CVE-2015-3954
published 2019-03-25
CVE-2015-3954: Hospira Plum A+ Infusion System version 13.4 and prior, Plum A+3 Infusion System version 13.6 and prior, and Symbiq Infusion System, version 3.13 and prior…
Priority P260, critical, 9.8 (CVSS 3.0)
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 2.04% (78.7th percentile)
Hospira Plum A+ Infusion System version 13.4 and prior, Plum A+3 Infusion System version 13.6 and prior, and Symbiq Infusion System, version 3.13 and prior give unauthenticated users root privileges on Port 23/TELNET by default. An unauthorized user could issue commands to the pump. Hospira recommends that customers close Port 23/TELNET on the affected devices. Hospira has also released the Plum 360 Infusion System which is not vulnerable to this issue.
Affected
6 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| hospira | plum_a+3_infusion_system | <= 13.6 | — |
| hospira | plum_a+_infusion_system | <= 13.4 | — |
| hospira | symbiq_infusion_system | <= 3.13 | — |
| pifzer | plum_a_+3_infusion_system_firmware | <= 13.6 | — |
| pifzer | plum_a_+_infusion_system_firmware | <= 13.4 | — |
| pifzer | symbiq_infusion_system_firmware | <= 3.13 | — |
CVSS provenance
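| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 10.0 | CRITICAL | AV:N/AC:L/Au:N/C:C/I:C/A:C |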
GHSA
GHSA-x5v7-rmgq-cm8v: Hospira Plum A+ Infusion System version 13
ghsa_unreviewed·2022-05-13
CVE-2015-3954 [CRITICAL] CWE-285 GHSA-x5v7-rmgq-cm8v: Hospira Plum A+ Infusion System version 13
CISA ICS
Hospira Plum A+ and Symbiq Infusion Systems Vulnerabilities
cisa_ics·2018-08-23
ICS Advisory
Last Revised: August 23, 2018
Alert Code: ICSA-15-161-01
## OVERVIEW
Independent researcher Billy Rios has identified vulnerabilities in Hospira’s Plum A+ Infusion System that are similar to vulnerabilities identified in Hospira’s LifeCare PCA Infusion System discussed in advisory, ICSA-15-125-01B Hospira LifeCare PCA Infusion System Vulnerabilities. Hospira identified vulnerabilities in the Symbiq Infusion System. Kyle Kamke of Ramparts, LLC has identified an uncontrolled resource consumption vulnerability in Hospira’s Sym
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.