics/advisories/icsma-20-296-02"
                },
                {
                  "name": "https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html",
                  "refsource": "CONFIRM",
                  "url": "https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html"
                }
              ]
            },
            "solution": [
              {
                "lang": "en",
                "value": "B. Braun recommends applying updates:\n\n    SpaceCom: Version U62 or later (United States), L82 or later (outside the United States)\n    Battery Pack SP with Wi-Fi: Version U62 or later (United States), L82 or later (outside the United States)\n    Data module compactplus: Version A12 or later\n\nPlease contact your local B. Braun organization to request further help. For more information please see the B. Braun Security Advisory.  https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html\n"
              }
            ],
            "source": {
              "discovery": "EXTERNAL"
            },
            "work_around": [
              {
                "lang": "en",
                "value": "As a general security measure, B. Braun recommends protecting the network with appropriate mechanisms:\n\n    Ensure the devices are not accessible directly from the Internet.\n    Use a firewall and isolate the medical devices from the business network. \n\nPlease contact your local B. Braun organization to request further help. For more information please see the B. Braun Security Advisory.  https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html"
              }
            ]
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
        "assignerShortName": "icscert",
        "cveId": "CVE-2020-25164",
        "datePublished": "2022-04-14T20:06:00.000Z",
        "dateReserved": "2020-09-04T00:00:00.000Z",
        "dateUpdated": "2025-04-16T16:29:36.723Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2020-25162 (GCVE-0-2020-25162)

    Vulnerability from nvd – Published: 2022-04-14 20:05 – Updated: 2025-04-16 16:29
    VLAI
    Title
    B. Braun SpaceCom, Battery Pack SP with Wi-Fi, and Data module compactplus
    Summary
    A XPath injection vulnerability in the B. Braun Melsungen AG SpaceCom Version L81/U61 and earlier, and the Data module compactplus Versions A10 and A11 allows unauthenticated remote attackers to access sensitive information and escalate privileges.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    References
    Impacted products
    Vendor Product Version
    B. Braun Melsungen AG SpaceCom Affected: unspecified , ≤ U61 (custom)
    Affected: unspecified , ≤ L81 (custom)
    Create a notification for this product.
    B. Braun Melsungen AG Battery pack with Wi-Fi Affected: unspecified , ≤ U61 (custom)
    Affected: unspecified , ≤ L81 (custom)
    Create a notification for this product.
    B. Braun Melsungen AG Data module compactplus Affected: A10
    Affected: A11
    Create a notification for this product.
    Credits
    Julian Suleder, Nils Emmerich, and Birk Kauer of ERNW Research GmbH; Dr. Oliver Matula of ERNW Enno Rey Netzwerke GmbH, reported these vulnerabilities to the Federal Office for Information Security (BSI), Germany, in the context of the BSI project ManiMed (Manipulation of medical devices).
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T15:26:10.163Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://www.cisa.gov/uscert/ics/advisories/icsma-20-296-02"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2020-25162",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-04-16T15:57:38.755895Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-04-16T16:29:59.860Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "SpaceCom",
              "vendor": "B. Braun Melsungen AG",
              "versions": [
                {
                  "lessThanOrEqual": "U61",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                },
                {
                  "lessThanOrEqual": "L81",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            },
            {
              "product": "Battery pack with Wi-Fi",
              "vendor": "B. Braun Melsungen AG",
              "versions": [
                {
                  "lessThanOrEqual": "U61",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                },
                {
                  "lessThanOrEqual": "L81",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            },
            {
              "product": "Data module compactplus",
              "vendor": "B. Braun Melsungen AG",
              "versions": [
                {
                  "status": "affected",
                  "version": "A10"
                },
                {
                  "status": "affected",
                  "version": "A11"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Julian Suleder, Nils Emmerich, and Birk Kauer of ERNW Research GmbH; Dr. Oliver Matula of ERNW Enno Rey Netzwerke GmbH, reported these vulnerabilities to the Federal Office for Information Security (BSI), Germany, in the context of the BSI project ManiMed (Manipulation of medical devices)."
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A XPath injection vulnerability in the B. Braun Melsungen AG SpaceCom Version L81/U61 and earlier, and the Data module compactplus Versions A10 and A11 allows unauthenticated remote attackers to access sensitive information and escalate privileges."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-643",
                  "description": "CWE-643: XPath Injection",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-04-14T20:05:57.000Z",
            "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
            "shortName": "icscert"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://www.cisa.gov/uscert/ics/advisories/icsma-20-296-02"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "value": "B. Braun recommends applying updates:\n\n    SpaceCom: Version U62 or later (United States), L82 or later (outside the United States)\n    Battery Pack SP with Wi-Fi: Version U62 or later (United States), L82 or later (outside the United States)\n    Data module compactplus: Version A12 or later\n\nPlease contact your local B. Braun organization to request further help. For more information please see the B. Braun Security Advisory.  https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html\n"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "B. Braun SpaceCom, Battery Pack SP with Wi-Fi, and Data module compactplus",
          "workarounds": [
            {
              "lang": "en",
              "value": "As a general security measure, B. Braun recommends protecting the network with appropriate mechanisms:\n\n    Ensure the devices are not accessible directly from the Internet.\n    Use a firewall and isolate the medical devices from the business network. \n\nPlease contact your local B. Braun organization to request further help. For more information please see the B. Braun Security Advisory.  https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html"
            }
          ],
          "x_generator": {
            "engine": "Vulnogram 0.0.9"
          },
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "ics-cert@hq.dhs.gov",
              "ID": "CVE-2020-25162",
              "STATE": "PUBLIC",
              "TITLE": "B. Braun SpaceCom, Battery Pack SP with Wi-Fi, and Data module compactplus"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "SpaceCom",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c=",
                                "version_value": "U61"
                              },
                              {
                                "version_affected": "\u003c=",
                                "version_value": "L81"
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "Battery pack with Wi-Fi",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c=",
                                "version_value": "U61"
                              },
                              {
                                "version_affected": "\u003c=",
                                "version_value": "L81"
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "Data module compactplus",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "=",
                                "version_value": "A10"
                              },
                              {
                                "version_affected": "=",
                                "version_value": "A11"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "B. Braun Melsungen AG"
                  }
                ]
              }
            },
            "credit": [
              {
                "lang": "eng",
                "value": "Julian Suleder, Nils Emmerich, and Birk Kauer of ERNW Research GmbH; Dr. Oliver Matula of ERNW Enno Rey Netzwerke GmbH, reported these vulnerabilities to the Federal Office for Information Security (BSI), Germany, in the context of the BSI project ManiMed (Manipulation of medical devices)."
              }
            ],
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "A XPath injection vulnerability in the B. Braun Melsungen AG SpaceCom Version L81/U61 and earlier, and the Data module compactplus Versions A10 and A11 allows unauthenticated remote attackers to access sensitive information and escalate privileges."
                }
              ]
            },
            "generator": {
              "engine": "Vulnogram 0.0.9"
            },
            "impact": {
              "cvss": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
                "version": "3.1"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-643: XPath Injection"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://www.cisa.gov/uscert/ics/advisories/icsma-20-296-02",
                  "refsource": "CONFIRM",
                  "url": "https://www.cisa.gov/uscert/ics/advisories/icsma-20-296-02"
                },
                {
                  "name": "https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html",
                  "refsource": "CONFIRM",
                  "url": "https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html"
                }
              ]
            },
            "solution": [
              {
                "lang": "en",
                "value": "B. Braun recommends applying updates:\n\n    SpaceCom: Version U62 or later (United States), L82 or later (outside the United States)\n    Battery Pack SP with Wi-Fi: Version U62 or later (United States), L82 or later (outside the United States)\n    Data module compactplus: Version A12 or later\n\nPlease contact your local B. Braun organization to request further help. For more information please see the B. Braun Security Advisory.  https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html\n"
              }
            ],
            "source": {
              "discovery": "EXTERNAL"
            },
            "work_around": [
              {
                "lang": "en",
                "value": "As a general security measure, B. Braun recommends protecting the network with appropriate mechanisms:\n\n    Ensure the devices are not accessible directly from the Internet.\n    Use a firewall and isolate the medical devices from the business network. \n\nPlease contact your local B. Braun organization to request further help. For more information please see the B. Braun Security Advisory.  https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html"
              }
            ]
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
        "assignerShortName": "icscert",
        "cveId": "CVE-2020-25162",
        "datePublished": "2022-04-14T20:05:57.000Z",
        "dateReserved": "2020-09-04T00:00:00.000Z",
        "dateUpdated": "2025-04-16T16:29:59.860Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2020-25160 (GCVE-0-2020-25160)

    Vulnerability from nvd – Published: 2022-04-14 20:05 – Updated: 2025-04-16 16:30
    VLAI
    Title
    B. Braun SpaceCom, Battery Pack SP with Wi-Fi, and Data module compactplus
    Summary
    Improper access controls in the B. Braun Melsungen AG SpaceCom Version L81/U61 and earlier, and the Data module compactplus Versions A10 and A11 enables attackers to extract and tamper with the devices network configuration.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-284 - Improper Access Control
    Assigner
    References
    Impacted products
    Vendor Product Version
    B. Braun Melsungen AG SpaceCom Affected: unspecified , ≤ U61 (custom)
    Affected: unspecified , ≤ L81 (custom)
    Create a notification for this product.
    B. Braun Melsungen AG Battery pack with Wi-Fi Affected: unspecified , ≤ U61 (custom)
    Affected: unspecified , ≤ L81 (custom)
    Create a notification for this product.
    B. Braun Melsungen AG Data module compactplus Affected: A10
    Affected: A11
    Create a notification for this product.
    Credits
    Julian Suleder, Nils Emmerich, and Birk Kauer of ERNW Research GmbH; Dr. Oliver Matula of ERNW Enno Rey Netzwerke GmbH, reported these vulnerabilities to the Federal Office for Information Security (BSI), Germany, in the context of the BSI project ManiMed (Manipulation of medical devices).
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T15:26:09.469Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://www.cisa.gov/uscert/ics/advisories/icsma-20-296-02"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2020-25160",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-04-16T15:54:31.099580Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-04-16T16:30:17.021Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "SpaceCom",
              "vendor": "B. Braun Melsungen AG",
              "versions": [
                {
                  "lessThanOrEqual": "U61",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                },
                {
                  "lessThanOrEqual": "L81",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            },
            {
              "product": "Battery pack with Wi-Fi",
              "vendor": "B. Braun Melsungen AG",
              "versions": [
                {
                  "lessThanOrEqual": "U61",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                },
                {
                  "lessThanOrEqual": "L81",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            },
            {
              "product": "Data module compactplus",
              "vendor": "B. Braun Melsungen AG",
              "versions": [
                {
                  "status": "affected",
                  "version": "A10"
                },
                {
                  "status": "affected",
                  "version": "A11"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Julian Suleder, Nils Emmerich, and Birk Kauer of ERNW Research GmbH; Dr. Oliver Matula of ERNW Enno Rey Netzwerke GmbH, reported these vulnerabilities to the Federal Office for Information Security (BSI), Germany, in the context of the BSI project ManiMed (Manipulation of medical devices)."
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Improper access controls in the B. Braun Melsungen AG SpaceCom Version L81/U61 and earlier, and the Data module compactplus Versions A10 and A11 enables attackers to extract and tamper with the devices network configuration."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "LOCAL",
                "availabilityImpact": "LOW",
                "baseScore": 6.8,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-284",
                  "description": "CWE-284: Improper Access Control",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-04-14T20:05:55.000Z",
            "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
            "shortName": "icscert"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://www.cisa.gov/uscert/ics/advisories/icsma-20-296-02"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "value": "B. Braun recommends applying updates:\n\n    SpaceCom: Version U62 or later (United States), L82 or later (outside the United States)\n    Battery Pack SP with Wi-Fi: Version U62 or later (United States), L82 or later (outside the United States)\n    Data module compactplus: Version A12 or later\n\nPlease contact your local B. Braun organization to request further help. For more information please see the B. Braun Security Advisory.  https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html\n"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "B. Braun SpaceCom, Battery Pack SP with Wi-Fi, and Data module compactplus",
          "workarounds": [
            {
              "lang": "en",
              "value": "As a general security measure, B. Braun recommends protecting the network with appropriate mechanisms:\n\n    Ensure the devices are not accessible directly from the Internet.\n    Use a firewall and isolate the medical devices from the business network. \n\nPlease contact your local B. Braun organization to request further help. For more information please see the B. Braun Security Advisory.  https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html"
            }
          ],
          "x_generator": {
            "engine": "Vulnogram 0.0.9"
          },
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "ics-cert@hq.dhs.gov",
              "ID": "CVE-2020-25160",
              "STATE": "PUBLIC",
              "TITLE": "B. Braun SpaceCom, Battery Pack SP with Wi-Fi, and Data module compactplus"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "SpaceCom",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c=",
                                "version_value": "U61"
                              },
                              {
                                "version_affected": "\u003c=",
                                "version_value": "L81"
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "Battery pack with Wi-Fi",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c=",
                                "version_value": "U61"
                              },
                              {
                                "version_affected": "\u003c=",
                                "version_value": "L81"
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "Data module compactplus",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "=",
                                "version_value": "A10"
                              },
                              {
                                "version_affected": "=",
                                "version_value": "A11"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "B. Braun Melsungen AG"
                  }
                ]
              }
            },
            "credit": [
              {
                "lang": "eng",
                "value": "Julian Suleder, Nils Emmerich, and Birk Kauer of ERNW Research GmbH; Dr. Oliver Matula of ERNW Enno Rey Netzwerke GmbH, reported these vulnerabilities to the Federal Office for Information Security (BSI), Germany, in the context of the BSI project ManiMed (Manipulation of medical devices)."
              }
            ],
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Improper access controls in the B. Braun Melsungen AG SpaceCom Version L81/U61 and earlier, and the Data module compactplus Versions A10 and A11 enables attackers to extract and tamper with the devices network configuration."
                }
              ]
            },
            "generator": {
              "engine": "Vulnogram 0.0.9"
            },
            "impact": {
              "cvss": {
                "attackComplexity": "LOW",
                "attackVector": "LOCAL",
                "availabilityImpact": "LOW",
                "baseScore": 6.8,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L",
                "version": "3.1"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-284: Improper Access Control"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://www.cisa.gov/uscert/ics/advisories/icsma-20-296-02",
                  "refsource": "CONFIRM",
                  "url": "https://www.cisa.gov/uscert/ics/advisories/icsma-20-296-02"
                },
                {
                  "name": "https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html",
                  "refsource": "CONFIRM",
                  "url": "https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html"
                }
              ]
            },
            "solution": [
              {
                "lang": "en",
                "value": "B. Braun recommends applying updates:\n\n    SpaceCom: Version U62 or later (United States), L82 or later (outside the United States)\n    Battery Pack SP with Wi-Fi: Version U62 or later (United States), L82 or later (outside the United States)\n    Data module compactplus: Version A12 or later\n\nPlease contact your local B. Braun organization to request further help. For more information please see the B. Braun Security Advisory.  https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html\n"
              }
            ],
            "source": {
              "discovery": "EXTERNAL"
            },
            "work_around": [
              {
                "lang": "en",
                "value": "As a general security measure, B. Braun recommends protecting the network with appropriate mechanisms:\n\n    Ensure the devices are not accessible directly from the Internet.\n    Use a firewall and isolate the medical devices from the business network. \n\nPlease contact your local B. Braun organization to request further help. For more information please see the B. Braun Security Advisory.  https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html"
              }
            ]
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
        "assignerShortName": "icscert",
        "cveId": "CVE-2020-25160",
        "datePublished": "2022-04-14T20:05:55.000Z",
        "dateReserved": "2020-09-04T00:00:00.000Z",
        "dateUpdated": "2025-04-16T16:30:17.021Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2020-25158 (GCVE-0-2020-25158)

