CVE-2021-37161
published 2021-08-02

Priority: P259
Severity: critical, CVSS 3.1 base score 9.8
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 3.26% (86.8th percentile)
A buffer overflow issue was discovered in the HMI3 Control Panel contained within the Swisslog Healthcare Nexus Panel, operated by released versions of software before Nexus Software 7.2.5.7. A buffer overflow allows an attacker to overwrite an internal queue data structure and can lead to remote code execution.

Affected

1 range

Vendor: swisslog-healthcare
Product: hmi-3_control_panel_firmware
Version range: < 7.2.5.7
Fixed in: 7.2.5.7

Detection & IOCs (extracted from sources)

Port: 12345/udp
URL: www.armis.com/pwnedPiper
Bytes: TLPU (hex: 54 4C 50 55) at packet start
Bytes: 00 00 00 01 at offset 8 (distance:4 from TLPU)
Snort rule:
alert udp any any -> $HOME_NET 12345 (msg:"ET EXPLOIT [PwnedPiper] Exploitation Attempt - Small Malformed Translogic Packet (Multiple CVEs)"; dsize:<21; content:"TLPU"; startswith; fast_pattern; content:"|00 00 00 01|"; distance:4; within:4; reference:url,www.armis.com/pwnedPiper; reference:cve,2021-37162; reference:cve,2021-37165; reference:cve,2021-37161; classtype:attempted-admin; sid:2033661; rev:1; metadata:attack_target Server, created_at 2021_08_03, cve CVE_2021_37162, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, tag Exploit, updated_at 2021_08_03, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)
  • Exploit traffic targets UDP port 12345 on internal hosts (Translogic/Nexus Panel HMI3 service). Alert on UDP datagrams smaller than 21 bytes starting with magic bytes 'TLPU' followed by '00 00 00 01' at offset 8.
  • The vulnerability resides in the HMI3 Control Panel within the Swisslog Healthcare Nexus Panel. Monitor for unexpected UDP traffic to port 12345 on healthcare network segments hosting Nexus Panel devices.
  • Successful exploitation can lead to remote code execution via overwriting an internal queue data structure. Treat any process anomalies on Nexus Panel hosts following UDP/12345 traffic as high-severity incidents.
  • The Snort/Suricata rule (sid:2033661) covers multiple CVEs (CVE-2021-37161, CVE-2021-37162, CVE-2021-37165) with a single signature. A true positive for this rule does not exclusively confirm CVE-2021-37161; triage is required to distinguish which specific vulnerability is being exploited.
  • The rule is applicable to both Perimeter and Internal deployment contexts, indicating the attack surface includes both internet-exposed and internally networked Nexus Panel devices.
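The notes above map the rule's conditions onto the packet layout. As an added example that is not part of this record or of the Emerging Threats/Armis material, the following Python re-implements the match conditions of sid:2033661 (dsize, startswith, distance/within) so UDP payloads pulled from a capture can be triaged offline; the sample datagrams are constructed header-only test vectors, not real captures.

```python
MAGIC = b"TLPU"                 # content:"TLPU"; startswith
MARKER = b"\x00\x00\x00\x01"    # content:"|00 00 00 01|"
HMI3_PORT = 12345               # alert udp any any -> $HOME_NET 12345
MAX_DSIZE = 20                  # dsize:<21


def matches_sid_2033661(dst_port: int, payload: bytes) -> bool:
    """True when a UDP datagram satisfies every condition of the rule.

    distance:4 means the second content match starts 4 bytes after the end
    of the first ("TLPU" ends at offset 4, so the search begins at offset 8);
    within:4 with a 4-byte pattern pins it to exactly offsets 8..11.
    """
    if dst_port != HMI3_PORT:
        return False
    if len(payload) > MAX_DSIZE:
        return False
    if not payload.startswith(MAGIC):
        return False
    start = len(MAGIC) + 4
    return payload[start:start + len(MARKER)] == MARKER


def triage(samples: dict) -> dict:
    """Run the matcher over {label: (dst_port, payload)} and return {label: hit}."""
    return {label: matches_sid_2033661(port, data) for label, (port, data) in samples.items()}


# Constructed test vectors (synthetic, not real captures): header layout only.
SAMPLES = {
    # 16-byte datagram: magic, 4 filler bytes, marker at offset 8, 4 trailing bytes
    "hit_small_malformed": (HMI3_PORT, MAGIC + b"\x00\x00\x00\x10" + MARKER + b"\x00" * 4),
    # same bytes to another port: the rule is scoped to UDP/12345
    "miss_wrong_port": (5000, MAGIC + b"\x00\x00\x00\x10" + MARKER + b"\x00" * 4),
    # 24 bytes: marker in place, but dsize:<21 fails (a normal-length frame)
    "miss_full_size": (HMI3_PORT, MAGIC + b"\x00\x00\x00\x10" + MARKER + b"\x00" * 12),
    # marker one byte later than offset 8: within:4 no longer holds
    "miss_marker_shifted": (HMI3_PORT, MAGIC + b"\x00" * 5 + MARKER),
    # unrelated UDP chatter on the same port
    "miss_other_protocol": (HMI3_PORT, b"HELLO WORLD"),
}

if __name__ == "__main__":
    for label, hit in triage(SAMPLES).items():
        print(f"{label:24s} {'ALERT' if hit else 'ok'}")
```

Because the signature is shared by three CVEs, a hit from this matcher only says "small malformed Translogic packet"; which vulnerability is involved still has to be established from the rest of the payload and host telemetry.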

CVSS provenance

NVD, CVSS v3.1: 9.8 CRITICAL (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
NVD, CVSS v2.0: 7.5 HIGH (AV:N/AC:L/Au:N/C:P/I:P/A:P)