CVE-2020-25162
📋 TL;DR
This XPath injection vulnerability in B. Braun medical devices allows unauthenticated remote attackers to access sensitive information and potentially escalate privileges. It affects SpaceCom Version L81/U61 and earlier, and Data module compactplus Versions A10 and A11. Healthcare organizations using these devices are at risk.
💻 Affected Systems
- B. Braun SpaceCom
- B. Braun Data module compactplus
📦 What is this software?
SpaceCom by B. Braun
⚠️ Risk & Real-World Impact
Worst Case
Attackers gain full administrative control over medical devices, potentially manipulating treatment parameters or patient data, leading to patient harm or system compromise.
Likely Case
Unauthenticated attackers extract sensitive configuration data, patient information, or credentials, enabling further network penetration or data theft.
If Mitigated
With proper network segmentation and access controls, attackers cannot reach vulnerable interfaces, limiting impact to isolated systems.
🎯 Exploit Status
XPath injection typically requires minimal technical skill; unauthenticated access makes exploitation easier.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: SpaceCom: Version L82 or later; Data module compactplus: Version A12 or later
Vendor Advisory: https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html
Restart Required: Yes
Instructions:
1. Contact B. Braun technical support for patching guidance.
2. Schedule a maintenance window for medical device updates.
3. Apply vendor-provided patches following clinical safety protocols.
4. Verify device functionality post-update.
🔧 Temporary Workarounds
Network Segmentation
Isolate affected devices on separate VLANs with strict firewall rules to prevent unauthorized access.
Access Control Lists
Implement IP-based restrictions to allow only authorized management systems to communicate with vulnerable interfaces.
🧯 If You Can't Patch
- Implement strict network segmentation to isolate devices from untrusted networks
- Deploy intrusion detection systems to monitor for XPath injection attempts
🔍 How to Verify
Check if Vulnerable:
Check device firmware version via device management interface or physical device labels.
Check Version:
Device-specific; typically through web interface or serial console commands documented in vendor manuals.
Verify Fix Applied:
Confirm firmware version is L82 or later for SpaceCom, or A12 or later for Data module compactplus.
📡 Detection & Monitoring
Log Indicators:
- Unusual XPath queries in device logs
- Multiple failed authentication attempts followed by successful access
Network Indicators:
- Unexpected HTTP/S requests to device management interfaces
- Patterns of special characters in URLs (e.g., ' or = in parameters)
SIEM Query:
source="medical_device" AND (url="*[contains(*)]*" OR url="*'*" OR (status=200 AND user="anonymous"))
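The log and network indicators above can be checked outside a SIEM as well. The following is an added example (not code from the page or from B. Braun): it parses constructed access-log lines in a simplified Common Log Format, flags query parameters carrying XPath metacharacters, and flags a run of failed logins followed by a successful one from the same source. The `/login`, `/config` and `/lookup` paths and the log format are assumptions for the sample only.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed sample lines (not real device logs); the paths are assumptions.
SAMPLE_LOG = """\
10.0.5.12 - - [20/Oct/2020:10:01:02 +0000] "GET /status?device=pump01 HTTP/1.1" 200 512
10.0.5.12 - - [20/Oct/2020:10:01:09 +0000] "GET /config?node=settings' HTTP/1.1" 500 88
10.0.5.40 - - [20/Oct/2020:10:02:11 +0000] "GET /lookup?q=%2A%5Bcontains%28name%28%29%2C%27a%27%29%5D HTTP/1.1" 200 4096
10.0.5.12 - - [20/Oct/2020:10:03:15 +0000] "POST /login HTTP/1.1" 401 0
10.0.5.12 - - [20/Oct/2020:10:03:16 +0000] "POST /login HTTP/1.1" 401 0
10.0.5.12 - - [20/Oct/2020:10:03:17 +0000] "POST /login HTTP/1.1" 200 1024
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<target>\S+) [^"]+" (?P<status>\d{3}) \d+'
)
# Quotes, predicates, axes and common XPath functions are rarely legitimate in a parameter value.
XPATH_PATTERN = re.compile(r"""['"\[\]|@]|//|contains\(|text\(|name\(""")


def xpath_indicators(target: str) -> list[str]:
    """Return the decoded query parameters of a request target that contain XPath metacharacters."""
    hits = []
    # parse_qsl percent-decodes once, so encoded quotes and brackets are caught too.
    for key, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        if XPATH_PATTERN.search(value):
            hits.append(f"{key}={value}")
    return hits


def analyze(log_text: str, min_failures: int = 2) -> list[dict]:
    """Scan log lines and return alerts for XPath metacharacters and failure-then-success login runs."""
    alerts, failures = [], {}  # failures: source IP -> consecutive failed logins
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a production collector should count these
        ip, target, status = m["ip"], m["target"], int(m["status"])
        hits = xpath_indicators(target)
        if hits:
            alerts.append({"ip": ip, "type": "xpath_metacharacters", "detail": hits})
        if urlsplit(target).path == "/login":  # assumed login endpoint
            if status in (401, 403):
                failures[ip] = failures.get(ip, 0) + 1
            elif status == 200 and failures.get(ip, 0) >= min_failures:
                alerts.append({"ip": ip, "type": "failures_then_success", "detail": failures[ip]})
                failures[ip] = 0
            else:
                failures[ip] = 0
    return alerts
```

On the sample this yields three alerts: the bare quote in `node`, the decoded predicate in `q`, and two 401s followed by a 200 on `/login` from 10.0.5.12.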
🔗 References
- https://www.bbraun.com/en/products-and-therapies/services/b-braun-vulnerability-disclosure-policy/security-advisory.html
- https://www.cisa.gov/uscert/ics/advisories/icsma-20-296-02