    Vulnerability from nvd – Published: 2022-04-14 20:05 – Updated: 2025-04-16 16:30
    VLAI
    Title
    B. Braun SpaceCom, Battery Pack SP with Wi-Fi, and Data module compactplus
    Summary
    A reflected cross-site scripting (XSS) vulnerability in the B. Braun Melsungen AG SpaceCom Version L81/U61 and earlier, and the Data module compactplus Versions A10 and A11 allows remote attackers to inject arbitrary web script or HTML into various locations.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Cross-site Scripting
    Assigner
    References
    Impacted products
    Vendor Product Version
    B. Braun Melsungen AG SpaceCom Affected: unspecified , ≤ U61 (custom)
    Affected: unspecified , ≤ L81 (custom)
    Create a notification for this product.
    B. Braun Melsungen AG Battery pack with Wi-Fi Affected: unspecified , ≤ U61 (custom)
    Affected: unspecified , ≤ L81 (custom)
    Create a notification for this product.
    B. Braun Melsungen AG Data module compactplus Affected: A10
    Affected: A11
    Create a notification for this product.
    Credits
    Julian Suleder, Nils Emmerich, and Birk Kauer of ERNW Research GmbH; Dr. Oliver Matula of ERNW Enno Rey Netzwerke GmbH, reported these vulnerabilities to the Federal Office for Information Security (BSI), Germany, in the context of the BSI project ManiMed (Manipulation of medical devices).
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T15:26:10.212Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://www.cisa.gov/uscert/ics/advisories/icsma-20-296-02"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2020-25158",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-04-16T15:54:28.036554Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-04-16T16:30:09.180Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "SpaceCom",
              "vendor": "B. Braun Melsungen AG",
              "versions": [
                {
                  "lessThanOrEqual": "U61",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                },
                {
                  "lessThanOrEqual": "L81",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            },
            {
              "product": "Battery pack with Wi-Fi",
              "vendor": "B. Braun Melsungen AG",
              "versions": [
                {
                  "lessThanOrEqual": "U61",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                },
                {
                  "lessThanOrEqual": "L81",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            },
            {
              "product": "Data module compactplus",
              "vendor": "B. Braun Melsungen AG",
              "versions": [
                {
                  "status": "affected",
                  "version": "A10"
                },
                {
                  "status": "affected",
                  "version": "A11"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Julian Suleder, Nils Emmerich, and Birk Kauer of ERNW Research GmbH; Dr. Oliver Matula of ERNW Enno Rey Netzwerke GmbH, reported these vulnerabilities to the Federal Office for Information Security (BSI), Germany, in the context of the BSI project ManiMed (Manipulation of medical devices)."
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A reflected cross-site scripting (XSS) vulnerability in the B. Braun Melsungen AG SpaceCom Version L81/U61 and earlier, and the Data module compactplus Versions A10 and A11 allows remote attackers to inject arbitrary web script or HTML into various locations."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 7.6,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:L",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79: Cross-site Scripting",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-04-14T20:05:56.000Z",
            "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
            "shortName": "icscert"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://www.cisa.gov/uscert/ics/advisories/icsma-20-296-02"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "value": "B. Braun recommends applying updates:\n\n    SpaceCom: Version U62 or later (United States), L82 or later (outside the United States)\n    Battery Pack SP with Wi-Fi: Version U62 or later (United States), L82 or later (outside the United States)\n    Data module compactplus: Version A12 or later\n\nPlease contact your local B. Braun organization to request further help. For more information please see the B. Braun Security Advisory.  https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html\n"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "B. Braun SpaceCom, Battery Pack SP with Wi-Fi, and Data module compactplus",
          "workarounds": [
            {
              "lang": "en",
              "value": "As a general security measure, B. Braun recommends protecting the network with appropriate mechanisms:\n\n    Ensure the devices are not accessible directly from the Internet.\n    Use a firewall and isolate the medical devices from the business network. \n\nPlease contact your local B. Braun organization to request further help. For more information please see the B. Braun Security Advisory.  https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html"
            }
          ],
          "x_generator": {
            "engine": "Vulnogram 0.0.9"
          },
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "ics-cert@hq.dhs.gov",
              "ID": "CVE-2020-25158",
              "STATE": "PUBLIC",
              "TITLE": "B. Braun SpaceCom, Battery Pack SP with Wi-Fi, and Data module compactplus"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "SpaceCom",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c=",
                                "version_value": "U61"
                              },
                              {
                                "version_affected": "\u003c=",
                                "version_value": "L81"
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "Battery pack with Wi-Fi",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c=",
                                "version_value": "U61"
                              },
                              {
                                "version_affected": "\u003c=",
                                "version_value": "L81"
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "Data module compactplus",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "=",
                                "version_value": "A10"
                              },
                              {
                                "version_affected": "=",
                                "version_value": "A11"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "B. Braun Melsungen AG"
                  }
                ]
              }
            },
            "credit": [
              {
                "lang": "eng",
                "value": "Julian Suleder, Nils Emmerich, and Birk Kauer of ERNW Research GmbH; Dr. Oliver Matula of ERNW Enno Rey Netzwerke GmbH, reported these vulnerabilities to the Federal Office for Information Security (BSI), Germany, in the context of the BSI project ManiMed (Manipulation of medical devices)."
              }
            ],
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "A reflected cross-site scripting (XSS) vulnerability in the B. Braun Melsungen AG SpaceCom Version L81/U61 and earlier, and the Data module compactplus Versions A10 and A11 allows remote attackers to inject arbitrary web script or HTML into various locations."
                }
              ]
            },
            "generator": {
              "engine": "Vulnogram 0.0.9"
            },
            "impact": {
              "cvss": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 7.6,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:L",
                "version": "3.1"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-79: Cross-site Scripting"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://www.cisa.gov/uscert/ics/advisories/icsma-20-296-02",
                  "refsource": "CONFIRM",
                  "url": "https://www.cisa.gov/uscert/ics/advisories/icsma-20-296-02"
                },
                {
                  "name": "https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html",
                  "refsource": "CONFIRM",
                  "url": "https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html"
                }
              ]
            },
            "solution": [
              {
                "lang": "en",
                "value": "B. Braun recommends applying updates:\n\n    SpaceCom: Version U62 or later (United States), L82 or later (outside the United States)\n    Battery Pack SP with Wi-Fi: Version U62 or later (United States), L82 or later (outside the United States)\n    Data module compactplus: Version A12 or later\n\nPlease contact your local B. Braun organization to request further help. For more information please see the B. Braun Security Advisory.  https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html\n"
              }
            ],
            "source": {
              "discovery": "EXTERNAL"
            },
            "work_around": [
              {
                "lang": "en",
                "value": "As a general security measure, B. Braun recommends protecting the network with appropriate mechanisms:\n\n    Ensure the devices are not accessible directly from the Internet.\n    Use a firewall and isolate the medical devices from the business network. \n\nPlease contact your local B. Braun organization to request further help. For more information please see the B. Braun Security Advisory.  https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html"
              }
            ]
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
        "assignerShortName": "icscert",
        "cveId": "CVE-2020-25158",
        "datePublished": "2022-04-14T20:05:56.000Z",
        "dateReserved": "2020-09-04T00:00:00.000Z",
        "dateUpdated": "2025-04-16T16:30:09.180Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2020-25156 (GCVE-0-2020-25156)

    Vulnerability from nvd – Published: 2022-04-14 20:05 – Updated: 2025-04-16 17:55
    VLAI
    Title
    B. Braun SpaceCom, Battery Pack SP with Wi-Fi, and Data module compactplus
    Summary
    Active debug code in the B. Braun Melsungen AG SpaceCom Version L8/U61, and the Data module compactplus Versions A10 and A11 and earlier enables attackers in possession of cryptographic material to access the device as root.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    References
    Impacted products
    Vendor Product Version
    B. Braun Melsungen AG SpaceCom Affected: unspecified , ≤ U61 (custom)
    Affected: unspecified , ≤ L81 (custom)
    Create a notification for this product.
    B. Braun Melsungen AG Battery pack with Wi-Fi Affected: unspecified , ≤ U61 (custom)
    Affected: unspecified , ≤ L81 (custom)
    Create a notification for this product.
    B. Braun Melsungen AG Data module compactplus Affected: A10
    Affected: A11
    Create a notification for this product.
    Credits
    Julian Suleder, Nils Emmerich, and Birk Kauer of ERNW Research GmbH; Dr. Oliver Matula of ERNW Enno Rey Netzwerke GmbH, reported these vulnerabilities to the Federal Office for Information Security (BSI), Germany, in the context of the BSI project ManiMed (Manipulation of medical devices).
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T15:26:09.778Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://www.cisa.gov/uscert/ics/advisories/icsma-20-296-02"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2020-25156",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-04-16T17:29:43.063614Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-04-16T17:55:34.722Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "SpaceCom",
              "vendor": "B. Braun Melsungen AG",
              "versions": [
                {
                  "lessThanOrEqual": "U61",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                },
                {
                  "lessThanOrEqual": "L81",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            },
            {
              "product": "Battery pack with Wi-Fi",
              "vendor": "B. Braun Melsungen AG",
              "versions": [
                {
                  "lessThanOrEqual": "U61",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                },
                {
                  "lessThanOrEqual": "L81",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            },
            {
              "product": "Data module compactplus",
              "vendor": "B. Braun Melsungen AG",
              "versions": [
                {
                  "status": "affected",
                  "version": "A10"
                },
                {
                  "status": "affected",
                  "version": "A11"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Julian Suleder, Nils Emmerich, and Birk Kauer of ERNW Research GmbH; Dr. Oliver Matula of ERNW Enno Rey Netzwerke GmbH, reported these vulnerabilities to the Federal Office for Information Security (BSI), Germany, in the context of the BSI project ManiMed (Manipulation of medical devices)."
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Active debug code in the B. Braun Melsungen AG SpaceCom Version L8/U61, and the Data module compactplus Versions A10 and A11 and earlier enables attackers in possession of cryptographic material to access the device as root."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 7.2,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "HIGH",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-489",
                  "description": "CWE-489: Active Debug Code",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-04-14T20:05:53.000Z",
            "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
            "shortName": "icscert"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://www.cisa.gov/uscert/ics/advisories/icsma-20-296-02"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "value": "B. Braun recommends applying updates:\n\n    SpaceCom: Version U62 or later (United States), L82 or later (outside the United States)\n    Battery Pack SP with Wi-Fi: Version U62 or later (United States), L82 or later (outside the United States)\n    Data module compactplus: Version A12 or later\n\nPlease contact your local B. Braun organization to request further help. For more information please see the B. Braun Security Advisory.  https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html\n"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "B. Braun SpaceCom, Battery Pack SP with Wi-Fi, and Data module compactplus",
          "workarounds": [
            {
              "lang": "en",
              "value": "As a general security measure, B. Braun recommends protecting the network with appropriate mechanisms:\n\n    Ensure the devices are not accessible directly from the Internet.\n    Use a firewall and isolate the medical devices from the business network. \n\nPlease contact your local B. Braun organization to request further help. For more information please see the B. Braun Security Advisory.  https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html"
            }
          ],
          "x_generator": {
            "engine": "Vulnogram 0.0.9"
          },
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "ics-cert@hq.dhs.gov",
              "ID": "CVE-2020-25156",
              "STATE": "PUBLIC",
              "TITLE": "B. Braun SpaceCom, Battery Pack SP with Wi-Fi, and Data module compactplus"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "SpaceCom",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c=",
                                "version_value": "U61"
                              },
                              {
                                "version_affected": "\u003c=",
                                "version_value": "L81"
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "Battery pack with Wi-Fi",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c=",
                                "version_value": "U61"
                              },
                              {
                                "version_affected": "\u003c=",
                                "version_value": "L81"
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "Data module compactplus",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "=",
                                "version_value": "A10"
                              },
                              {
                                "version_affected": "=",
                                "version_value": "A11"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "B. Braun Melsungen AG"
                  }
                ]
              }
            },
            "credit": [
              {
                "lang": "eng",
                "value": "Julian Suleder, Nils Emmerich, and Birk Kauer of ERNW Research GmbH; Dr. Oliver Matula of ERNW Enno Rey Netzwerke GmbH, reported these vulnerabilities to the Federal Office for Information Security (BSI), Germany, in the context of the BSI project ManiMed (Manipulation of medical devices)."
              }
            ],
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Active debug code in the B. Braun Melsungen AG SpaceCom Version L8/U61, and the Data module compactplus Versions A10 and A11 and earlier enables attackers in possession of cryptographic material to access the device as root."
                }
              ]
            },
            "generator": {
              "engine": "Vulnogram 0.0.9"
            },
            "impact": {
              "cvss": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 7.2,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "HIGH",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-489: Active Debug Code"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://www.cisa.gov/uscert/ics/advisories/icsma-20-296-02",
                  "refsource": "CONFIRM",
                  "url": "https://www.cisa.gov/uscert/ics/advisories/icsma-20-296-02"
                },
                {
                  "name": "https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html",
                  "refsource": "CONFIRM",
                  "url": "https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html"
                }
              ]
            },
            "solution": [
              {
                "lang": "en",
                "value": "B. Braun recommends applying updates:\n\n    SpaceCom: Version U62 or later (United States), L82 or later (outside the United States)\n    Battery Pack SP with Wi-Fi: Version U62 or later (United States), L82 or later (outside the United States)\n    Data module compactplus: Version A12 or later\n\nPlease contact your local B. Braun organization to request further help. For more information please see the B. Braun Security Advisory.  https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html\n"
              }
            ],
            "source": {
              "discovery": "EXTERNAL"
            },
            "work_around": [
              {
                "lang": "en",
                "value": "As a general security measure, B. Braun recommends protecting the network with appropriate mechanisms:\n\n    Ensure the devices are not accessible directly from the Internet.\n    Use a firewall and isolate the medical devices from the business network. \n\nPlease contact your local B. Braun organization to request further help. For more information please see the B. Braun Security Advisory.  https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html"
              }
            ]
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
        "assignerShortName": "icscert",
        "cveId": "CVE-2020-25156",
        "datePublished": "2022-04-14T20:05:53.000Z",
        "dateReserved": "2020-09-04T00:00:00.000Z",
        "dateUpdated": "2025-04-16T17:55:34.722Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2020-25154 (GCVE-0-2020-25154)

    Vulnerability from nvd – Published: 2022-04-14 20:05 – Updated: 2025-04-16 16:29
    VLAI
    Title
    B. Braun SpaceCom, Battery Pack SP with Wi-Fi, and Data module compactplus
    Summary
    An open redirect vulnerability in the administrative interface of the B. Braun Melsungen AG SpaceCom device Version L81/U61 and earlier, and the Data module compactplus Versions A10 and A11 allows attackers to redirect users to malicious websites.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    References
    Impacted products
    Vendor Product Version
    B. Braun Melsungen AG SpaceCom Affected: unspecified , ≤ U61 (custom)
    Affected: unspecified , ≤ L81 (custom)
    Create a notification for this product.
    B. Braun Melsungen AG Battery pack with Wi-Fi Affected: unspecified , ≤ U61 (custom)
    Affected: unspecified , ≤ L81 (custom)
    Create a notification for this product.
    B. Braun Melsungen AG Data module compactplus Affected: A10
    Affected: A11
    Create a notification for this product.
    Credits
    Julian Suleder, Nils Emmerich, and Birk Kauer of ERNW Research GmbH; Dr. Oliver Matula of ERNW Enno Rey Netzwerke GmbH, reported these vulnerabilities to the Federal Office for Information Security (BSI), Germany, in the context of the BSI project ManiMed (Manipulation of medical devices).
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T15:26:10.179Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://www.cisa.gov/uscert/ics/advisories/icsma-20-296-02"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2020-25154",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-04-16T15:54:23.787363Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-04-16T16:29:52.798Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "SpaceCom",
              "vendor": "B. Braun Melsungen AG",
              "versions": [
                {
                  "lessThanOrEqual": "U61",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                },
                {
                  "lessThanOrEqual": "L81",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            },
            {
              "product": "Battery pack with Wi-Fi",
              "vendor": "B. Braun Melsungen AG",
              "versions": [
                {
                  "lessThanOrEqual": "U61",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                },
                {
                  "lessThanOrEqual": "L81",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            },
            {
              "product": "Data module compactplus",
              "vendor": "B. Braun Melsungen AG",
              "versions": [
                {
                  "status": "affected",
                  "version": "A10"
                },
                {
                  "status": "affected",
                  "version": "A11"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Julian Suleder, Nils Emmerich, and Birk Kauer of ERNW Research GmbH; Dr. Oliver Matula of ERNW Enno Rey Netzwerke GmbH, reported these vulnerabilities to the Federal Office for Information Security (BSI), Germany, in the context of the BSI project ManiMed (Manipulation of medical devices)."
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "An open redirect vulnerability in the administrative interface of the B. Braun Melsungen AG SpaceCom device Version L81/U61 and earlier, and the Data module compactplus Versions A10 and A11 allows attackers to redirect users to malicious websites."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 5.4,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-601",
                  "description": "CWE-601: Open Redirect",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-04-14T20:05:58.000Z",
            "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
            "shortName": "icscert"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://www.cisa.gov/uscert/ics/advisories/icsma-20-296-02"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "value": "B. Braun recommends applying updates:\n\n    SpaceCom: Version U62 or later (United States), L82 or later (outside the United States)\n    Battery Pack SP with Wi-Fi: Version U62 or later (United States), L82 or later (outside the United States)\n    Data module compactplus: Version A12 or later\n\nPlease contact your local B. Braun organization to request further help. For more information please see the B. Braun Security Advisory.  https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html\n"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "B. Braun SpaceCom, Battery Pack SP with Wi-Fi, and Data module compactplus",
          "workarounds": [
            {
              "lang": "en",
              "value": "As a general security measure, B. Braun recommends protecting the network with appropriate mechanisms:\n\n    Ensure the devices are not accessible directly from the Internet.\n    Use a firewall and isolate the medical devices from the business network. \n\nPlease contact your local B. Braun organization to request further help. For more information please see the B. Braun Security Advisory.  https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html"
            }
          ],
          "x_generator": {
            "engine": "Vulnogram 0.0.9"
          },
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "ics-cert@hq.dhs.gov",
              "ID": "CVE-2020-25154",
              "STATE": "PUBLIC",
              "TITLE": "B. Braun SpaceCom, Battery Pack SP with Wi-Fi, and Data module compactplus"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "SpaceCom",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c=",
                                "version_value": "U61"
                              },
                              {
                                "version_affected": "\u003c=",
                                "version_value": "L81"
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "Battery pack with Wi-Fi",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c=",
                                "version_value": "U61"
                              },
                              {
                                "version_affected": "\u003c=",
                                "version_value": "L81"
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "Data module compactplus",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "=",
                                "version_value": "A10"
                              },
                              {
                                "version_affected": "=",
                                "version_value": "A11"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "B. Braun Melsungen AG"
                  }
                ]
              }
            },
            "credit": [
              {
                "lang": "eng",
                "value": "Julian Suleder, Nils Emmerich, and Birk Kauer of ERNW Research GmbH; Dr. Oliver Matula of ERNW Enno Rey Netzwerke GmbH, reported these vulnerabilities to the Federal Office for Information Security (BSI), Germany, in the context of the BSI project ManiMed (Manipulation of medical devices)."
              }
            ],
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "An open redirect vulnerability in the administrative interface of the B. Braun Melsungen AG SpaceCom device Version L81/U61 and earlier, and the Data module compactplus Versions A10 and A11 allows attackers to redirect users to malicious websites."
                }
              ]
            },
            "generator": {
              "engine": "Vulnogram 0.0.9"
            },
            "impact": {
              "cvss": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 5.4,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N",
                "version": "3.1"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-601: Open Redirect"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://www.cisa.gov/uscert/ics/advisories/icsma-20-296-02",
                  "refsource": "CONFIRM",
                  "url": "https://www.cisa.gov/uscert/ics/advisories/icsma-20-296-02"
                },
                {
                  "name": "https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html",
                  "refsource": "CONFIRM",
                  "url": "https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html"
                }
              ]
            },
            "solution": [
              {
                "lang": "en",
                "value": "B. Braun recommends applying updates:\n\n    SpaceCom: Version U62 or later (United States), L82 or later (outside the United States)\n    Battery Pack SP with Wi-Fi: Version U62 or later (United States), L82 or later (outside the United States)\n    Data module compactplus: Version A12 or later\n\nPlease contact your local B. Braun organization to request further help. For more information please see the B. Braun Security Advisory.  https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html\n"
              }
            ],
            "source": {
              "discovery": "EXTERNAL"
            },
            "work_around": [
              {
                "lang": "en",
                "value": "As a general security measure, B. Braun recommends protecting the network with appropriate mechanisms:\n\n    Ensure the devices are not accessible directly from the Internet.\n    Use a firewall and isolate the medical devices from the business network. \n\nPlease contact your local B. Braun organization to request further help. For more information please see the B. Braun Security Advisory.  https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html"
              }
            ]
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
        "assignerShortName": "icscert",
        "cveId": "CVE-2020-25154",
        "datePublished": "2022-04-14T20:05:58.000Z",
        "dateReserved": "2020-09-04T00:00:00.000Z",
        "dateUpdated": "2025-04-16T16:29:52.798Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2020-25152 (GCVE-0-2020-25152)

