CVE-2022-26389
Published: 07 February 2025
Description
An improper access control vulnerability may allow privilege escalation. This issue affects:
* ELI 380 Resting Electrocardiograph: Versions 2.6.0 and prior;
* ELI 280/BUR280/MLBUR 280 Resting Electrocardiograph: Versions 2.3.1 and prior;
* ELI 250c/BUR 250c Resting Electrocardiograph: Versions 2.1.2 and prior;
* ELI 150c/BUR 150c/MLBUR 150c Resting Electrocardiograph: Versions 2.2.0 and prior.
Security Summary
CVE-2022-26389 is an improper access control vulnerability (CWE-284) that may allow privilege escalation. It affects multiple models of Hillrom/Nationwide/Nihon Kohden resting electrocardiograph devices, including the ELI 380 (versions 2.6.0 and prior), ELI 280/BUR280/MLBUR 280 (versions 2.3.1 and prior), ELI 250c/BUR 250c (versions 2.1.2 and prior), and ELI 150c/BUR 150c/MLBUR 150c (versions 2.2.0 and prior). The vulnerability has a CVSS v3.1 base score of 7.7 (AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:H).
An attacker with low privileges (PR:L) could exploit this vulnerability over the network (AV:N) without user interaction (UI:N), though the attack complexity is high (AC:H). Successful exploitation would change scope (S:C), giving limited confidentiality and integrity impact (C:L/I:L) alongside high availability impact (A:H), consistent with the privilege escalation nature of the flaw.
Mitigation details are available in advisories from Hillrom at https://hillrom.com/en/responsible-disclosures/ and CISA ICSMA-22-167-01 at https://www.cisa.gov/news-events/ics-medical-advisories/icsma-22-167-01.
Details
- CWE(s)