CVE-2021-37167:

Privilege Escalation Vulnerability in Swisslog Healthcare Nexus Panel HMI3 Control Panel

Score
A numerical rating that indicates how dangerous this vulnerability is.

9.8Critical

Published Date:Aug 2, 2021
CISA KEV Date:*No Data*
Industries Affected:20

Threat Predictions

EPSS Score:0.6
EPSS Percentile:69%

Exploitability

Score:3.9
Attack Vector:NETWORK
Attack Complexity:LOW
Privileges Required:NONE
User Interaction:NONE
Scope:UNCHANGED

Impact

Score:5.9
Confidentiality Impact:HIGH
Integrity Impact:HIGH
Availability Impact:HIGH

Description Preview

Privilege Escalation Vulnerability in Swisslog Healthcare Nexus Panel HMI3 Control Panel

Overview

This vulnerability exists in the Swisslog Healthcare Nexus Panel HMI3 Control Panel, which is part of the pneumatic tube system (PTS) widely used in hospitals for transporting medications, lab samples, and other materials. The issue stems from improper privilege management that allows users with default credentials to escalate their privileges to root level. Once root access is obtained, an attacker could potentially control all aspects of the system, modify configurations, access sensitive data, or disrupt critical hospital operations. This vulnerability is part of a series of security issues discovered in the Swisslog PTS system, collectively known as "PwnedPiper."

Remediation

1. Update to Nexus Software version 7.2.5.7 or later, which contains fixes for this vulnerability.
2. Change all default credentials immediately, implementing strong password policies.
3. Implement network segmentation to isolate the PTS system from other hospital networks.
4. Restrict physical access to the Nexus Panel control systems.
5. Monitor system logs for unauthorized access attempts or suspicious activities.
6. Contact Swisslog Healthcare technical support for specific guidance on implementing security patches and best practices.
7. Conduct regular security assessments of the PTS system to identify and address potential vulnerabilities.