    Vulnerability from nvd – Published: 2022-04-14 20:05 – Updated: 2025-04-16 16:30
    VLAI
    Title
    B. Braun SpaceCom, Battery Pack SP with Wi-Fi, and Data module compactplus
    Summary
    A session fixation vulnerability in the B. Braun Melsungen AG SpaceCom administrative interface Version L81/U61 and earlier, and the Data module compactplus Versions A10 and A11 allows remote attackers to hijack web sessions and escalate privileges.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    References
    Impacted products
    Vendor Product Version
    B. Braun Melsungen AG SpaceCom Affected: unspecified , ≤ U61 (custom)
    Affected: unspecified , ≤ L81 (custom)
    Create a notification for this product.
    B. Braun Melsungen AG Battery pack with Wi-Fi Affected: unspecified , ≤ U61 (custom)
    Affected: unspecified , ≤ L81 (custom)
    Create a notification for this product.
    B. Braun Melsungen AG Data module compactplus Affected: A10
    Affected: A11
    Create a notification for this product.
    Credits
    Julian Suleder, Nils Emmerich, and Birk Kauer of ERNW Research GmbH; Dr. Oliver Matula of ERNW Enno Rey Netzwerke GmbH, reported these vulnerabilities to the Federal Office for Information Security (BSI), Germany, in the context of the BSI project ManiMed (Manipulation of medical devices).
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T15:26:09.803Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://www.cisa.gov/uscert/ics/advisories/icsma-20-296-02"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2020-25152",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-04-16T15:54:34.665213Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-04-16T16:30:24.443Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "SpaceCom",
              "vendor": "B. Braun Melsungen AG",
              "versions": [
                {
                  "lessThanOrEqual": "U61",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                },
                {
                  "lessThanOrEqual": "L81",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            },
            {
              "product": "Battery pack with Wi-Fi",
              "vendor": "B. Braun Melsungen AG",
              "versions": [
                {
                  "lessThanOrEqual": "U61",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                },
                {
                  "lessThanOrEqual": "L81",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            },
            {
              "product": "Data module compactplus",
              "vendor": "B. Braun Melsungen AG",
              "versions": [
                {
                  "status": "affected",
                  "version": "A10"
                },
                {
                  "status": "affected",
                  "version": "A11"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Julian Suleder, Nils Emmerich, and Birk Kauer of ERNW Research GmbH; Dr. Oliver Matula of ERNW Enno Rey Netzwerke GmbH, reported these vulnerabilities to the Federal Office for Information Security (BSI), Germany, in the context of the BSI project ManiMed (Manipulation of medical devices)."
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A session fixation vulnerability in the B. Braun Melsungen AG SpaceCom administrative interface Version L81/U61 and earlier, and the Data module compactplus Versions A10 and A11 allows remote attackers to hijack web sessions and escalate privileges."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 6.5,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-384",
                  "description": "CWE-384: Session Fixation",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-04-14T20:05:55.000Z",
            "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
            "shortName": "icscert"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://www.cisa.gov/uscert/ics/advisories/icsma-20-296-02"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "value": "B. Braun recommends applying updates:\n\n    SpaceCom: Version U62 or later (United States), L82 or later (outside the United States)\n    Battery Pack SP with Wi-Fi: Version U62 or later (United States), L82 or later (outside the United States)\n    Data module compactplus: Version A12 or later\n\nPlease contact your local B. Braun organization to request further help. For more information please see the B. Braun Security Advisory.  https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html\n"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "B. Braun SpaceCom, Battery Pack SP with Wi-Fi, and Data module compactplus",
          "workarounds": [
            {
              "lang": "en",
              "value": "As a general security measure, B. Braun recommends protecting the network with appropriate mechanisms:\n\n    Ensure the devices are not accessible directly from the Internet.\n    Use a firewall and isolate the medical devices from the business network. \n\nPlease contact your local B. Braun organization to request further help. For more information please see the B. Braun Security Advisory.  https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html"
            }
          ],
          "x_generator": {
            "engine": "Vulnogram 0.0.9"
          },
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "ics-cert@hq.dhs.gov",
              "ID": "CVE-2020-25152",
              "STATE": "PUBLIC",
              "TITLE": "B. Braun SpaceCom, Battery Pack SP with Wi-Fi, and Data module compactplus"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "SpaceCom",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c=",
                                "version_value": "U61"
                              },
                              {
                                "version_affected": "\u003c=",
                                "version_value": "L81"
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "Battery pack with Wi-Fi",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c=",
                                "version_value": "U61"
                              },
                              {
                                "version_affected": "\u003c=",
                                "version_value": "L81"
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "Data module compactplus",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "=",
                                "version_value": "A10"
                              },
                              {
                                "version_affected": "=",
                                "version_value": "A11"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "B. Braun Melsungen AG"
                  }
                ]
              }
            },
            "credit": [
              {
                "lang": "eng",
                "value": "Julian Suleder, Nils Emmerich, and Birk Kauer of ERNW Research GmbH; Dr. Oliver Matula of ERNW Enno Rey Netzwerke GmbH, reported these vulnerabilities to the Federal Office for Information Security (BSI), Germany, in the context of the BSI project ManiMed (Manipulation of medical devices)."
              }
            ],
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "A session fixation vulnerability in the B. Braun Melsungen AG SpaceCom administrative interface Version L81/U61 and earlier, and the Data module compactplus Versions A10 and A11 allows remote attackers to hijack web sessions and escalate privileges."
                }
              ]
            },
            "generator": {
              "engine": "Vulnogram 0.0.9"
            },
            "impact": {
              "cvss": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 6.5,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
                "version": "3.1"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-384: Session Fixation"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://www.cisa.gov/uscert/ics/advisories/icsma-20-296-02",
                  "refsource": "CONFIRM",
                  "url": "https://www.cisa.gov/uscert/ics/advisories/icsma-20-296-02"
                },
                {
                  "name": "https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html",
                  "refsource": "CONFIRM",
                  "url": "https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html"
                }
              ]
            },
            "solution": [
              {
                "lang": "en",
                "value": "B. Braun recommends applying updates:\n\n    SpaceCom: Version U62 or later (United States), L82 or later (outside the United States)\n    Battery Pack SP with Wi-Fi: Version U62 or later (United States), L82 or later (outside the United States)\n    Data module compactplus: Version A12 or later\n\nPlease contact your local B. Braun organization to request further help. For more information please see the B. Braun Security Advisory.  https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html\n"
              }
            ],
            "source": {
              "discovery": "EXTERNAL"
            },
            "work_around": [
              {
                "lang": "en",
                "value": "As a general security measure, B. Braun recommends protecting the network with appropriate mechanisms:\n\n    Ensure the devices are not accessible directly from the Internet.\n    Use a firewall and isolate the medical devices from the business network. \n\nPlease contact your local B. Braun organization to request further help. For more information please see the B. Braun Security Advisory.  https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html"
              }
            ]
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
        "assignerShortName": "icscert",
        "cveId": "CVE-2020-25152",
        "datePublished": "2022-04-14T20:05:55.000Z",
        "dateReserved": "2020-09-04T00:00:00.000Z",
        "dateUpdated": "2025-04-16T16:30:24.443Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2020-25150 (GCVE-0-2020-25150)

    Vulnerability from nvd – Published: 2022-04-14 20:05 – Updated: 2025-04-16 16:30
    VLAI
    Title
    B. Braun SpaceCom, Battery Pack SP with Wi-Fi, and Data module compactplus
    Summary
    A relative path traversal attack in the B. Braun Melsungen AG SpaceCom Version L81/U61 and earlier, and the Data module compactplus Versions A10 and A11 allows attackers with service user privileges to upload arbitrary files. By uploading a specially crafted tar file an attacker can execute arbitrary commands.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-23 - Relative Path Traversal
    Assigner
    References
    Impacted products
    Vendor Product Version
    B. Braun Melsungen AG SpaceCom Affected: unspecified , ≤ U61 (custom)
    Affected: unspecified , ≤ L81 (custom)
    Create a notification for this product.
    B. Braun Melsungen AG Battery pack with Wi-Fi Affected: unspecified , ≤ U61 (custom)
    Affected: unspecified , ≤ L81 (custom)
    Create a notification for this product.
    B. Braun Melsungen AG Data module compactplus Affected: A10
    Affected: A11
    Create a notification for this product.
    Credits
    Julian Suleder, Nils Emmerich, and Birk Kauer of ERNW Research GmbH; Dr. Oliver Matula of ERNW Enno Rey Netzwerke GmbH, reported these vulnerabilities to the Federal Office for Information Security (BSI), Germany, in the context of the BSI project ManiMed (Manipulation of medical devices).
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T15:26:09.495Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://www.cisa.gov/uscert/ics/advisories/icsma-20-296-02"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2020-25150",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-04-16T15:54:38.970393Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-04-16T16:30:32.103Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "SpaceCom",
              "vendor": "B. Braun Melsungen AG",
              "versions": [
                {
                  "lessThanOrEqual": "U61",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                },
                {
                  "lessThanOrEqual": "L81",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            },
            {
              "product": "Battery pack with Wi-Fi",
              "vendor": "B. Braun Melsungen AG",
              "versions": [
                {
                  "lessThanOrEqual": "U61",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                },
                {
                  "lessThanOrEqual": "L81",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            },
            {
              "product": "Data module compactplus",
              "vendor": "B. Braun Melsungen AG",
              "versions": [
                {
                  "status": "affected",
                  "version": "A10"
                },
                {
                  "status": "affected",
                  "version": "A11"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Julian Suleder, Nils Emmerich, and Birk Kauer of ERNW Research GmbH; Dr. Oliver Matula of ERNW Enno Rey Netzwerke GmbH, reported these vulnerabilities to the Federal Office for Information Security (BSI), Germany, in the context of the BSI project ManiMed (Manipulation of medical devices)."
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A relative path traversal attack in the B. Braun Melsungen AG SpaceCom Version L81/U61 and earlier, and the Data module compactplus Versions A10 and A11 allows attackers with service user privileges to upload arbitrary files. By uploading a specially crafted tar file an attacker can execute arbitrary commands."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 7.6,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "LOW",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-23",
                  "description": "CWE-23: Relative Path Traversal",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-04-14T20:05:52.000Z",
            "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
            "shortName": "icscert"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://www.cisa.gov/uscert/ics/advisories/icsma-20-296-02"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "value": "B. Braun recommends applying updates:\n\n    SpaceCom: Version U62 or later (United States), L82 or later (outside the United States)\n    Battery Pack SP with Wi-Fi: Version U62 or later (United States), L82 or later (outside the United States)\n    Data module compactplus: Version A12 or later\n\nPlease contact your local B. Braun organization to request further help. For more information please see the B. Braun Security Advisory.  https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html\n"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "B. Braun SpaceCom, Battery Pack SP with Wi-Fi, and Data module compactplus",
          "workarounds": [
            {
              "lang": "en",
              "value": "As a general security measure, B. Braun recommends protecting the network with appropriate mechanisms:\n\n    Ensure the devices are not accessible directly from the Internet.\n    Use a firewall and isolate the medical devices from the business network. \n\nPlease contact your local B. Braun organization to request further help. For more information please see the B. Braun Security Advisory.  https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html"
            }
          ],
          "x_generator": {
            "engine": "Vulnogram 0.0.9"
          },
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "ics-cert@hq.dhs.gov",
              "ID": "CVE-2020-25150",
              "STATE": "PUBLIC",
              "TITLE": "B. Braun SpaceCom, Battery Pack SP with Wi-Fi, and Data module compactplus"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "SpaceCom",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c=",
                                "version_value": "U61"
                              },
                              {
                                "version_affected": "\u003c=",
                                "version_value": "L81"
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "Battery pack with Wi-Fi",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c=",
                                "version_value": "U61"
                              },
                              {
                                "version_affected": "\u003c=",
                                "version_value": "L81"
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "Data module compactplus",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "=",
                                "version_value": "A10"
                              },
                              {
                                "version_affected": "=",
                                "version_value": "A11"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "B. Braun Melsungen AG"
                  }
                ]
              }
            },
            "credit": [
              {
                "lang": "eng",
                "value": "Julian Suleder, Nils Emmerich, and Birk Kauer of ERNW Research GmbH; Dr. Oliver Matula of ERNW Enno Rey Netzwerke GmbH, reported these vulnerabilities to the Federal Office for Information Security (BSI), Germany, in the context of the BSI project ManiMed (Manipulation of medical devices)."
              }
            ],
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "A relative path traversal attack in the B. Braun Melsungen AG SpaceCom Version L81/U61 and earlier, and the Data module compactplus Versions A10 and A11 allows attackers with service user privileges to upload arbitrary files. By uploading a specially crafted tar file an attacker can execute arbitrary commands."
                }
              ]
            },
            "generator": {
              "engine": "Vulnogram 0.0.9"
            },
            "impact": {
              "cvss": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 7.6,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "LOW",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L",
                "version": "3.1"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-23: Relative Path Traversal"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://www.cisa.gov/uscert/ics/advisories/icsma-20-296-02",
                  "refsource": "CONFIRM",
                  "url": "https://www.cisa.gov/uscert/ics/advisories/icsma-20-296-02"
                },
                {
                  "name": "https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html",
                  "refsource": "CONFIRM",
                  "url": "https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html"
                }
              ]
            },
            "solution": [
              {
                "lang": "en",
                "value": "B. Braun recommends applying updates:\n\n    SpaceCom: Version U62 or later (United States), L82 or later (outside the United States)\n    Battery Pack SP with Wi-Fi: Version U62 or later (United States), L82 or later (outside the United States)\n    Data module compactplus: Version A12 or later\n\nPlease contact your local B. Braun organization to request further help. For more information please see the B. Braun Security Advisory.  https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html\n"
              }
            ],
            "source": {
              "discovery": "EXTERNAL"
            },
            "work_around": [
              {
                "lang": "en",
                "value": "As a general security measure, B. Braun recommends protecting the network with appropriate mechanisms:\n\n    Ensure the devices are not accessible directly from the Internet.\n    Use a firewall and isolate the medical devices from the business network. \n\nPlease contact your local B. Braun organization to request further help. For more information please see the B. Braun Security Advisory.  https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html"
              }
            ]
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
        "assignerShortName": "icscert",
        "cveId": "CVE-2020-25150",
        "datePublished": "2022-04-14T20:05:52.000Z",
        "dateReserved": "2020-09-04T00:00:00.000Z",
        "dateUpdated": "2025-04-16T16:30:32.103Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2020-16238 (GCVE-0-2020-16238)

    Vulnerability from nvd – Published: 2022-04-14 20:05 – Updated: 2025-04-16 17:55
    VLAI
    Title
    B. Braun SpaceCom, Battery Pack SP with Wi-Fi, and Data module compactplus
    Summary
    A vulnerability in the configuration import mechanism of the B. Braun Melsungen AG SpaceCom Version L81/U61 and earlier, and the Data module compactplus Versions A10 and A11 allows attackers with command line access to the underlying Linux system to escalate privileges to the root user.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-269 - Improper Privilege Management
    Assigner
    References
    Impacted products
    Vendor Product Version
    B. Braun Melsungen AG SpaceCom Affected: unspecified , ≤ U61 (custom)
    Affected: unspecified , ≤ L81 (custom)
    Create a notification for this product.
    B. Braun Melsungen AG Battery pack with Wi-Fi Affected: unspecified , ≤ U61 (custom)
    Affected: unspecified , ≤ L81 (custom)
    Create a notification for this product.
    B. Braun Melsungen AG Data module compactplus Affected: A10
    Affected: A11
    Create a notification for this product.
    Credits
    Julian Suleder, Nils Emmerich, and Birk Kauer of ERNW Research GmbH; Dr. Oliver Matula of ERNW Enno Rey Netzwerke GmbH, reported these vulnerabilities to the Federal Office for Information Security (BSI), Germany, in the context of the BSI project ManiMed (Manipulation of medical devices).
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T13:37:53.954Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://www.cisa.gov/uscert/ics/advisories/icsma-20-296-02"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2020-16238",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-04-16T17:29:45.935171Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-04-16T17:55:42.177Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "SpaceCom",
              "vendor": "B. Braun Melsungen AG",
              "versions": [
                {
                  "lessThanOrEqual": "U61",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                },
                {
                  "lessThanOrEqual": "L81",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            },
            {
              "product": "Battery pack with Wi-Fi",
              "vendor": "B. Braun Melsungen AG",
              "versions": [
                {
                  "lessThanOrEqual": "U61",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                },
                {
                  "lessThanOrEqual": "L81",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            },
            {
              "product": "Data module compactplus",
              "vendor": "B. Braun Melsungen AG",
              "versions": [
                {
                  "status": "affected",
                  "version": "A10"
                },
                {
                  "status": "affected",
                  "version": "A11"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Julian Suleder, Nils Emmerich, and Birk Kauer of ERNW Research GmbH; Dr. Oliver Matula of ERNW Enno Rey Netzwerke GmbH, reported these vulnerabilities to the Federal Office for Information Security (BSI), Germany, in the context of the BSI project ManiMed (Manipulation of medical devices)."
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A vulnerability in the configuration import mechanism of the B. Braun Melsungen AG SpaceCom Version L81/U61 and earlier, and the Data module compactplus Versions A10 and A11 allows attackers with command line access to the underlying Linux system to escalate privileges to the root user."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "LOCAL",
                "availabilityImpact": "HIGH",
                "baseScore": 6.7,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "HIGH",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-269",
                  "description": "CWE-269: Improper Privilege Management",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-04-14T20:05:53.000Z",
            "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
            "shortName": "icscert"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://www.cisa.gov/uscert/ics/advisories/icsma-20-296-02"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "value": "B. Braun recommends applying updates:\n\n    SpaceCom: Version U62 or later (United States), L82 or later (outside the United States)\n    Battery Pack SP with Wi-Fi: Version U62 or later (United States), L82 or later (outside the United States)\n    Data module compactplus: Version A12 or later\n\nPlease contact your local B. Braun organization to request further help. For more information please see the B. Braun Security Advisory.  https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html\n"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "B. Braun SpaceCom, Battery Pack SP with Wi-Fi, and Data module compactplus",
          "workarounds": [
            {
              "lang": "en",
              "value": "As a general security measure, B. Braun recommends protecting the network with appropriate mechanisms:\n\n    Ensure the devices are not accessible directly from the Internet.\n    Use a firewall and isolate the medical devices from the business network. \n\nPlease contact your local B. Braun organization to request further help. For more information please see the B. Braun Security Advisory.  https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html"
            }
          ],
          "x_generator": {
            "engine": "Vulnogram 0.0.9"
          },
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "ics-cert@hq.dhs.gov",
              "ID": "CVE-2020-16238",
              "STATE": "PUBLIC",
              "TITLE": "B. Braun SpaceCom, Battery Pack SP with Wi-Fi, and Data module compactplus"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "SpaceCom",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c=",
                                "version_value": "U61"
                              },
                              {
                                "version_affected": "\u003c=",
                                "version_value": "L81"
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "Battery pack with Wi-Fi",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c=",
                                "version_value": "U61"
                              },
                              {
                                "version_affected": "\u003c=",
                                "version_value": "L81"
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "Data module compactplus",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "=",
                                "version_value": "A10"
                              },
                              {
                                "version_affected": "=",
                                "version_value": "A11"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "B. Braun Melsungen AG"
                  }
                ]
              }
            },
            "credit": [
              {
                "lang": "eng",
                "value": "Julian Suleder, Nils Emmerich, and Birk Kauer of ERNW Research GmbH; Dr. Oliver Matula of ERNW Enno Rey Netzwerke GmbH, reported these vulnerabilities to the Federal Office for Information Security (BSI), Germany, in the context of the BSI project ManiMed (Manipulation of medical devices)."
              }
            ],
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "A vulnerability in the configuration import mechanism of the B. Braun Melsungen AG SpaceCom Version L81/U61 and earlier, and the Data module compactplus Versions A10 and A11 allows attackers with command line access to the underlying Linux system to escalate privileges to the root user."
                }
              ]
            },
            "generator": {
              "engine": "Vulnogram 0.0.9"
            },
            "impact": {
              "cvss": {
                "attackComplexity": "LOW",
                "attackVector": "LOCAL",
                "availabilityImpact": "HIGH",
                "baseScore": 6.7,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "HIGH",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-269: Improper Privilege Management"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://www.cisa.gov/uscert/ics/advisories/icsma-20-296-02",
                  "refsource": "CONFIRM",
                  "url": "https://www.cisa.gov/uscert/ics/advisories/icsma-20-296-02"
                },
                {
                  "name": "https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html",
                  "refsource": "CONFIRM",
                  "url": "https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html"
                }
              ]
            },
            "solution": [
              {
                "lang": "en",
                "value": "B. Braun recommends applying updates:\n\n    SpaceCom: Version U62 or later (United States), L82 or later (outside the United States)\n    Battery Pack SP with Wi-Fi: Version U62 or later (United States), L82 or later (outside the United States)\n    Data module compactplus: Version A12 or later\n\nPlease contact your local B. Braun organization to request further help. For more information please see the B. Braun Security Advisory.  https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html\n"
              }
            ],
            "source": {
              "discovery": "EXTERNAL"
            },
            "work_around": [
              {
                "lang": "en",
                "value": "As a general security measure, B. Braun recommends protecting the network with appropriate mechanisms:\n\n    Ensure the devices are not accessible directly from the Internet.\n    Use a firewall and isolate the medical devices from the business network. \n\nPlease contact your local B. Braun organization to request further help. For more information please see the B. Braun Security Advisory.  https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html"
              }
            ]
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
        "assignerShortName": "icscert",
        "cveId": "CVE-2020-16238",
        "datePublished": "2022-04-14T20:05:53.000Z",
        "dateReserved": "2020-07-31T00:00:00.000Z",
        "dateUpdated": "2025-04-16T17:55:42.177Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2020-25174 (GCVE-0-2020-25174)

