Aethon TUG Home Base Server

Plan PatchCVSS 9.8ICS-CERT ICSA-22-102-05Apr 12, 2022

Healthcare

Attack path

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

Aethon TUG Home Base Server contains multiple vulnerabilities affecting authorization (CWE-862), secure communication (CWE-300), and input handling (CWE-79). The server controls and communicates with autonomous mobile robots deployed in hospital environments. Successful exploitation could result in denial-of-service, unauthorized control of robot functions, or exposure of sensitive information. Aethon has implemented a mitigation plan focusing on firewall deployment and software updates to Version 24, but no permanent patch is available for all instances.

What this means

What could happen

An attacker could take control of hospital autonomous mobile robots, stop them from operating, or access sensitive patient or operational data. This could disrupt medication delivery, sample transport, or other critical hospital logistics.

Who's at risk

Healthcare organizations operating Aethon TUG autonomous mobile robots should care about this vulnerability. The TUG system is used to transport medications, lab samples, and other materials within hospitals, making disruption or compromise directly relevant to patient care delivery and hospital operations.

How it could be exploited

An attacker with network access to the TUG Home Base Server could exploit missing authorization controls, weak communication security, or input validation flaws to issue unauthorized commands to connected robots or extract sensitive data from the server without requiring credentials.

Prerequisites

Network access to the TUG Home Base Server (direct or through compromised hospital network)
No authentication required for exploitation of the authorization vulnerabilities

remotely exploitableno authentication requiredlow complexityaffects safety/operational systems (hospital robot fleet)no patch available for all instances

Exploitability

Unlikely to be exploited — EPSS score 0.9%

Affected products (1)

ProductAffected VersionsFix Status

TUG Home Base Server a server used to control and communicate with autonomous mobile robots in hospitals: All< 24No fix (EOL)

Remediation & Mitigation

0/5

Do now

0/2

WORKAROUNDActivate firewalls to block unauthorized network access to the TUG Home Base Server; isolate the robot control network from the hospital business network and internet

WORKAROUNDContact Aethon directly for additional mitigation guidance specific to your deployment

Schedule — requires maintenance window

0/1

Patching may require device reboot — plan for process interruption

HOTFIXUpdate TUG Home Base Server to Version 24 (the latest available software release from Aethon)

Mitigations - no patch available

0/2

TUG Home Base Server a server used to control and communicate with autonomous mobile robots in hospitals: All has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:

HARDENINGImplement network segmentation to ensure the TUG control system is not reachable from the internet or unsecured networks

HARDENINGIf remote access is required for monitoring or maintenance, implement a VPN with current security updates and restrict access to authorized personnel only

CVEs (5)

CVE-2022-1066 CVE-2022-26423 CVE-2022-1070 CVE-2022-27494 CVE-2022-1059

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/a787fe35-bf2d-4205-89d9-558ad4657b96

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.