CVE-2015-3956
published 2019-03-25

CVE-2015-3956: Hospira Plum A+ Infusion System version 13.4 and prior, Plum A+3 Infusion System version 13.6 and prior, and Symbiq Infusion System, version 3.13 and prior…

Priority: P263, critical, 9.8 (CVSS 3.0)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
EPSS: 0.95% (56.9th percentile)
Hospira Plum A+ Infusion System version 13.4 and prior, Plum A+3 Infusion System version 13.6 and prior, and Symbiq Infusion System, version 3.13 and prior accept drug libraries, firmware updates, pump commands, and unauthorized configuration changes from unauthenticated devices on the host network. Hospira recommends that customers close Port 20/FTP and Port 23/TELNET on the affected devices. Hospira has also released the Plum 360 Infusion System which is not vulnerable to this issue.

Affected

6 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| hospira | plum_a+3_infusion_system | <= 13.6 | |
| hospira | plum_a+_infusion_system | <= 13.4 | |
| hospira | symbiq_infusion_system | <= 3.13 | |
| pifzer | plum_a_+3_infusion_system_firmware | <= 13.6 | |
| pifzer | plum_a_+_infusion_system_firmware | <= 13.4 | |
| pifzer | symbiq_infusion_system_firmware | <= 3.13 | |

CVSS provenance

nvd, v3.0: 9.8 CRITICAL, CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd, v2.0: 10.0 CRITICAL, AV:N/AC:L/Au:N/C:C/I:C/A:C