    Vulnerability from nvd – Published: 2020-11-06 16:08 – Updated: 2024-09-17 00:16
    VLAI
    Title
    B. Braun OnlineSuite
    Summary
    A DLL hijacking vulnerability in the B. Braun OnlineSuite Version AP 3.0 and earlier allows local attackers to execute code on the system as a high privileged user.
    Severity
    No CVSS data available.
    CWE
    • CWE-427 - UNCONTROLLED SEARCH PATH ELEMENT CWE-427
    Assigner
    References
    Impacted products
    Vendor Product Version
    B. Braun Melsungen AG OnlineSuite Affected: AP , ≤ 3.0 (custom)
    Create a notification for this product.
    Date Public
    2020-10-22 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T15:26:10.187Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://us-cert.cisa.gov/ics/advisories/icsma-20-296-01"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "OnlineSuite",
              "vendor": "B. Braun Melsungen AG",
              "versions": [
                {
                  "lessThanOrEqual": "3.0",
                  "status": "affected",
                  "version": "AP",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2020-10-22T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "A DLL hijacking vulnerability in the B. Braun OnlineSuite Version AP 3.0 and earlier allows local attackers to execute code on the system as a high privileged user."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-427",
                  "description": "UNCONTROLLED SEARCH PATH ELEMENT CWE-427",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2020-11-06T16:08:41.000Z",
            "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
            "shortName": "icscert"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://us-cert.cisa.gov/ics/advisories/icsma-20-296-01"
            }
          ],
          "source": {
            "advisory": "ICSMA-20-296-01",
            "discovery": "UNKNOWN"
          },
          "title": "B. Braun OnlineSuite",
          "x_generator": {
            "engine": "Vulnogram 0.0.9"
          },
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "ics-cert@hq.dhs.gov",
              "DATE_PUBLIC": "2020-10-22T15:00:00.000Z",
              "ID": "CVE-2020-25174",
              "STATE": "PUBLIC",
              "TITLE": "B. Braun OnlineSuite"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "OnlineSuite",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c=",
                                "version_name": "AP",
                                "version_value": "3.0"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "B. Braun Melsungen AG"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "A DLL hijacking vulnerability in the B. Braun OnlineSuite Version AP 3.0 and earlier allows local attackers to execute code on the system as a high privileged user."
                }
              ]
            },
            "generator": {
              "engine": "Vulnogram 0.0.9"
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "UNCONTROLLED SEARCH PATH ELEMENT CWE-427"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://us-cert.cisa.gov/ics/advisories/icsma-20-296-01",
                  "refsource": "MISC",
                  "url": "https://us-cert.cisa.gov/ics/advisories/icsma-20-296-01"
                }
              ]
            },
            "source": {
              "advisory": "ICSMA-20-296-01",
              "discovery": "UNKNOWN"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
        "assignerShortName": "icscert",
        "cveId": "CVE-2020-25174",
        "datePublished": "2020-11-06T16:08:41.727Z",
        "dateReserved": "2020-09-04T00:00:00.000Z",
        "dateUpdated": "2024-09-17T00:16:15.836Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2020-25172 (GCVE-0-2020-25172)

    Vulnerability from nvd – Published: 2020-11-06 16:09 – Updated: 2024-09-16 18:39
    VLAI
    Title
    B. Braun OnlineSuite
    Summary
    A relative path traversal attack in the B. Braun OnlineSuite Version AP 3.0 and earlier allows unauthenticated attackers to upload or download arbitrary files.
    Severity
    No CVSS data available.
    CWE
    • CWE-23 - RELATIVE PATH TRAVERSAL CWE-23
    Assigner
    References
    Impacted products
    Vendor Product Version
    B. Braun Melsungen AG OnlineSuite Affected: AP , ≤ 3.0 (custom)
    Create a notification for this product.
    Date Public
    2020-10-22 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T15:26:10.164Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://us-cert.cisa.gov/ics/advisories/icsma-20-296-01"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "OnlineSuite",
              "vendor": "B. Braun Melsungen AG",
              "versions": [
                {
                  "lessThanOrEqual": "3.0",
                  "status": "affected",
                  "version": "AP",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2020-10-22T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "A relative path traversal attack in the B. Braun OnlineSuite Version AP 3.0 and earlier allows unauthenticated attackers to upload or download arbitrary files."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-23",
                  "description": "RELATIVE PATH TRAVERSAL CWE-23",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2020-11-06T16:09:16.000Z",
            "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
            "shortName": "icscert"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://us-cert.cisa.gov/ics/advisories/icsma-20-296-01"
            }
          ],
          "source": {
            "advisory": "ICSMA-20-296-01",
            "discovery": "UNKNOWN"
          },
          "title": "B. Braun OnlineSuite",
          "x_generator": {
            "engine": "Vulnogram 0.0.9"
          },
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "ics-cert@hq.dhs.gov",
              "DATE_PUBLIC": "2020-10-22T15:00:00.000Z",
              "ID": "CVE-2020-25172",
              "STATE": "PUBLIC",
              "TITLE": "B. Braun OnlineSuite"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "OnlineSuite",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c=",
                                "version_name": "AP",
                                "version_value": "3.0"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "B. Braun Melsungen AG"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "A relative path traversal attack in the B. Braun OnlineSuite Version AP 3.0 and earlier allows unauthenticated attackers to upload or download arbitrary files."
                }
              ]
            },
            "generator": {
              "engine": "Vulnogram 0.0.9"
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "RELATIVE PATH TRAVERSAL CWE-23"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://us-cert.cisa.gov/ics/advisories/icsma-20-296-01",
                  "refsource": "MISC",
                  "url": "https://us-cert.cisa.gov/ics/advisories/icsma-20-296-01"
                }
              ]
            },
            "source": {
              "advisory": "ICSMA-20-296-01",
              "discovery": "UNKNOWN"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
        "assignerShortName": "icscert",
        "cveId": "CVE-2020-25172",
        "datePublished": "2020-11-06T16:09:16.397Z",
        "dateReserved": "2020-09-04T00:00:00.000Z",
        "dateUpdated": "2024-09-16T18:39:05.515Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-3365 (GCVE-0-2025-3365)

    Vulnerability from cvelistv5 – Published: 2025-06-06 08:14 – Updated: 2025-06-06 17:12
    VLAI
    Title
    Relative Path Traversal in OnlineSuite
    Summary
    A missing protection against path traversal allows to access any file on the server.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-23 - Relative Path Traversal
    Assigner
    References
    Impacted products
    Date Public
    2025-06-06 07:00
    Credits
    Fabian Weber (CODE WHITE GmbH) Dr. Florian Hauser (CODE WHITE GmbH)
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-3365",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-06-06T17:03:10.577417Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-06-06T17:12:51.401Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "OnlineSuite",
              "vendor": "B. Braun Melsungen AG",
              "versions": [
                {
                  "status": "affected",
                  "version": "3.0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "Fabian Weber (CODE WHITE GmbH)"
            },
            {
              "lang": "en",
              "type": "reporter",
              "value": "Dr. Florian Hauser (CODE WHITE GmbH)"
            }
          ],
          "datePublic": "2025-06-06T07:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eA missing protection against path traversal allows to access\nany file on the server.\u003c/p\u003e"
                }
              ],
              "value": "A missing protection against path traversal allows to access\nany file on the server."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 9.8,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-23",
                  "description": "CWE-23 Relative Path Traversal",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-06-06T08:14:00.444Z",
            "orgId": "653264ec-f98b-4e8f-b8b4-540a01b7657d",
            "shortName": "B.Braun"
          },
          "references": [
            {
              "url": "https://www.bbraun.com/productsecurity"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Field Service Information FSI 14-25 \u201cOnlineSuite AP3.0 - Security Fix\u201d provides a patch to these issues.\n\n\u003cbr\u003e"
                }
              ],
              "value": "Field Service Information FSI 14-25 \u201cOnlineSuite AP3.0 - Security Fix\u201d provides a patch to these issues."
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Relative Path Traversal in OnlineSuite",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "653264ec-f98b-4e8f-b8b4-540a01b7657d",
        "assignerShortName": "B.Braun",
        "cveId": "CVE-2025-3365",
        "datePublished": "2025-06-06T08:14:00.444Z",
        "dateReserved": "2025-04-07T06:11:11.032Z",
        "dateUpdated": "2025-06-06T17:12:51.401Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-3322 (GCVE-0-2025-3322)

    Vulnerability from cvelistv5 – Published: 2025-06-06 08:13 – Updated: 2025-06-06 17:29
    VLAI
    Title
    Improper Neutralization of Special Elements in OnlineSuite
    Summary
    An improper neutralization of inputs used in expression language allows remote code execution with the highest privileges on the server.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-917 - Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')
    Assigner
    References
    Impacted products
    Date Public
    2025-06-06 07:00
    Credits
    Fabian Weber (CODE WHITE GmbH) Dr. Florian Hauser (CODE WHITE GmbH)
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-3322",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-06-06T17:19:28.552605Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-06-06T17:29:30.972Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "OnlineSuite",
              "vendor": "B. Braun Melsungen AG",
              "versions": [
                {
                  "status": "affected",
                  "version": "3.0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "Fabian Weber (CODE WHITE GmbH)"
            },
            {
              "lang": "en",
              "type": "reporter",
              "value": "Dr. Florian Hauser (CODE WHITE GmbH)"
            }
          ],
          "datePublic": "2025-06-06T07:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eAn improper neutralization of inputs used in expression\nlanguage allows remote code execution with the highest privileges on the\nserver.\u003c/p\u003e"
                }
              ],
              "value": "An improper neutralization of inputs used in expression\nlanguage allows remote code execution with the highest privileges on the\nserver."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 10,
                "baseSeverity": "CRITICAL",
                "privilegesRequired": "NONE",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "HIGH",
                "subConfidentialityImpact": "HIGH",
                "subIntegrityImpact": "HIGH",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "HIGH",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-917",
                  "description": "CWE-917 Improper Neutralization of Special Elements used in an Expression Language Statement (\u0027Expression Language Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-06-06T08:13:12.028Z",
            "orgId": "653264ec-f98b-4e8f-b8b4-540a01b7657d",
            "shortName": "B.Braun"
          },
          "references": [
            {
              "url": "https://www.bbraun.com/productsecurity"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Field Service Information FSI 14-25 \u201cOnlineSuite AP3.0 - Security Fix\u201d provides a patch to these issues.\n\n\u003cbr\u003e"
                }
              ],
              "value": "Field Service Information FSI 14-25 \u201cOnlineSuite AP3.0 - Security Fix\u201d provides a patch to these issues."
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Improper Neutralization of Special Elements in OnlineSuite",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "653264ec-f98b-4e8f-b8b4-540a01b7657d",
        "assignerShortName": "B.Braun",
        "cveId": "CVE-2025-3322",
        "datePublished": "2025-06-06T08:13:12.028Z",
        "dateReserved": "2025-04-05T19:02:30.304Z",
        "dateUpdated": "2025-06-06T17:29:30.972Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-3321 (GCVE-0-2025-3321)

    Vulnerability from cvelistv5 – Published: 2025-06-06 08:12 – Updated: 2025-06-06 18:25
    VLAI
    Title
    Use of Hard-coded Credentials in OnlineSuite
    Summary
    A predefined administrative account is not documented and cannot be deactivated. This account cannot be misused from the network, only by local users on the server.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-798 - Use of Hard-coded Credentials
    Assigner
    References
    Impacted products
    Date Public
    2025-06-06 07:00
    Credits
    Fabian Weber (CODE WHITE GmbH) Dr. Florian Hauser (CODE WHITE GmbH)
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-3321",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-06-06T17:42:18.841236Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-06-06T18:25:54.094Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "OnlineSuite",
              "vendor": "B. Braun Melsungen AG",
              "versions": [
                {
                  "status": "affected",
                  "version": "3.0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "Fabian Weber (CODE WHITE GmbH)"
            },
            {
              "lang": "en",
              "type": "reporter",
              "value": "Dr. Florian Hauser (CODE WHITE GmbH)"
            }
          ],
          "datePublic": "2025-06-06T07:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003e\u003c/p\u003e\u003cp\u003eA predefined administrative account is not documented and cannot\nbe deactivated. This account cannot be misused from the network, only by local\nusers on the server.\u003c/p\u003e\n\n\n\n\n\n\u003cp\u003e\u003c/p\u003e"
                }
              ],
              "value": "A predefined administrative account is not documented and cannot\nbe deactivated. This account cannot be misused from the network, only by local\nusers on the server."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "LOCAL",
                "baseScore": 9.4,
                "baseSeverity": "CRITICAL",
                "privilegesRequired": "NONE",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "HIGH",
                "subConfidentialityImpact": "HIGH",
                "subIntegrityImpact": "HIGH",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "HIGH",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-798",
                  "description": "CWE-798 Use of Hard-coded Credentials",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-06-06T08:12:46.971Z",
            "orgId": "653264ec-f98b-4e8f-b8b4-540a01b7657d",
            "shortName": "B.Braun"
          },
          "references": [
            {
              "url": "https://www.bbraun.com/productsecurity"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Field Service Information FSI 14-25 \u201cOnlineSuite AP3.0 - Security Fix\u201d provides a patch to these issues."
                }
              ],
              "value": "Field Service Information FSI 14-25 \u201cOnlineSuite AP3.0 - Security Fix\u201d provides a patch to these issues."
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Use of Hard-coded Credentials in OnlineSuite",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "653264ec-f98b-4e8f-b8b4-540a01b7657d",
        "assignerShortName": "B.Braun",
        "cveId": "CVE-2025-3321",
        "datePublished": "2025-06-06T08:12:46.971Z",
        "dateReserved": "2025-04-05T19:01:47.895Z",
        "dateUpdated": "2025-06-06T18:25:54.094Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2020-25164 (GCVE-0-2020-25164)

