CVE-2022-29875
📋 TL;DR
This vulnerability allows unauthenticated remote code execution on Siemens Healthineers medical imaging systems through insecure deserialization of untrusted data. Attackers can exploit this by sending malicious data to ports 32912/tcp or 32914/tcp. Affected systems include PET/CT scanners, MRI machines, mammography systems, and medical imaging software from Siemens Healthineers.
💻 Affected Systems
- Biograph Horizon PET/CT Systems
- MAGNETOM Family
- MAMMOMAT Revelation
- NAEOTOM Alpha
- SOMATOM X.cite
- SOMATOM X.creed
- SOMATOM go.All
- SOMATOM go.Now
- SOMATOM go.Open Pro
- SOMATOM go.Sim
- SOMATOM go.Top
- SOMATOM go.Up
- Symbia E/S
- Symbia Evo
- Symbia Intevo
- Symbia T
- Symbia.net
- syngo.via VB10
- syngo.via VB20
- syngo.via VB30
- syngo.via VB40
- syngo.via VB50
- syngo.via VB60
📦 What is this software?
Biograph Horizon Pet\/ct Systems Firmware by Siemens
View all CVEs affecting Biograph Horizon Pet\/ct Systems Firmware →
Symbia.net by Siemens
Syngo.via by Siemens
Syngo.via by Siemens
Syngo.via by Siemens
Syngo.via by Siemens
Syngo.via by Siemens
Syngo.via by Siemens
Syngo.via by Siemens
Syngo.via by Siemens
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise allowing attackers to execute arbitrary code, potentially disrupting medical imaging operations, stealing patient data, or using the system as a foothold into hospital networks.
Likely Case
Remote code execution leading to system disruption, data theft, or ransomware deployment on medical imaging equipment.
If Mitigated
Limited impact if network segmentation prevents access to vulnerable ports and systems are properly isolated.
🎯 Exploit Status
CVSS 9.8 indicates critical severity with low attack complexity and no authentication required. While no public PoC exists, the vulnerability type (deserialization) is well-understood and weaponization is likely.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Product-specific - VJ30C-UD01, VC20D, VA40 SP2, VA30 SP5, VB22A-UD03, VB40B HF06, VB60B HF02 depending on product
Vendor Advisory: https://www.siemens-healthineers.com/support-documentation/cybersecurity/shsa-455016
Restart Required: Yes
Instructions:
1. Contact Siemens Healthineers for appropriate patches. 2. Schedule maintenance window. 3. Apply vendor-provided updates. 4. Restart affected systems. 5. Verify patch application.
🔧 Temporary Workarounds
Network Segmentation
allBlock access to vulnerable ports 32912/tcp and 32914/tcp using firewalls or network access controls
# Example firewall rule (adjust for your environment)
iptables -A INPUT -p tcp --dport 32912 -j DROP
iptables -A INPUT -p tcp --dport 32914 -j DROP
Network Isolation
allPlace affected medical devices on isolated VLANs with strict access controls
🧯 If You Can't Patch
- Implement strict network segmentation to isolate affected systems from untrusted networks
- Deploy intrusion detection/prevention systems to monitor traffic on ports 32912/tcp and 32914/tcp
🔍 How to Verify
Check if Vulnerable:
Check system version against vendor advisory and verify if ports 32912/tcp or 32914/tcp are listening using network scanning toolsCheck Version:
System-specific - consult Siemens Healthineers documentation for version checking procedures on each affected platformVerify Fix Applied:
Verify system version matches patched versions listed in vendor advisory and confirm patches are applied through vendor documentation📡 Detection & Monitoring
Log Indicators:
- Unusual network connections to ports 32912/tcp or 32914/tcp
- Unexpected process execution on medical imaging systems
- System crashes or abnormal behavior on affected devices
Network Indicators:
- Traffic to ports 32912/tcp or 32914/tcp from unexpected sources
- Malformed serialized data packets to these ports
SIEM Query:
destination_port IN (32912, 32914) AND (device_type CONTAINS 'Siemens' OR device_type CONTAINS 'Healthineers')