CVE-2021-27410

moderate-risk

Published 2021-06-11

The affected product is vulnerable to an out-of-bounds write, which may result in corruption of data or code execution on the Welch Allyn medical device management tools (Welch Allyn Service Tool: versions prior to v1.10, Welch Allyn Connex Device Integration Suite – Network Connectivity Engine (NCE): versions prior to v5.3, Welch Allyn Software Development Kit (SDK): versions prior to v3.2, Welch Allyn Connex Central Station (CS): versions prior to v1.8.6, Welch Allyn Service Monitor: versions prior to v1.7.0.0, Welch Allyn Connex Vital Signs Monitor (CVSM): versions prior to v2.43.02, Welch Allyn Connex Integrated Wall System (CIWS): versions prior to v2.43.02, Welch Allyn Connex Spot Monitor (CSM): versions prior to v1.52, Welch Allyn Spot Vital Signs 4400 Device (Spot 4400) / Welch Allyn Spot 4400 Vital Signs Extended Care Device: versions prior to v1.11.00).

Do I need to act?

0.29% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 9.8/10 Critical

NETWORK / LOW complexity

Affected Products (10)

Connex Central Station

Connex Device Integration Suite Network Connectivity Engine

Connex Integrated Wall System

Connex Spot Monitor

Connex Vital Signs Monitor

Service Monitor

Service Tool

Software Development Kit

Spot Vital Signs 4400

Affected Vendors

Hillrom

References (2)

Mitigation https://us-cert.cisa.gov/ics/advisories/icsma-21-152-01

/ 100

moderate-risk

Severity 32/34 · Critical

Exploitability 1/34 · Minimal

Exposure 16/34 · Moderate