    Vulnerability from cvelistv5 – Published: 2022-04-14 20:06 – Updated: 2025-04-16 16:29
    VLAI
    Title
    B. Braun SpaceCom, Battery Pack SP with Wi-Fi, and Data module compactplus
    Summary
    A vulnerability in the B. Braun Melsungen AG SpaceCom Version L81/U61 and earlier, and the Data module compactplus Versions A10 and A11 allows attackers to recover user credentials of the administrative interface.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-759 - Use of a One-Way Hash without a Salt
    Assigner
    References
    Impacted products
    Vendor Product Version
    B. Braun Melsungen AG SpaceCom Affected: unspecified , ≤ U61 (custom)
    Affected: unspecified , ≤ L81 (custom)
    Create a notification for this product.
    B. Braun Melsungen AG Battery pack with Wi-Fi Affected: unspecified , ≤ U61 (custom)
    Affected: unspecified , ≤ L81 (custom)
    Create a notification for this product.
    B. Braun Melsungen AG Data module compactplus Affected: A10
    Affected: A11
    Create a notification for this product.
    Credits
    Julian Suleder, Nils Emmerich, and Birk Kauer of ERNW Research GmbH; Dr. Oliver Matula of ERNW Enno Rey Netzwerke GmbH, reported these vulnerabilities to the Federal Office for Information Security (BSI), Germany, in the context of the BSI project ManiMed (Manipulation of medical devices).
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T15:26:09.576Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://www.cisa.gov/uscert/ics/advisories/icsma-20-296-02"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2020-25164",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-04-16T15:54:15.208760Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-04-16T16:29:36.723Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "SpaceCom",
              "vendor": "B. Braun Melsungen AG",
              "versions": [
                {
                  "lessThanOrEqual": "U61",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                },
                {
                  "lessThanOrEqual": "L81",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            },
            {
              "product": "Battery pack with Wi-Fi",
              "vendor": "B. Braun Melsungen AG",
              "versions": [
                {
                  "lessThanOrEqual": "U61",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                },
                {
                  "lessThanOrEqual": "L81",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            },
            {
              "product": "Data module compactplus",
              "vendor": "B. Braun Melsungen AG",
              "versions": [
                {
                  "status": "affected",
                  "version": "A10"
                },
                {
                  "status": "affected",
                  "version": "A11"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Julian Suleder, Nils Emmerich, and Birk Kauer of ERNW Research GmbH; Dr. Oliver Matula of ERNW Enno Rey Netzwerke GmbH, reported these vulnerabilities to the Federal Office for Information Security (BSI), Germany, in the context of the BSI project ManiMed (Manipulation of medical devices)."
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A vulnerability in the B. Braun Melsungen AG SpaceCom Version L81/U61 and earlier, and the Data module compactplus Versions A10 and A11 allows attackers to recover user credentials of the administrative interface."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 6.5,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-759",
                  "description": "CWE-759: Use of a One-Way Hash without a Salt",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-04-14T20:06:00.000Z",
            "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
            "shortName": "icscert"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://www.cisa.gov/uscert/ics/advisories/icsma-20-296-02"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "value": "B. Braun recommends applying updates:\n\n    SpaceCom: Version U62 or later (United States), L82 or later (outside the United States)\n    Battery Pack SP with Wi-Fi: Version U62 or later (United States), L82 or later (outside the United States)\n    Data module compactplus: Version A12 or later\n\nPlease contact your local B. Braun organization to request further help. For more information please see the B. Braun Security Advisory.  https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html\n"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "B. Braun SpaceCom, Battery Pack SP with Wi-Fi, and Data module compactplus",
          "workarounds": [
            {
              "lang": "en",
              "value": "As a general security measure, B. Braun recommends protecting the network with appropriate mechanisms:\n\n    Ensure the devices are not accessible directly from the Internet.\n    Use a firewall and isolate the medical devices from the business network. \n\nPlease contact your local B. Braun organization to request further help. For more information please see the B. Braun Security Advisory.  https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html"
            }
          ],
          "x_generator": {
            "engine": "Vulnogram 0.0.9"
          },
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "ics-cert@hq.dhs.gov",
              "ID": "CVE-2020-25164",
              "STATE": "PUBLIC",
              "TITLE": "B. Braun SpaceCom, Battery Pack SP with Wi-Fi, and Data module compactplus"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "SpaceCom",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c=",
                                "version_value": "U61"
                              },
                              {
                                "version_affected": "\u003c=",
                                "version_value": "L81"
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "Battery pack with Wi-Fi",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c=",
                                "version_value": "U61"
                              },
                              {
                                "version_affected": "\u003c=",
                                "version_value": "L81"
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "Data module compactplus",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "=",
                                "version_value": "A10"
                              },
                              {
                                "version_affected": "=",
                                "version_value": "A11"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "B. Braun Melsungen AG"
                  }
                ]
              }
            },
            "credit": [
              {
                "lang": "eng",
                "value": "Julian Suleder, Nils Emmerich, and Birk Kauer of ERNW Research GmbH; Dr. Oliver Matula of ERNW Enno Rey Netzwerke GmbH, reported these vulnerabilities to the Federal Office for Information Security (BSI), Germany, in the context of the BSI project ManiMed (Manipulation of medical devices)."
              }
            ],
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "A vulnerability in the B. Braun Melsungen AG SpaceCom Version L81/U61 and earlier, and the Data module compactplus Versions A10 and A11 allows attackers to recover user credentials of the administrative interface."
                }
              ]
            },
            "generator": {
              "engine": "Vulnogram 0.0.9"
            },
            "impact": {
              "cvss": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 6.5,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
                "version": "3.1"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-759: Use of a One-Way Hash without a Salt"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://www.cisa.gov/uscert/ics/advisories/icsma-20-296-02",
                  "refsource": "CONFIRM",
                  "url": "https://www.cisa.gov/uscert/ics/advisories/icsma-20-296-02"
                },
                {
                  "name": "https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html",
                  "refsource": "CONFIRM",
                  "url": "https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html"
                }
              ]
            },
            "solution": [
              {
                "lang": "en",
                "value": "B. Braun recommends applying updates:\n\n    SpaceCom: Version U62 or later (United States), L82 or later (outside the United States)\n    Battery Pack SP with Wi-Fi: Version U62 or later (United States), L82 or later (outside the United States)\n    Data module compactplus: Version A12 or later\n\nPlease contact your local B. Braun organization to request further help. For more information please see the B. Braun Security Advisory.  https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html\n"
              }
            ],
            "source": {
              "discovery": "EXTERNAL"
            },
            "work_around": [
              {
                "lang": "en",
                "value": "As a general security measure, B. Braun recommends protecting the network with appropriate mechanisms:\n\n    Ensure the devices are not accessible directly from the Internet.\n    Use a firewall and isolate the medical devices from the business network. \n\nPlease contact your local B. Braun organization to request further help. For more information please see the B. Braun Security Advisory.  https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html"
              }
            ]
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
        "assignerShortName": "icscert",
        "cveId": "CVE-2020-25164",
        "datePublished": "2022-04-14T20:06:00.000Z",
        "dateReserved": "2020-09-04T00:00:00.000Z",
        "dateUpdated": "2025-04-16T16:29:36.723Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2020-25168 (GCVE-0-2020-25168)

    Vulnerability from cvelistv5 – Published: 2022-04-14 20:06 – Updated: 2025-04-16 16:29
    VLAI
    Title
    B. Braun SpaceCom, Battery Pack SP with Wi-Fi, and Data module compactplus
    Summary
    Hard-coded credentials in the B. Braun Melsungen AG SpaceCom Version L81/U61 and earlier, and the Data module compactplus Versions A10 and A11 enable attackers with command line access to access the device’s Wi-Fi module.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-798 - Use of Hard-coded Credentials
    Assigner
    References
    Impacted products
    Vendor Product Version
    B. Braun Melsungen AG SpaceCom Affected: unspecified , ≤ U61 (custom)
    Affected: unspecified , ≤ L81 (custom)
    Create a notification for this product.
    B. Braun Melsungen AG Battery pack with Wi-Fi Affected: unspecified , ≤ U61 (custom)
    Affected: unspecified , ≤ L81 (custom)
    Create a notification for this product.
    B. Braun Melsungen AG Data module compactplus Affected: A10
    Affected: A11
    Create a notification for this product.
    Credits
    Julian Suleder, Nils Emmerich, and Birk Kauer of ERNW Research GmbH; Dr. Oliver Matula of ERNW Enno Rey Netzwerke GmbH, reported these vulnerabilities to the Federal Office for Information Security (BSI), Germany, in the context of the BSI project ManiMed (Manipulation of medical devices).
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T15:26:10.000Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://www.cisa.gov/uscert/ics/advisories/icsma-20-296-02"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2020-25168",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-04-16T15:54:09.627996Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-04-16T16:29:29.444Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "SpaceCom",
              "vendor": "B. Braun Melsungen AG",
              "versions": [
                {
                  "lessThanOrEqual": "U61",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                },
                {
                  "lessThanOrEqual": "L81",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            },
            {
              "product": "Battery pack with Wi-Fi",
              "vendor": "B. Braun Melsungen AG",
              "versions": [
                {
                  "lessThanOrEqual": "U61",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                },
                {
                  "lessThanOrEqual": "L81",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            },
            {
              "product": "Data module compactplus",
              "vendor": "B. Braun Melsungen AG",
              "versions": [
                {
                  "status": "affected",
                  "version": "A10"
                },
                {
                  "status": "affected",
                  "version": "A11"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Julian Suleder, Nils Emmerich, and Birk Kauer of ERNW Research GmbH; Dr. Oliver Matula of ERNW Enno Rey Netzwerke GmbH, reported these vulnerabilities to the Federal Office for Information Security (BSI), Germany, in the context of the BSI project ManiMed (Manipulation of medical devices)."
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Hard-coded credentials in the B. Braun Melsungen AG SpaceCom Version L81/U61 and earlier, and the Data module compactplus Versions A10 and A11 enable attackers with command line access to access the device\u2019s Wi-Fi module."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "LOCAL",
                "availabilityImpact": "NONE",
                "baseScore": 3.3,
                "baseSeverity": "LOW",
                "confidentialityImpact": "LOW",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-798",
                  "description": "CWE-798: Use of Hard-coded Credentials",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-04-14T20:06:00.000Z",
            "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
            "shortName": "icscert"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://www.cisa.gov/uscert/ics/advisories/icsma-20-296-02"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "value": "B. Braun recommends applying updates:\n\n    SpaceCom: Version U62 or later (United States), L82 or later (outside the United States)\n    Battery Pack SP with Wi-Fi: Version U62 or later (United States), L82 or later (outside the United States)\n    Data module compactplus: Version A12 or later\n\nPlease contact your local B. Braun organization to request further help. For more information please see the B. Braun Security Advisory.  https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html\n"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "B. Braun SpaceCom, Battery Pack SP with Wi-Fi, and Data module compactplus",
          "workarounds": [
            {
              "lang": "en",
              "value": "As a general security measure, B. Braun recommends protecting the network with appropriate mechanisms:\n\n    Ensure the devices are not accessible directly from the Internet.\n    Use a firewall and isolate the medical devices from the business network. \n\nPlease contact your local B. Braun organization to request further help. For more information please see the B. Braun Security Advisory.  https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html"
            }
          ],
          "x_generator": {
            "engine": "Vulnogram 0.0.9"
          },
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "ics-cert@hq.dhs.gov",
              "ID": "CVE-2020-25168",
              "STATE": "PUBLIC",
              "TITLE": "B. Braun SpaceCom, Battery Pack SP with Wi-Fi, and Data module compactplus"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "SpaceCom",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c=",
                                "version_value": "U61"
                              },
                              {
                                "version_affected": "\u003c=",
                                "version_value": "L81"
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "Battery pack with Wi-Fi",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c=",
                                "version_value": "U61"
                              },
                              {
                                "version_affected": "\u003c=",
                                "version_value": "L81"
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "Data module compactplus",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "=",
                                "version_value": "A10"
                              },
                              {
                                "version_affected": "=",
                                "version_value": "A11"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "B. Braun Melsungen AG"
                  }
                ]
              }
            },
            "credit": [
              {
                "lang": "eng",
                "value": "Julian Suleder, Nils Emmerich, and Birk Kauer of ERNW Research GmbH; Dr. Oliver Matula of ERNW Enno Rey Netzwerke GmbH, reported these vulnerabilities to the Federal Office for Information Security (BSI), Germany, in the context of the BSI project ManiMed (Manipulation of medical devices)."
              }
            ],
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Hard-coded credentials in the B. Braun Melsungen AG SpaceCom Version L81/U61 and earlier, and the Data module compactplus Versions A10 and A11 enable attackers with command line access to access the device\u2019s Wi-Fi module."
                }
              ]
            },
            "generator": {
              "engine": "Vulnogram 0.0.9"
            },
            "impact": {
              "cvss": {
                "attackComplexity": "LOW",
                "attackVector": "LOCAL",
                "availabilityImpact": "NONE",
                "baseScore": 3.3,
                "baseSeverity": "LOW",
                "confidentialityImpact": "LOW",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
                "version": "3.1"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-798: Use of Hard-coded Credentials"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://www.cisa.gov/uscert/ics/advisories/icsma-20-296-02",
                  "refsource": "CONFIRM",
                  "url": "https://www.cisa.gov/uscert/ics/advisories/icsma-20-296-02"
                },
                {
                  "name": "https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html",
                  "refsource": "CONFIRM",
                  "url": "https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html"
                }
              ]
            },
            "solution": [
              {
                "lang": "en",
                "value": "B. Braun recommends applying updates:\n\n    SpaceCom: Version U62 or later (United States), L82 or later (outside the United States)\n    Battery Pack SP with Wi-Fi: Version U62 or later (United States), L82 or later (outside the United States)\n    Data module compactplus: Version A12 or later\n\nPlease contact your local B. Braun organization to request further help. For more information please see the B. Braun Security Advisory.  https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html\n"
              }
            ],
            "source": {
              "discovery": "EXTERNAL"
            },
            "work_around": [
              {
                "lang": "en",
                "value": "As a general security measure, B. Braun recommends protecting the network with appropriate mechanisms:\n\n    Ensure the devices are not accessible directly from the Internet.\n    Use a firewall and isolate the medical devices from the business network. \n\nPlease contact your local B. Braun organization to request further help. For more information please see the B. Braun Security Advisory.  https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html"
              }
            ]
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
        "assignerShortName": "icscert",
        "cveId": "CVE-2020-25168",
        "datePublished": "2022-04-14T20:06:00.000Z",
        "dateReserved": "2020-09-04T00:00:00.000Z",
        "dateUpdated": "2025-04-16T16:29:29.444Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2020-25166 (GCVE-0-2020-25166)

    Vulnerability from cvelistv5 – Published: 2022-04-14 20:05 – Updated: 2025-04-16 16:29
    VLAI
    Title
    B. Braun SpaceCom, Battery Pack SP with Wi-Fi, and Data module compactplus
    Summary
    An improper verification of the cryptographic signature of firmware updates of the B. Braun Melsungen AG SpaceCom Version L81/U61 and earlier, and the Data module compactplus Versions A10 and A11 allows attackers to generate valid firmware updates with arbitrary content that can be used to tamper with devices.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-347 - Improper Verification of Cryptographic Signature
    Assigner
    References
    Impacted products
    Vendor Product Version
    B. Braun Melsungen AG SpaceCom Affected: unspecified , ≤ U61 (custom)
    Affected: unspecified , ≤ L81 (custom)
    Create a notification for this product.
    B. Braun Melsungen AG Battery pack with Wi-Fi Affected: unspecified , ≤ U61 (custom)
    Affected: unspecified , ≤ L81 (custom)
    Create a notification for this product.
    B. Braun Melsungen AG Data module compactplus Affected: A10
    Affected: A11
    Create a notification for this product.
    Credits
    Julian Suleder, Nils Emmerich, and Birk Kauer of ERNW Research GmbH; Dr. Oliver Matula of ERNW Enno Rey Netzwerke GmbH, reported these vulnerabilities to the Federal Office for Information Security (BSI), Germany, in the context of the BSI project ManiMed (Manipulation of medical devices).
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T15:26:10.204Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://www.cisa.gov/uscert/ics/advisories/icsma-20-296-02"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2020-25166",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-04-16T15:54:19.378844Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-04-16T16:29:44.744Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "SpaceCom",
              "vendor": "B. Braun Melsungen AG",
              "versions": [
                {
                  "lessThanOrEqual": "U61",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                },
                {
                  "lessThanOrEqual": "L81",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            },
            {
              "product": "Battery pack with Wi-Fi",
              "vendor": "B. Braun Melsungen AG",
              "versions": [
                {
                  "lessThanOrEqual": "U61",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                },
                {
                  "lessThanOrEqual": "L81",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            },
            {
              "product": "Data module compactplus",
              "vendor": "B. Braun Melsungen AG",
              "versions": [
                {
                  "status": "affected",
                  "version": "A10"
                },
                {
                  "status": "affected",
                  "version": "A11"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Julian Suleder, Nils Emmerich, and Birk Kauer of ERNW Research GmbH; Dr. Oliver Matula of ERNW Enno Rey Netzwerke GmbH, reported these vulnerabilities to the Federal Office for Information Security (BSI), Germany, in the context of the BSI project ManiMed (Manipulation of medical devices)."
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "An improper verification of the cryptographic signature of firmware updates of the B. Braun Melsungen AG SpaceCom Version L81/U61 and earlier, and the Data module compactplus Versions A10 and A11 allows attackers to generate valid firmware updates with arbitrary content that can be used to tamper with devices."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 7.6,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "LOW",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-347",
                  "description": "CWE-347: Improper Verification of Cryptographic Signature",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-04-14T20:05:59.000Z",
            "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
            "shortName": "icscert"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://www.cisa.gov/uscert/ics/advisories/icsma-20-296-02"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "value": "B. Braun recommends applying updates:\n\n    SpaceCom: Version U62 or later (United States), L82 or later (outside the United States)\n    Battery Pack SP with Wi-Fi: Version U62 or later (United States), L82 or later (outside the United States)\n    Data module compactplus: Version A12 or later\n\nPlease contact your local B. Braun organization to request further help. For more information please see the B. Braun Security Advisory.  https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html\n"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "B. Braun SpaceCom, Battery Pack SP with Wi-Fi, and Data module compactplus",
          "workarounds": [
            {
              "lang": "en",
              "value": "As a general security measure, B. Braun recommends protecting the network with appropriate mechanisms:\n\n    Ensure the devices are not accessible directly from the Internet.\n    Use a firewall and isolate the medical devices from the business network. \n\nPlease contact your local B. Braun organization to request further help. For more information please see the B. Braun Security Advisory.  https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html"
            }
          ],
          "x_generator": {
            "engine": "Vulnogram 0.0.9"
          },
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "ics-cert@hq.dhs.gov",
              "ID": "CVE-2020-25166",
              "STATE": "PUBLIC",
              "TITLE": "B. Braun SpaceCom, Battery Pack SP with Wi-Fi, and Data module compactplus"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "SpaceCom",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c=",
                                "version_value": "U61"
                              },
                              {
                                "version_affected": "\u003c=",
                                "version_value": "L81"
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "Battery pack with Wi-Fi",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c=",
                                "version_value": "U61"
                              },
                              {
                                "version_affected": "\u003c=",
                                "version_value": "L81"
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "Data module compactplus",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "=",
                                "version_value": "A10"
                              },
                              {
                                "version_affected": "=",
                                "version_value": "A11"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "B. Braun Melsungen AG"
                  }
                ]
              }
            },
            "credit": [
              {
                "lang": "eng",
                "value": "Julian Suleder, Nils Emmerich, and Birk Kauer of ERNW Research GmbH; Dr. Oliver Matula of ERNW Enno Rey Netzwerke GmbH, reported these vulnerabilities to the Federal Office for Information Security (BSI), Germany, in the context of the BSI project ManiMed (Manipulation of medical devices)."
              }
            ],
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "An improper verification of the cryptographic signature of firmware updates of the B. Braun Melsungen AG SpaceCom Version L81/U61 and earlier, and the Data module compactplus Versions A10 and A11 allows attackers to generate valid firmware updates with arbitrary content that can be used to tamper with devices."
                }
              ]
            },
            "generator": {
              "engine": "Vulnogram 0.0.9"
            },
            "impact": {
              "cvss": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 7.6,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "LOW",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L",
                "version": "3.1"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-347: Improper Verification of Cryptographic Signature"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://www.cisa.gov/uscert/ics/advisories/icsma-20-296-02",
                  "refsource": "CONFIRM",
                  "url": "https://www.cisa.gov/uscert/ics/advisories/icsma-20-296-02"
                },
                {
                  "name": "https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html",
                  "refsource": "CONFIRM",
                  "url": "https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html"
                }
              ]
            },
            "solution": [
              {
                "lang": "en",
                "value": "B. Braun recommends applying updates:\n\n    SpaceCom: Version U62 or later (United States), L82 or later (outside the United States)\n    Battery Pack SP with Wi-Fi: Version U62 or later (United States), L82 or later (outside the United States)\n    Data module compactplus: Version A12 or later\n\nPlease contact your local B. Braun organization to request further help. For more information please see the B. Braun Security Advisory.  https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html\n"
              }
            ],
            "source": {
              "discovery": "EXTERNAL"
            },
            "work_around": [
              {
                "lang": "en",
                "value": "As a general security measure, B. Braun recommends protecting the network with appropriate mechanisms:\n\n    Ensure the devices are not accessible directly from the Internet.\n    Use a firewall and isolate the medical devices from the business network. \n\nPlease contact your local B. Braun organization to request further help. For more information please see the B. Braun Security Advisory.  https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html"
              }
            ]
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
        "assignerShortName": "icscert",
        "cveId": "CVE-2020-25166",
        "datePublished": "2022-04-14T20:05:59.000Z",
        "dateReserved": "2020-09-04T00:00:00.000Z",
        "dateUpdated": "2025-04-16T16:29:44.744Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2020-25154 (GCVE-0-2020-25154)

    Vulnerability from cvelistv5 – Published: 2022-04-14 20:05 – Updated: 2025-04-16 16:29
    VLAI
    Title
    B. Braun SpaceCom, Battery Pack SP with Wi-Fi, and Data module compactplus
    Summary
    An open redirect vulnerability in the administrative interface of the B. Braun Melsungen AG SpaceCom device Version L81/U61 and earlier, and the Data module compactplus Versions A10 and A11 allows attackers to redirect users to malicious websites.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    References
    Impacted products
    Vendor Product Version
    B. Braun Melsungen AG SpaceCom Affected: unspecified , ≤ U61 (custom)
    Affected: unspecified , ≤ L81 (custom)
    Create a notification for this product.
    B. Braun Melsungen AG Battery pack with Wi-Fi Affected: unspecified , ≤ U61 (custom)
    Affected: unspecified , ≤ L81 (custom)
    Create a notification for this product.
    B. Braun Melsungen AG Data module compactplus Affected: A10
    Affected: A11
    Create a notification for this product.
    Credits
    Julian Suleder, Nils Emmerich, and Birk Kauer of ERNW Research GmbH; Dr. Oliver Matula of ERNW Enno Rey Netzwerke GmbH, reported these vulnerabilities to the Federal Office for Information Security (BSI), Germany, in the context of the BSI project ManiMed (Manipulation of medical devices).
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T15:26:10.179Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://www.cisa.gov/uscert/ics/advisories/icsma-20-296-02"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2020-25154",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-04-16T15:54:23.787363Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-04-16T16:29:52.798Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "SpaceCom",
              "vendor": "B. Braun Melsungen AG",
              "versions": [
                {
                  "lessThanOrEqual": "U61",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                },
                {
                  "lessThanOrEqual": "L81",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            },
            {
              "product": "Battery pack with Wi-Fi",
              "vendor": "B. Braun Melsungen AG",
              "versions": [
                {
                  "lessThanOrEqual": "U61",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                },
                {
                  "lessThanOrEqual": "L81",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            },
            {
              "product": "Data module compactplus",
              "vendor": "B. Braun Melsungen AG",
              "versions": [
                {
                  "status": "affected",
                  "version": "A10"
                },
                {
                  "status": "affected",
                  "version": "A11"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Julian Suleder, Nils Emmerich, and Birk Kauer of ERNW Research GmbH; Dr. Oliver Matula of ERNW Enno Rey Netzwerke GmbH, reported these vulnerabilities to the Federal Office for Information Security (BSI), Germany, in the context of the BSI project ManiMed (Manipulation of medical devices)."
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "An open redirect vulnerability in the administrative interface of the B. Braun Melsungen AG SpaceCom device Version L81/U61 and earlier, and the Data module compactplus Versions A10 and A11 allows attackers to redirect users to malicious websites."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 5.4,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-601",
                  "description": "CWE-601: Open Redirect",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-04-14T20:05:58.000Z",
            "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
            "shortName": "icscert"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://www.cisa.gov/uscert/ics/advisories/icsma-20-296-02"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "value": "B. Braun recommends applying updates:\n\n    SpaceCom: Version U62 or later (United States), L82 or later (outside the United States)\n    Battery Pack SP with Wi-Fi: Version U62 or later (United States), L82 or later (outside the United States)\n    Data module compactplus: Version A12 or later\n\nPlease contact your local B. Braun organization to request further help. For more information please see the B. Braun Security Advisory.  https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html\n"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "B. Braun SpaceCom, Battery Pack SP with Wi-Fi, and Data module compactplus",
          "workarounds": [
            {
              "lang": "en",
              "value": "As a general security measure, B. Braun recommends protecting the network with appropriate mechanisms:\n\n    Ensure the devices are not accessible directly from the Internet.\n    Use a firewall and isolate the medical devices from the business network. \n\nPlease contact your local B. Braun organization to request further help. For more information please see the B. Braun Security Advisory.  https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html"
            }
          ],
          "x_generator": {
            "engine": "Vulnogram 0.0.9"
          },
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "ics-cert@hq.dhs.gov",
              "ID": "CVE-2020-25154",
              "STATE": "PUBLIC",
              "TITLE": "B. Braun SpaceCom, Battery Pack SP with Wi-Fi, and Data module compactplus"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "SpaceCom",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c=",
                                "version_value": "U61"
                              },
                              {
                                "version_affected": "\u003c=",
                                "version_value": "L81"
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "Battery pack with Wi-Fi",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c=",
                                "version_value": "U61"
                              },
                              {
                                "version_affected": "\u003c=",
                                "version_value": "L81"
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "Data module compactplus",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "=",
                                "version_value": "A10"
                              },
                              {
                                "version_affected": "=",
                                "version_value": "A11"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "B. Braun Melsungen AG"
                  }
                ]
              }
            },
            "credit": [
              {
                "lang": "eng",
                "value": "Julian Suleder, Nils Emmerich, and Birk Kauer of ERNW Research GmbH; Dr. Oliver Matula of ERNW Enno Rey Netzwerke GmbH, reported these vulnerabilities to the Federal Office for Information Security (BSI), Germany, in the context of the BSI project ManiMed (Manipulation of medical devices)."
              }
            ],
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "An open redirect vulnerability in the administrative interface of the B. Braun Melsungen AG SpaceCom device Version L81/U61 and earlier, and the Data module compactplus Versions A10 and A11 allows attackers to redirect users to malicious websites."
                }
              ]
            },
            "generator": {
              "engine": "Vulnogram 0.0.9"
            },
            "impact": {
              "cvss": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 5.4,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N",
                "version": "3.1"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-601: Open Redirect"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://www.cisa.gov/uscert/ics/advisories/icsma-20-296-02",
                  "refsource": "CONFIRM",
                  "url": "https://www.cisa.gov/uscert/ics/advisories/icsma-20-296-02"
                },
                {
                  "name": "https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html",
                  "refsource": "CONFIRM",
                  "url": "https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html"
                }
              ]
            },
            "solution": [
              {
                "lang": "en",
                "value": "B. Braun recommends applying updates:\n\n    SpaceCom: Version U62 or later (United States), L82 or later (outside the United States)\n    Battery Pack SP with Wi-Fi: Version U62 or later (United States), L82 or later (outside the United States)\n    Data module compactplus: Version A12 or later\n\nPlease contact your local B. Braun organization to request further help. For more information please see the B. Braun Security Advisory.  https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html\n"
              }
            ],
            "source": {
              "discovery": "EXTERNAL"
            },
            "work_around": [
              {
                "lang": "en",
                "value": "As a general security measure, B. Braun recommends protecting the network with appropriate mechanisms:\n\n    Ensure the devices are not accessible directly from the Internet.\n    Use a firewall and isolate the medical devices from the business network. \n\nPlease contact your local B. Braun organization to request further help. For more information please see the B. Braun Security Advisory.  https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html"
              }
            ]
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
        "assignerShortName": "icscert",
        "cveId": "CVE-2020-25154",
        "datePublished": "2022-04-14T20:05:58.000Z",
        "dateReserved": "2020-09-04T00:00:00.000Z",
        "dateUpdated": "2025-04-16T16:29:52.798Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2020-25162 (GCVE-0-2020-25162)

    Vulnerability from cvelistv5 – Published: 2022-04-14 20:05 – Updated: 2025-04-16 16:29
    VLAI
    Title
    B. Braun SpaceCom, Battery Pack SP with Wi-Fi, and Data module compactplus
    Summary
    A XPath injection vulnerability in the B. Braun Melsungen AG SpaceCom Version L81/U61 and earlier, and the Data module compactplus Versions A10 and A11 allows unauthenticated remote attackers to access sensitive information and escalate privileges.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    References
    Impacted products
    Vendor Product Version
    B. Braun Melsungen AG SpaceCom Affected: unspecified , ≤ U61 (custom)
    Affected: unspecified , ≤ L81 (custom)
    Create a notification for this product.
    B. Braun Melsungen AG Battery pack with Wi-Fi Affected: unspecified , ≤ U61 (custom)
    Affected: unspecified , ≤ L81 (custom)
    Create a notification for this product.
    B. Braun Melsungen AG Data module compactplus Affected: A10
    Affected: A11
    Create a notification for this product.
    Credits
    Julian Suleder, Nils Emmerich, and Birk Kauer of ERNW Research GmbH; Dr. Oliver Matula of ERNW Enno Rey Netzwerke GmbH, reported these vulnerabilities to the Federal Office for Information Security (BSI), Germany, in the context of the BSI project ManiMed (Manipulation of medical devices).
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T15:26:10.163Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://www.cisa.gov/uscert/ics/advisories/icsma-20-296-02"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2020-25162",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-04-16T15:57:38.755895Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-04-16T16:29:59.860Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "SpaceCom",
              "vendor": "B. Braun Melsungen AG",
              "versions": [
                {
                  "lessThanOrEqual": "U61",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                },
                {
                  "lessThanOrEqual": "L81",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            },
            {
              "product": "Battery pack with Wi-Fi",
              "vendor": "B. Braun Melsungen AG",
              "versions": [
                {
                  "lessThanOrEqual": "U61",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                },
                {
                  "lessThanOrEqual": "L81",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            },
            {
              "product": "Data module compactplus",
              "vendor": "B. Braun Melsungen AG",
              "versions": [
                {
                  "status": "affected",
                  "version": "A10"
                },
                {
                  "status": "affected",
                  "version": "A11"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Julian Suleder, Nils Emmerich, and Birk Kauer of ERNW Research GmbH; Dr. Oliver Matula of ERNW Enno Rey Netzwerke GmbH, reported these vulnerabilities to the Federal Office for Information Security (BSI), Germany, in the context of the BSI project ManiMed (Manipulation of medical devices)."
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A XPath injection vulnerability in the B. Braun Melsungen AG SpaceCom Version L81/U61 and earlier, and the Data module compactplus Versions A10 and A11 allows unauthenticated remote attackers to access sensitive information and escalate privileges."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-643",
                  "description": "CWE-643: XPath Injection",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-04-14T20:05:57.000Z",
            "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
            "shortName": "icscert"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://www.cisa.gov/uscert/ics/advisories/icsma-20-296-02"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "value": "B. Braun recommends applying updates:\n\n    SpaceCom: Version U62 or later (United States), L82 or later (outside the United States)\n    Battery Pack SP with Wi-Fi: Version U62 or later (United States), L82 or later (outside the United States)\n    Data module compactplus: Version A12 or later\n\nPlease contact your local B. Braun organization to request further help. For more information please see the B. Braun Security Advisory.  https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html\n"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "B. Braun SpaceCom, Battery Pack SP with Wi-Fi, and Data module compactplus",
          "workarounds": [
            {
              "lang": "en",
              "value": "As a general security measure, B. Braun recommends protecting the network with appropriate mechanisms:\n\n    Ensure the devices are not accessible directly from the Internet.\n    Use a firewall and isolate the medical devices from the business network. \n\nPlease contact your local B. Braun organization to request further help. For more information please see the B. Braun Security Advisory.  https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html"
            }
          ],
          "x_generator": {
            "engine": "Vulnogram 0.0.9"
          },
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "ics-cert@hq.dhs.gov",
              "ID": "CVE-2020-25162",
              "STATE": "PUBLIC",
              "TITLE": "B. Braun SpaceCom, Battery Pack SP with Wi-Fi, and Data module compactplus"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "SpaceCom",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c=",
                                "version_value": "U61"
                              },
                              {
                                "version_affected": "\u003c=",
                                "version_value": "L81"
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "Battery pack with Wi-Fi",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c=",
                                "version_value": "U61"
                              },
                              {
                                "version_affected": "\u003c=",
                                "version_value": "L81"
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "Data module compactplus",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "=",
                                "version_value": "A10"
                              },
                              {
                                "version_affected": "=",
                                "version_value": "A11"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "B. Braun Melsungen AG"
                  }
                ]
              }
            },
            "credit": [
              {
                "lang": "eng",
                "value": "Julian Suleder, Nils Emmerich, and Birk Kauer of ERNW Research GmbH; Dr. Oliver Matula of ERNW Enno Rey Netzwerke GmbH, reported these vulnerabilities to the Federal Office for Information Security (BSI), Germany, in the context of the BSI project ManiMed (Manipulation of medical devices)."
              }
            ],
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "A XPath injection vulnerability in the B. Braun Melsungen AG SpaceCom Version L81/U61 and earlier, and the Data module compactplus Versions A10 and A11 allows unauthenticated remote attackers to access sensitive information and escalate privileges."
                }
              ]
            },
            "generator": {
              "engine": "Vulnogram 0.0.9"
            },
            "impact": {
              "cvss": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
                "version": "3.1"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-643: XPath Injection"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://www.cisa.gov/uscert/ics/advisories/icsma-20-296-02",
                  "refsource": "CONFIRM",
                  "url": "https://www.cisa.gov/uscert/ics/advisories/icsma-20-296-02"
                },
                {
                  "name": "https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html",
                  "refsource": "CONFIRM",
                  "url": "https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html"
                }
              ]
            },
            "solution": [
              {
                "lang": "en",
                "value": "B. Braun recommends applying updates:\n\n    SpaceCom: Version U62 or later (United States), L82 or later (outside the United States)\n    Battery Pack SP with Wi-Fi: Version U62 or later (United States), L82 or later (outside the United States)\n    Data module compactplus: Version A12 or later\n\nPlease contact your local B. Braun organization to request further help. For more information please see the B. Braun Security Advisory.  https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html\n"
              }
            ],
            "source": {
              "discovery": "EXTERNAL"
            },
            "work_around": [
              {
                "lang": "en",
                "value": "As a general security measure, B. Braun recommends protecting the network with appropriate mechanisms:\n\n    Ensure the devices are not accessible directly from the Internet.\n    Use a firewall and isolate the medical devices from the business network. \n\nPlease contact your local B. Braun organization to request further help. For more information please see the B. Braun Security Advisory.  https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html"
              }
            ]
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
        "assignerShortName": "icscert",
        "cveId": "CVE-2020-25162",
        "datePublished": "2022-04-14T20:05:57.000Z",
        "dateReserved": "2020-09-04T00:00:00.000Z",
        "dateUpdated": "2025-04-16T16:29:59.860Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2020-25158 (GCVE-0-2020-25158)

    Vulnerability from cvelistv5 – Published: 2022-04-14 20:05 – Updated: 2025-04-16 16:30
    VLAI
    Title
    B. Braun SpaceCom, Battery Pack SP with Wi-Fi, and Data module compactplus
    Summary
    A reflected cross-site scripting (XSS) vulnerability in the B. Braun Melsungen AG SpaceCom Version L81/U61 and earlier, and the Data module compactplus Versions A10 and A11 allows remote attackers to inject arbitrary web script or HTML into various locations.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Cross-site Scripting
    Assigner
    References
    Impacted products
    Vendor Product Version
    B. Braun Melsungen AG SpaceCom Affected: unspecified , ≤ U61 (custom)
    Affected: unspecified , ≤ L81 (custom)
    Create a notification for this product.
    B. Braun Melsungen AG Battery pack with Wi-Fi Affected: unspecified , ≤ U61 (custom)
    Affected: unspecified , ≤ L81 (custom)
    Create a notification for this product.
    B. Braun Melsungen AG Data module compactplus Affected: A10
    Affected: A11
    Create a notification for this product.
    Credits
    Julian Suleder, Nils Emmerich, and Birk Kauer of ERNW Research GmbH; Dr. Oliver Matula of ERNW Enno Rey Netzwerke GmbH, reported these vulnerabilities to the Federal Office for Information Security (BSI), Germany, in the context of the BSI project ManiMed (Manipulation of medical devices).
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T15:26:10.212Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://www.cisa.gov/uscert/ics/advisories/icsma-20-296-02"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2020-25158",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-04-16T15:54:28.036554Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-04-16T16:30:09.180Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "SpaceCom",
              "vendor": "B. Braun Melsungen AG",
              "versions": [
                {
                  "lessThanOrEqual": "U61",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                },
                {
                  "lessThanOrEqual": "L81",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            },
            {
              "product": "Battery pack with Wi-Fi",
              "vendor": "B. Braun Melsungen AG",
              "versions": [
                {
                  "lessThanOrEqual": "U61",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                },
                {
                  "lessThanOrEqual": "L81",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            },
            {
              "product": "Data module compactplus",
              "vendor": "B. Braun Melsungen AG",
              "versions": [
                {
                  "status": "affected",
                  "version": "A10"
                },
                {
                  "status": "affected",
                  "version": "A11"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Julian Suleder, Nils Emmerich, and Birk Kauer of ERNW Research GmbH; Dr. Oliver Matula of ERNW Enno Rey Netzwerke GmbH, reported these vulnerabilities to the Federal Office for Information Security (BSI), Germany, in the context of the BSI project ManiMed (Manipulation of medical devices)."
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A reflected cross-site scripting (XSS) vulnerability in the B. Braun Melsungen AG SpaceCom Version L81/U61 and earlier, and the Data module compactplus Versions A10 and A11 allows remote attackers to inject arbitrary web script or HTML into various locations."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 7.6,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:L",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79: Cross-site Scripting",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-04-14T20:05:56.000Z",
            "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
            "shortName": "icscert"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://www.cisa.gov/uscert/ics/advisories/icsma-20-296-02"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "value": "B. Braun recommends applying updates:\n\n    SpaceCom: Version U62 or later (United States), L82 or later (outside the United States)\n    Battery Pack SP with Wi-Fi: Version U62 or later (United States), L82 or later (outside the United States)\n    Data module compactplus: Version A12 or later\n\nPlease contact your local B. Braun organization to request further help. For more information please see the B. Braun Security Advisory.  https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html\n"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "B. Braun SpaceCom, Battery Pack SP with Wi-Fi, and Data module compactplus",
          "workarounds": [
            {
              "lang": "en",
              "value": "As a general security measure, B. Braun recommends protecting the network with appropriate mechanisms:\n\n    Ensure the devices are not accessible directly from the Internet.\n    Use a firewall and isolate the medical devices from the business network. \n\nPlease contact your local B. Braun organization to request further help. For more information please see the B. Braun Security Advisory.  https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html"
            }
          ],
          "x_generator": {
            "engine": "Vulnogram 0.0.9"
          },
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "ics-cert@hq.dhs.gov",
              "ID": "CVE-2020-25158",
              "STATE": "PUBLIC",
              "TITLE": "B. Braun SpaceCom, Battery Pack SP with Wi-Fi, and Data module compactplus"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "SpaceCom",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c=",
                                "version_value": "U61"
                              },
                              {
                                "version_affected": "\u003c=",
                                "version_value": "L81"
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "Battery pack with Wi-Fi",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c=",
                                "version_value": "U61"
                              },
                              {
                                "version_affected": "\u003c=",
                                "version_value": "L81"
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "Data module compactplus",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "=",
                                "version_value": "A10"
                              },
                              {
                                "version_affected": "=",
                                "version_value": "A11"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "B. Braun Melsungen AG"
                  }
                ]
              }
            },
            "credit": [
              {
                "lang": "eng",
                "value": "Julian Suleder, Nils Emmerich, and Birk Kauer of ERNW Research GmbH; Dr. Oliver Matula of ERNW Enno Rey Netzwerke GmbH, reported these vulnerabilities to the Federal Office for Information Security (BSI), Germany, in the context of the BSI project ManiMed (Manipulation of medical devices)."
              }
            ],
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "A reflected cross-site scripting (XSS) vulnerability in the B. Braun Melsungen AG SpaceCom Version L81/U61 and earlier, and the Data module compactplus Versions A10 and A11 allows remote attackers to inject arbitrary web script or HTML into various locations."
                }
              ]
            },
            "generator": {
              "engine": "Vulnogram 0.0.9"
            },
            "impact": {
              "cvss": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 7.6,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:L",
                "version": "3.1"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-79: Cross-site Scripting"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://www.cisa.gov/uscert/ics/advisories/icsma-20-296-02",
                  "refsource": "CONFIRM",
                  "url": "https://www.cisa.gov/uscert/ics/advisories/icsma-20-296-02"
                },
                {
                  "name": "https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html",
                  "refsource": "CONFIRM",
                  "url": "https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html"
                }
              ]
            },
            "solution": [
              {
                "lang": "en",
                "value": "B. Braun recommends applying updates:\n\n    SpaceCom: Version U62 or later (United States), L82 or later (outside the United States)\n    Battery Pack SP with Wi-Fi: Version U62 or later (United States), L82 or later (outside the United States)\n    Data module compactplus: Version A12 or later\n\nPlease contact your local B. Braun organization to request further help. For more information please see the B. Braun Security Advisory.  https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html\n"
              }
            ],
            "source": {
              "discovery": "EXTERNAL"
            },
            "work_around": [
              {
                "lang": "en",
                "value": "As a general security measure, B. Braun recommends protecting the network with appropriate mechanisms:\n\n    Ensure the devices are not accessible directly from the Internet.\n    Use a firewall and isolate the medical devices from the business network. \n\nPlease contact your local B. Braun organization to request further help. For more information please see the B. Braun Security Advisory.  https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html"
              }
            ]
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
        "assignerShortName": "icscert",
        "cveId": "CVE-2020-25158",
        "datePublished": "2022-04-14T20:05:56.000Z",
        "dateReserved": "2020-09-04T00:00:00.000Z",
        "dateUpdated": "2025-04-16T16:30:09.180Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2020-25152 (GCVE-0-2020-25152)

    Vulnerability from cvelistv5 – Published: 2022-04-14 20:05 – Updated: 2025-04-16 16:30
    VLAI
    Title
    B. Braun SpaceCom, Battery Pack SP with Wi-Fi, and Data module compactplus
    Summary
    A session fixation vulnerability in the B. Braun Melsungen AG SpaceCom administrative interface Version L81/U61 and earlier, and the Data module compactplus Versions A10 and A11 allows remote attackers to hijack web sessions and escalate privileges.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    References
    Impacted products
    Vendor Product Version
    B. Braun Melsungen AG SpaceCom Affected: unspecified , ≤ U61 (custom)
    Affected: unspecified , ≤ L81 (custom)
    Create a notification for this product.
    B. Braun Melsungen AG Battery pack with Wi-Fi Affected: unspecified , ≤ U61 (custom)
    Affected: unspecified , ≤ L81 (custom)
    Create a notification for this product.
    B. Braun Melsungen AG Data module compactplus Affected: A10
    Affected: A11
    Create a notification for this product.
    Credits
    Julian Suleder, Nils Emmerich, and Birk Kauer of ERNW Research GmbH; Dr. Oliver Matula of ERNW Enno Rey Netzwerke GmbH, reported these vulnerabilities to the Federal Office for Information Security (BSI), Germany, in the context of the BSI project ManiMed (Manipulation of medical devices).
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T15:26:09.803Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://www.cisa.gov/uscert/ics/advisories/icsma-20-296-02"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2020-25152",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-04-16T15:54:34.665213Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-04-16T16:30:24.443Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "SpaceCom",
              "vendor": "B. Braun Melsungen AG",
              "versions": [
                {
                  "lessThanOrEqual": "U61",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                },
                {
                  "lessThanOrEqual": "L81",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            },
            {
              "product": "Battery pack with Wi-Fi",
              "vendor": "B. Braun Melsungen AG",
              "versions": [
                {
                  "lessThanOrEqual": "U61",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                },
                {
                  "lessThanOrEqual": "L81",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            },
            {
              "product": "Data module compactplus",
              "vendor": "B. Braun Melsungen AG",
              "versions": [
                {
                  "status": "affected",
                  "version": "A10"
                },
                {
                  "status": "affected",
                  "version": "A11"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Julian Suleder, Nils Emmerich, and Birk Kauer of ERNW Research GmbH; Dr. Oliver Matula of ERNW Enno Rey Netzwerke GmbH, reported these vulnerabilities to the Federal Office for Information Security (BSI), Germany, in the context of the BSI project ManiMed (Manipulation of medical devices)."
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A session fixation vulnerability in the B. Braun Melsungen AG SpaceCom administrative interface Version L81/U61 and earlier, and the Data module compactplus Versions A10 and A11 allows remote attackers to hijack web sessions and escalate privileges."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 6.5,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-384",
                  "description": "CWE-384: Session Fixation",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-04-14T20:05:55.000Z",
            "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
            "shortName": "icscert"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://www.cisa.gov/uscert/ics/advisories/icsma-20-296-02"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "value": "B. Braun recommends applying updates:\n\n    SpaceCom: Version U62 or later (United States), L82 or later (outside the United States)\n    Battery Pack SP with Wi-Fi: Version U62 or later (United States), L82 or later (outside the United States)\n    Data module compactplus: Version A12 or later\n\nPlease contact your local B. Braun organization to request further help. For more information please see the B. Braun Security Advisory.  https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html\n"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "B. Braun SpaceCom, Battery Pack SP with Wi-Fi, and Data module compactplus",
          "workarounds": [
            {
              "lang": "en",
              "value": "As a general security measure, B. Braun recommends protecting the network with appropriate mechanisms:\n\n    Ensure the devices are not accessible directly from the Internet.\n    Use a firewall and isolate the medical devices from the business network. \n\nPlease contact your local B. Braun organization to request further help. For more information please see the B. Braun Security Advisory.  https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html"
            }
          ],
          "x_generator": {
            "engine": "Vulnogram 0.0.9"
          },
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "ics-cert@hq.dhs.gov",
              "ID": "CVE-2020-25152",
              "STATE": "PUBLIC",
              "TITLE": "B. Braun SpaceCom, Battery Pack SP with Wi-Fi, and Data module compactplus"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "SpaceCom",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c=",
                                "version_value": "U61"
                              },
                              {
                                "version_affected": "\u003c=",
                                "version_value": "L81"
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "Battery pack with Wi-Fi",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c=",
                                "version_value": "U61"
                              },
                              {
                                "version_affected": "\u003c=",
                                "version_value": "L81"
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "Data module compactplus",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "=",
                                "version_value": "A10"
                              },
                              {
                                "version_affected": "=",
                                "version_value": "A11"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "B. Braun Melsungen AG"
                  }
                ]
              }
            },
            "credit": [
              {
                "lang": "eng",
                "value": "Julian Suleder, Nils Emmerich, and Birk Kauer of ERNW Research GmbH; Dr. Oliver Matula of ERNW Enno Rey Netzwerke GmbH, reported these vulnerabilities to the Federal Office for Information Security (BSI), Germany, in the context of the BSI project ManiMed (Manipulation of medical devices)."
              }
            ],
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "A session fixation vulnerability in the B. Braun Melsungen AG SpaceCom administrative interface Version L81/U61 and earlier, and the Data module compactplus Versions A10 and A11 allows remote attackers to hijack web sessions and escalate privileges."
                }
              ]
            },
            "generator": {
              "engine": "Vulnogram 0.0.9"
            },
            "impact": {
              "cvss": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 6.5,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
                "version": "3.1"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-384: Session Fixation"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://www.cisa.gov/uscert/ics/advisories/icsma-20-296-02",
                  "refsource": "CONFIRM",
                  "url": "https://www.cisa.gov/uscert/ics/advisories/icsma-20-296-02"
                },
                {
                  "name": "https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html",
                  "refsource": "CONFIRM",
                  "url": "https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html"
                }
              ]
            },
            "solution": [
              {
                "lang": "en",
                "value": "B. Braun recommends applying updates:\n\n    SpaceCom: Version U62 or later (United States), L82 or later (outside the United States)\n    Battery Pack SP with Wi-Fi: Version U62 or later (United States), L82 or later (outside the United States)\n    Data module compactplus: Version A12 or later\n\nPlease contact your local B. Braun organization to request further help. For more information please see the B. Braun Security Advisory.  https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html\n"
              }
            ],
            "source": {
              "discovery": "EXTERNAL"
            },
            "work_around": [
              {
                "lang": "en",
                "value": "As a general security measure, B. Braun recommends protecting the network with appropriate mechanisms:\n\n    Ensure the devices are not accessible directly from the Internet.\n    Use a firewall and isolate the medical devices from the business network. \n\nPlease contact your local B. Braun organization to request further help. For more information please see the B. Braun Security Advisory.  https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html"
              }
            ]
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
        "assignerShortName": "icscert",
        "cveId": "CVE-2020-25152",
        "datePublished": "2022-04-14T20:05:55.000Z",
        "dateReserved": "2020-09-04T00:00:00.000Z",
        "dateUpdated": "2025-04-16T16:30:24.443Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2020-25160 (GCVE-0-2020-25160)

    Vulnerability from cvelistv5 – Published: 2022-04-14 20:05 – Updated: 2025-04-16 16:30
    VLAI
    Title
    B. Braun SpaceCom, Battery Pack SP with Wi-Fi, and Data module compactplus
    Summary
    Improper access controls in the B. Braun Melsungen AG SpaceCom Version L81/U61 and earlier, and the Data module compactplus Versions A10 and A11 enables attackers to extract and tamper with the devices network configuration.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-284 - Improper Access Control
    Assigner
    References
    Impacted products
    Vendor Product Version
    B. Braun Melsungen AG SpaceCom Affected: unspecified , ≤ U61 (custom)
    Affected: unspecified , ≤ L81 (custom)
    Create a notification for this product.
    B. Braun Melsungen AG Battery pack with Wi-Fi Affected: unspecified , ≤ U61 (custom)
    Affected: unspecified , ≤ L81 (custom)
    Create a notification for this product.
    B. Braun Melsungen AG Data module compactplus Affected: A10
    Affected: A11
    Create a notification for this product.
    Credits
    Julian Suleder, Nils Emmerich, and Birk Kauer of ERNW Research GmbH; Dr. Oliver Matula of ERNW Enno Rey Netzwerke GmbH, reported these vulnerabilities to the Federal Office for Information Security (BSI), Germany, in the context of the BSI project ManiMed (Manipulation of medical devices).
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T15:26:09.469Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://www.cisa.gov/uscert/ics/advisories/icsma-20-296-02"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2020-25160",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-04-16T15:54:31.099580Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-04-16T16:30:17.021Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "SpaceCom",
              "vendor": "B. Braun Melsungen AG",
              "versions": [
                {
                  "lessThanOrEqual": "U61",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                },
                {
                  "lessThanOrEqual": "L81",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            },
            {
              "product": "Battery pack with Wi-Fi",
              "vendor": "B. Braun Melsungen AG",
              "versions": [
                {
                  "lessThanOrEqual": "U61",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                },
                {
                  "lessThanOrEqual": "L81",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            },
            {
              "product": "Data module compactplus",
              "vendor": "B. Braun Melsungen AG",
              "versions": [
                {
                  "status": "affected",
                  "version": "A10"
                },
                {
                  "status": "affected",
                  "version": "A11"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Julian Suleder, Nils Emmerich, and Birk Kauer of ERNW Research GmbH; Dr. Oliver Matula of ERNW Enno Rey Netzwerke GmbH, reported these vulnerabilities to the Federal Office for Information Security (BSI), Germany, in the context of the BSI project ManiMed (Manipulation of medical devices)."
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Improper access controls in the B. Braun Melsungen AG SpaceCom Version L81/U61 and earlier, and the Data module compactplus Versions A10 and A11 enables attackers to extract and tamper with the devices network configuration."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "LOCAL",
                "availabilityImpact": "LOW",
                "baseScore": 6.8,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-284",
                  "description": "CWE-284: Improper Access Control",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-04-14T20:05:55.000Z",
            "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
            "shortName": "icscert"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://www.cisa.gov/uscert/ics/advisories/icsma-20-296-02"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "value": "B. Braun recommends applying updates:\n\n    SpaceCom: Version U62 or later (United States), L82 or later (outside the United States)\n    Battery Pack SP with Wi-Fi: Version U62 or later (United States), L82 or later (outside the United States)\n    Data module compactplus: Version A12 or later\n\nPlease contact your local B. Braun organization to request further help. For more information please see the B. Braun Security Advisory.  https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html\n"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "B. Braun SpaceCom, Battery Pack SP with Wi-Fi, and Data module compactplus",
          "workarounds": [
            {
              "lang": "en",
              "value": "As a general security measure, B. Braun recommends protecting the network with appropriate mechanisms:\n\n    Ensure the devices are not accessible directly from the Internet.\n    Use a firewall and isolate the medical devices from the business network. \n\nPlease contact your local B. Braun organization to request further help. For more information please see the B. Braun Security Advisory.  https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html"
            }
          ],
          "x_generator": {
            "engine": "Vulnogram 0.0.9"
          },
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "ics-cert@hq.dhs.gov",
              "ID": "CVE-2020-25160",
              "STATE": "PUBLIC",
              "TITLE": "B. Braun SpaceCom, Battery Pack SP with Wi-Fi, and Data module compactplus"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "SpaceCom",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c=",
                                "version_value": "U61"
                              },
                              {
                                "version_affected": "\u003c=",
                                "version_value": "L81"
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "Battery pack with Wi-Fi",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c=",
                                "version_value": "U61"
                              },
                              {
                                "version_affected": "\u003c=",
                                "version_value": "L81"
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "Data module compactplus",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "=",
                                "version_value": "A10"
                              },
                              {
                                "version_affected": "=",
                                "version_value": "A11"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "B. Braun Melsungen AG"
                  }
                ]
              }
            },
            "credit": [
              {
                "lang": "eng",
                "value": "Julian Suleder, Nils Emmerich, and Birk Kauer of ERNW Research GmbH; Dr. Oliver Matula of ERNW Enno Rey Netzwerke GmbH, reported these vulnerabilities to the Federal Office for Information Security (BSI), Germany, in the context of the BSI project ManiMed (Manipulation of medical devices)."
              }
            ],
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Improper access controls in the B. Braun Melsungen AG SpaceCom Version L81/U61 and earlier, and the Data module compactplus Versions A10 and A11 enables attackers to extract and tamper with the devices network configuration."
                }
              ]
            },
            "generator": {
              "engine": "Vulnogram 0.0.9"
            },
            "impact": {
              "cvss": {
                "attackComplexity": "LOW",
                "attackVector": "LOCAL",
                "availabilityImpact": "LOW",
                "baseScore": 6.8,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L",
                "version": "3.1"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-284: Improper Access Control"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://www.cisa.gov/uscert/ics/advisories/icsma-20-296-02",
                  "refsource": "CONFIRM",
                  "url": "https://www.cisa.gov/uscert/ics/advisories/icsma-20-296-02"
                },
                {
                  "name": "https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html",
                  "refsource": "CONFIRM",
                  "url": "https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html"
                }
              ]
            },
            "solution": [
              {
                "lang": "en",
                "value": "B. Braun recommends applying updates:\n\n    SpaceCom: Version U62 or later (United States), L82 or later (outside the United States)\n    Battery Pack SP with Wi-Fi: Version U62 or later (United States), L82 or later (outside the United States)\n    Data module compactplus: Version A12 or later\n\nPlease contact your local B. Braun organization to request further help. For more information please see the B. Braun Security Advisory.  https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html\n"
              }
            ],
            "source": {
              "discovery": "EXTERNAL"
            },
            "work_around": [
              {
                "lang": "en",
                "value": "As a general security measure, B. Braun recommends protecting the network with appropriate mechanisms:\n\n    Ensure the devices are not accessible directly from the Internet.\n    Use a firewall and isolate the medical devices from the business network. \n\nPlease contact your local B. Braun organization to request further help. For more information please see the B. Braun Security Advisory.  https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html"
              }
            ]
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
        "assignerShortName": "icscert",
        "cveId": "CVE-2020-25160",
        "datePublished": "2022-04-14T20:05:55.000Z",
        "dateReserved": "2020-09-04T00:00:00.000Z",
        "dateUpdated": "2025-04-16T16:30:17.021Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2020-16238 (GCVE-0-2020-16238)

    Vulnerability from cvelistv5 – Published: 2022-04-14 20:05 – Updated: 2025-04-16 17:55
    VLAI
    Title
    B. Braun SpaceCom, Battery Pack SP with Wi-Fi, and Data module compactplus
    Summary
    A vulnerability in the configuration import mechanism of the B. Braun Melsungen AG SpaceCom Version L81/U61 and earlier, and the Data module compactplus Versions A10 and A11 allows attackers with command line access to the underlying Linux system to escalate privileges to the root user.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-269 - Improper Privilege Management
    Assigner
    References
    Impacted products
    Vendor Product Version
    B. Braun Melsungen AG SpaceCom Affected: unspecified , ≤ U61 (custom)
    Affected: unspecified , ≤ L81 (custom)
    Create a notification for this product.
    B. Braun Melsungen AG Battery pack with Wi-Fi Affected: unspecified , ≤ U61 (custom)
    Affected: unspecified , ≤ L81 (custom)
    Create a notification for this product.
    B. Braun Melsungen AG Data module compactplus Affected: A10
    Affected: A11
    Create a notification for this product.
    Credits
    Julian Suleder, Nils Emmerich, and Birk Kauer of ERNW Research GmbH; Dr. Oliver Matula of ERNW Enno Rey Netzwerke GmbH, reported these vulnerabilities to the Federal Office for Information Security (BSI), Germany, in the context of the BSI project ManiMed (Manipulation of medical devices).
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T13:37:53.954Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://www.cisa.gov/uscert/ics/advisories/icsma-20-296-02"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2020-16238",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-04-16T17:29:45.935171Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-04-16T17:55:42.177Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "SpaceCom",
              "vendor": "B. Braun Melsungen AG",
              "versions": [
                {
                  "lessThanOrEqual": "U61",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                },
                {
                  "lessThanOrEqual": "L81",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            },
            {
              "product": "Battery pack with Wi-Fi",
              "vendor": "B. Braun Melsungen AG",
              "versions": [
                {
                  "lessThanOrEqual": "U61",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                },
                {
                  "lessThanOrEqual": "L81",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            },
            {
              "product": "Data module compactplus",
              "vendor": "B. Braun Melsungen AG",
              "versions": [
                {
                  "status": "affected",
                  "version": "A10"
                },
                {
                  "status": "affected",
                  "version": "A11"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Julian Suleder, Nils Emmerich, and Birk Kauer of ERNW Research GmbH; Dr. Oliver Matula of ERNW Enno Rey Netzwerke GmbH, reported these vulnerabilities to the Federal Office for Information Security (BSI), Germany, in the context of the BSI project ManiMed (Manipulation of medical devices)."
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A vulnerability in the configuration import mechanism of the B. Braun Melsungen AG SpaceCom Version L81/U61 and earlier, and the Data module compactplus Versions A10 and A11 allows attackers with command line access to the underlying Linux system to escalate privileges to the root user."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "LOCAL",
                "availabilityImpact": "HIGH",
                "baseScore": 6.7,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "HIGH",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-269",
                  "description": "CWE-269: Improper Privilege Management",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-04-14T20:05:53.000Z",
            "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
            "shortName": "icscert"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://www.cisa.gov/uscert/ics/advisories/icsma-20-296-02"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "value": "B. Braun recommends applying updates:\n\n    SpaceCom: Version U62 or later (United States), L82 or later (outside the United States)\n    Battery Pack SP with Wi-Fi: Version U62 or later (United States), L82 or later (outside the United States)\n    Data module compactplus: Version A12 or later\n\nPlease contact your local B. Braun organization to request further help. For more information please see the B. Braun Security Advisory.  https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html\n"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "B. Braun SpaceCom, Battery Pack SP with Wi-Fi, and Data module compactplus",
          "workarounds": [
            {
              "lang": "en",
              "value": "As a general security measure, B. Braun recommends protecting the network with appropriate mechanisms:\n\n    Ensure the devices are not accessible directly from the Internet.\n    Use a firewall and isolate the medical devices from the business network. \n\nPlease contact your local B. Braun organization to request further help. For more information please see the B. Braun Security Advisory.  https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html"
            }
          ],
          "x_generator": {
            "engine": "Vulnogram 0.0.9"
          },
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "ics-cert@hq.dhs.gov",
              "ID": "CVE-2020-16238",
              "STATE": "PUBLIC",
              "TITLE": "B. Braun SpaceCom, Battery Pack SP with Wi-Fi, and Data module compactplus"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "SpaceCom",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c=",
                                "version_value": "U61"
                              },
                              {
                                "version_affected": "\u003c=",
                                "version_value": "L81"
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "Battery pack with Wi-Fi",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c=",
                                "version_value": "U61"
                              },
                              {
                                "version_affected": "\u003c=",
                                "version_value": "L81"
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "Data module compactplus",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "=",
                                "version_value": "A10"
                              },
                              {
                                "version_affected": "=",
                                "version_value": "A11"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "B. Braun Melsungen AG"
                  }
                ]
              }
            },
            "credit": [
              {
                "lang": "eng",
                "value": "Julian Suleder, Nils Emmerich, and Birk Kauer of ERNW Research GmbH; Dr. Oliver Matula of ERNW Enno Rey Netzwerke GmbH, reported these vulnerabilities to the Federal Office for Information Security (BSI), Germany, in the context of the BSI project ManiMed (Manipulation of medical devices)."
              }
            ],
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "A vulnerability in the configuration import mechanism of the B. Braun Melsungen AG SpaceCom Version L81/U61 and earlier, and the Data module compactplus Versions A10 and A11 allows attackers with command line access to the underlying Linux system to escalate privileges to the root user."
                }
              ]
            },
            "generator": {
              "engine": "Vulnogram 0.0.9"
            },
            "impact": {
              "cvss": {
                "attackComplexity": "LOW",
                "attackVector": "LOCAL",
                "availabilityImpact": "HIGH",
                "baseScore": 6.7,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "HIGH",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-269: Improper Privilege Management"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://www.cisa.gov/uscert/ics/advisories/icsma-20-296-02",
                  "refsource": "CONFIRM",
                  "url": "https://www.cisa.gov/uscert/ics/advisories/icsma-20-296-02"
                },
                {
                  "name": "https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html",
                  "refsource": "CONFIRM",
                  "url": "https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html"
                }
              ]
            },
            "solution": [
              {
                "lang": "en",
                "value": "B. Braun recommends applying updates:\n\n    SpaceCom: Version U62 or later (United States), L82 or later (outside the United States)\n    Battery Pack SP with Wi-Fi: Version U62 or later (United States), L82 or later (outside the United States)\n    Data module compactplus: Version A12 or later\n\nPlease contact your local B. Braun organization to request further help. For more information please see the B. Braun Security Advisory.  https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html\n"
              }
            ],
            "source": {
              "discovery": "EXTERNAL"
            },
            "work_around": [
              {
                "lang": "en",
                "value": "As a general security measure, B. Braun recommends protecting the network with appropriate mechanisms:\n\n    Ensure the devices are not accessible directly from the Internet.\n    Use a firewall and isolate the medical devices from the business network. \n\nPlease contact your local B. Braun organization to request further help. For more information please see the B. Braun Security Advisory.  https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html"
              }
            ]
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
        "assignerShortName": "icscert",
        "cveId": "CVE-2020-16238",
        "datePublished": "2022-04-14T20:05:53.000Z",
        "dateReserved": "2020-07-31T00:00:00.000Z",
        "dateUpdated": "2025-04-16T17:55:42.177Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2020-25156 (GCVE-0-2020-25156)

    Vulnerability from cvelistv5 – Published: 2022-04-14 20:05 – Updated: 2025-04-16 17:55
    VLAI
    Title
    B. Braun SpaceCom, Battery Pack SP with Wi-Fi, and Data module compactplus
    Summary
    Active debug code in the B. Braun Melsungen AG SpaceCom Version L8/U61, and the Data module compactplus Versions A10 and A11 and earlier enables attackers in possession of cryptographic material to access the device as root.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    References
    Impacted products
    Vendor Product Version
    B. Braun Melsungen AG SpaceCom Affected: unspecified , ≤ U61 (custom)
    Affected: unspecified , ≤ L81 (custom)
    Create a notification for this product.
    B. Braun Melsungen AG Battery pack with Wi-Fi Affected: unspecified , ≤ U61 (custom)
    Affected: unspecified , ≤ L81 (custom)
    Create a notification for this product.
    B. Braun Melsungen AG Data module compactplus Affected: A10
    Affected: A11
    Create a notification for this product.
    Credits
    Julian Suleder, Nils Emmerich, and Birk Kauer of ERNW Research GmbH; Dr. Oliver Matula of ERNW Enno Rey Netzwerke GmbH, reported these vulnerabilities to the Federal Office for Information Security (BSI), Germany, in the context of the BSI project ManiMed (Manipulation of medical devices).
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T15:26:09.778Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://www.cisa.gov/uscert/ics/advisories/icsma-20-296-02"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2020-25156",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-04-16T17:29:43.063614Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-04-16T17:55:34.722Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "SpaceCom",
              "vendor": "B. Braun Melsungen AG",
              "versions": [
                {
                  "lessThanOrEqual": "U61",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                },
                {
                  "lessThanOrEqual": "L81",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            },
            {
              "product": "Battery pack with Wi-Fi",
              "vendor": "B. Braun Melsungen AG",
              "versions": [
                {
                  "lessThanOrEqual": "U61",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                },
                {
                  "lessThanOrEqual": "L81",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            },
            {
              "product": "Data module compactplus",
              "vendor": "B. Braun Melsungen AG",
              "versions": [
                {
                  "status": "affected",
                  "version": "A10"
                },
                {
                  "status": "affected",
                  "version": "A11"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Julian Suleder, Nils Emmerich, and Birk Kauer of ERNW Research GmbH; Dr. Oliver Matula of ERNW Enno Rey Netzwerke GmbH, reported these vulnerabilities to the Federal Office for Information Security (BSI), Germany, in the context of the BSI project ManiMed (Manipulation of medical devices)."
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Active debug code in the B. Braun Melsungen AG SpaceCom Version L8/U61, and the Data module compactplus Versions A10 and A11 and earlier enables attackers in possession of cryptographic material to access the device as root."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 7.2,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "HIGH",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-489",
                  "description": "CWE-489: Active Debug Code",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-04-14T20:05:53.000Z",
            "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
            "shortName": "icscert"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://www.cisa.gov/uscert/ics/advisories/icsma-20-296-02"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "value": "B. Braun recommends applying updates:\n\n    SpaceCom: Version U62 or later (United States), L82 or later (outside the United States)\n    Battery Pack SP with Wi-Fi: Version U62 or later (United States), L82 or later (outside the United States)\n    Data module compactplus: Version A12 or later\n\nPlease contact your local B. Braun organization to request further help. For more information please see the B. Braun Security Advisory.  https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html\n"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "B. Braun SpaceCom, Battery Pack SP with Wi-Fi, and Data module compactplus",
          "workarounds": [
            {
              "lang": "en",
              "value": "As a general security measure, B. Braun recommends protecting the network with appropriate mechanisms:\n\n    Ensure the devices are not accessible directly from the Internet.\n    Use a firewall and isolate the medical devices from the business network. \n\nPlease contact your local B. Braun organization to request further help. For more information please see the B. Braun Security Advisory.  https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html"
            }
          ],
          "x_generator": {
            "engine": "Vulnogram 0.0.9"
          },
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "ics-cert@hq.dhs.gov",
              "ID": "CVE-2020-25156",
              "STATE": "PUBLIC",
              "TITLE": "B. Braun SpaceCom, Battery Pack SP with Wi-Fi, and Data module compactplus"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "SpaceCom",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c=",
                                "version_value": "U61"
                              },
                              {
                                "version_affected": "\u003c=",
                                "version_value": "L81"
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "Battery pack with Wi-Fi",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c=",
                                "version_value": "U61"
                              },
                              {
                                "version_affected": "\u003c=",
                                "version_value": "L81"
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "Data module compactplus",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "=",
                                "version_value": "A10"
                              },
                              {
                                "version_affected": "=",
                                "version_value": "A11"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "B. Braun Melsungen AG"
                  }
                ]
              }
            },
            "credit": [
              {
                "lang": "eng",
                "value": "Julian Suleder, Nils Emmerich, and Birk Kauer of ERNW Research GmbH; Dr. Oliver Matula of ERNW Enno Rey Netzwerke GmbH, reported these vulnerabilities to the Federal Office for Information Security (BSI), Germany, in the context of the BSI project ManiMed (Manipulation of medical devices)."
              }
            ],
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Active debug code in the B. Braun Melsungen AG SpaceCom Version L8/U61, and the Data module compactplus Versions A10 and A11 and earlier enables attackers in possession of cryptographic material to access the device as root."
                }
              ]
            },
            "generator": {
              "engine": "Vulnogram 0.0.9"
            },
            "impact": {
              "cvss": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 7.2,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "HIGH",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-489: Active Debug Code"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://www.cisa.gov/uscert/ics/advisories/icsma-20-296-02",
                  "refsource": "CONFIRM",
                  "url": "https://www.cisa.gov/uscert/ics/advisories/icsma-20-296-02"
                },
                {
                  "name": "https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html",
                  "refsource": "CONFIRM",
                  "url": "https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html"
                }
              ]
            },
            "solution": [
              {
                "lang": "en",
                "value": "B. Braun recommends applying updates:\n\n    SpaceCom: Version U62 or later (United States), L82 or later (outside the United States)\n    Battery Pack SP with Wi-Fi: Version U62 or later (United States), L82 or later (outside the United States)\n    Data module compactplus: Version A12 or later\n\nPlease contact your local B. Braun organization to request further help. For more information please see the B. Braun Security Advisory.  https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html\n"
              }
            ],
            "source": {
              "discovery": "EXTERNAL"
            },
            "work_around": [
              {
                "lang": "en",
                "value": "As a general security measure, B. Braun recommends protecting the network with appropriate mechanisms:\n\n    Ensure the devices are not accessible directly from the Internet.\n    Use a firewall and isolate the medical devices from the business network. \n\nPlease contact your local B. Braun organization to request further help. For more information please see the B. Braun Security Advisory.  https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html"
              }
            ]
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
        "assignerShortName": "icscert",
        "cveId": "CVE-2020-25156",
        "datePublished": "2022-04-14T20:05:53.000Z",
        "dateReserved": "2020-09-04T00:00:00.000Z",
        "dateUpdated": "2025-04-16T17:55:34.722Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2020-25150 (GCVE-0-2020-25150)

    Vulnerability from cvelistv5 – Published: 2022-04-14 20:05 – Updated: 2025-04-16 16:30
    VLAI
    Title
    B. Braun SpaceCom, Battery Pack SP with Wi-Fi, and Data module compactplus
    Summary
    A relative path traversal attack in the B. Braun Melsungen AG SpaceCom Version L81/U61 and earlier, and the Data module compactplus Versions A10 and A11 allows attackers with service user privileges to upload arbitrary files. By uploading a specially crafted tar file an attacker can execute arbitrary commands.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-23 - Relative Path Traversal
    Assigner
    References
    Impacted products
    Vendor Product Version
    B. Braun Melsungen AG SpaceCom Affected: unspecified , ≤ U61 (custom)
    Affected: unspecified , ≤ L81 (custom)
    Create a notification for this product.
    B. Braun Melsungen AG Battery pack with Wi-Fi Affected: unspecified , ≤ U61 (custom)
    Affected: unspecified , ≤ L81 (custom)
    Create a notification for this product.
    B. Braun Melsungen AG Data module compactplus Affected: A10
    Affected: A11
    Create a notification for this product.
    Credits
    Julian Suleder, Nils Emmerich, and Birk Kauer of ERNW Research GmbH; Dr. Oliver Matula of ERNW Enno Rey Netzwerke GmbH, reported these vulnerabilities to the Federal Office for Information Security (BSI), Germany, in the context of the BSI project ManiMed (Manipulation of medical devices).
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T15:26:09.495Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://www.cisa.gov/uscert/ics/advisories/icsma-20-296-02"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2020-25150",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-04-16T15:54:38.970393Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-04-16T16:30:32.103Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "SpaceCom",
              "vendor": "B. Braun Melsungen AG",
              "versions": [
                {
                  "lessThanOrEqual": "U61",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                },
                {
                  "lessThanOrEqual": "L81",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            },
            {
              "product": "Battery pack with Wi-Fi",
              "vendor": "B. Braun Melsungen AG",
              "versions": [
                {
                  "lessThanOrEqual": "U61",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                },
                {
                  "lessThanOrEqual": "L81",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            },
            {
              "product": "Data module compactplus",
              "vendor": "B. Braun Melsungen AG",
              "versions": [
                {
                  "status": "affected",
                  "version": "A10"
                },
                {
                  "status": "affected",
                  "version": "A11"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Julian Suleder, Nils Emmerich, and Birk Kauer of ERNW Research GmbH; Dr. Oliver Matula of ERNW Enno Rey Netzwerke GmbH, reported these vulnerabilities to the Federal Office for Information Security (BSI), Germany, in the context of the BSI project ManiMed (Manipulation of medical devices)."
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A relative path traversal attack in the B. Braun Melsungen AG SpaceCom Version L81/U61 and earlier, and the Data module compactplus Versions A10 and A11 allows attackers with service user privileges to upload arbitrary files. By uploading a specially crafted tar file an attacker can execute arbitrary commands."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 7.6,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "LOW",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-23",
                  "description": "CWE-23: Relative Path Traversal",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-04-14T20:05:52.000Z",
            "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
            "shortName": "icscert"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://www.cisa.gov/uscert/ics/advisories/icsma-20-296-02"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "value": "B. Braun recommends applying updates:\n\n    SpaceCom: Version U62 or later (United States), L82 or later (outside the United States)\n    Battery Pack SP with Wi-Fi: Version U62 or later (United States), L82 or later (outside the United States)\n    Data module compactplus: Version A12 or later\n\nPlease contact your local B. Braun organization to request further help. For more information please see the B. Braun Security Advisory.  https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html\n"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "B. Braun SpaceCom, Battery Pack SP with Wi-Fi, and Data module compactplus",
          "workarounds": [
            {
              "lang": "en",
              "value": "As a general security measure, B. Braun recommends protecting the network with appropriate mechanisms:\n\n    Ensure the devices are not accessible directly from the Internet.\n    Use a firewall and isolate the medical devices from the business network. \n\nPlease contact your local B. Braun organization to request further help. For more information please see the B. Braun Security Advisory.  https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html"
            }
          ],
          "x_generator": {
            "engine": "Vulnogram 0.0.9"
          },
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "ics-cert@hq.dhs.gov",
              "ID": "CVE-2020-25150",
              "STATE": "PUBLIC",
              "TITLE": "B. Braun SpaceCom, Battery Pack SP with Wi-Fi, and Data module compactplus"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "SpaceCom",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c=",
                                "version_value": "U61"
                              },
                              {
                                "version_affected": "\u003c=",
                                "version_value": "L81"
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "Battery pack with Wi-Fi",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c=",
                                "version_value": "U61"
                              },
                              {
                                "version_affected": "\u003c=",
                                "version_value": "L81"
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "Data module compactplus",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "=",
                                "version_value": "A10"
                              },
                              {
                                "version_affected": "=",
                                "version_value": "A11"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "B. Braun Melsungen AG"
                  }
                ]
              }
            },
            "credit": [
              {
                "lang": "eng",
                "value": "Julian Suleder, Nils Emmerich, and Birk Kauer of ERNW Research GmbH; Dr. Oliver Matula of ERNW Enno Rey Netzwerke GmbH, reported these vulnerabilities to the Federal Office for Information Security (BSI), Germany, in the context of the BSI project ManiMed (Manipulation of medical devices)."
              }
            ],
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "A relative path traversal attack in the B. Braun Melsungen AG SpaceCom Version L81/U61 and earlier, and the Data module compactplus Versions A10 and A11 allows attackers with service user privileges to upload arbitrary files. By uploading a specially crafted tar file an attacker can execute arbitrary commands."
                }
              ]
            },
            "generator": {
              "engine": "Vulnogram 0.0.9"
            },
            "impact": {
              "cvss": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 7.6,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "LOW",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L",
                "version": "3.1"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-23: Relative Path Traversal"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://www.cisa.gov/uscert/ics/advisories/icsma-20-296-02",
                  "refsource": "CONFIRM",
                  "url": "https://www.cisa.gov/uscert/ics/advisories/icsma-20-296-02"
                },
                {
                  "name": "https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html",
                  "refsource": "CONFIRM",
                  "url": "https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html"
                }
              ]
            },
            "solution": [
              {
                "lang": "en",
                "value": "B. Braun recommends applying updates:\n\n    SpaceCom: Version U62 or later (United States), L82 or later (outside the United States)\n    Battery Pack SP with Wi-Fi: Version U62 or later (United States), L82 or later (outside the United States)\n    Data module compactplus: Version A12 or later\n\nPlease contact your local B. Braun organization to request further help. For more information please see the B. Braun Security Advisory.  https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html\n"
              }
            ],
            "source": {
              "discovery": "EXTERNAL"
            },
            "work_around": [
              {
                "lang": "en",
                "value": "As a general security measure, B. Braun recommends protecting the network with appropriate mechanisms:\n\n    Ensure the devices are not accessible directly from the Internet.\n    Use a firewall and isolate the medical devices from the business network. \n\nPlease contact your local B. Braun organization to request further help. For more information please see the B. Braun Security Advisory.  https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html"
              }
            ]
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
        "assignerShortName": "icscert",
        "cveId": "CVE-2020-25150",
        "datePublished": "2022-04-14T20:05:52.000Z",
        "dateReserved": "2020-09-04T00:00:00.000Z",
        "dateUpdated": "2025-04-16T16:30:32.103Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }