OTPulse

Siemens HiMed Cockpit

Priority: Plan Patch · CVSS 8.5 · ICS-CERT ICSA-24-284-08 · Oct 8, 2024
Attack Vector: Local
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

HiMed Cockpit devices running software versions V11.5.1 through V11.6.1 contain a kiosk mode escape vulnerability (CWE-424, Improper Protection of Alternate Path). An unauthenticated attacker with local access could break out of the restricted kiosk interface and reach the underlying operating system. Siemens has released V11.6.2, which fixes the issue. The vulnerability is not remotely exploitable, and no active exploitation has been reported.

What this means
What could happen
An attacker with local access to a HiMed Cockpit device could escape the restricted kiosk interface and gain direct access to the underlying operating system, potentially allowing them to modify medical device settings or disable clinical operations.
Who's at risk
Medical device operators and clinical engineering teams managing Siemens HiMed Cockpit systems in hospitals and medical facilities. Affected equipment includes HiMed Cockpit 12 pro, 14 pro+, 18 pro, and 18 pro+ devices running software versions before V11.6.2.
How it could be exploited
An attacker with local access to a HiMed Cockpit device (CVSS attack vector Local: the attacker must interact with the device itself, for example at its console; the flaw is not reachable over the network) could exploit the kiosk mode escape to break out of the restricted environment. Once the kiosk is bypassed, the attacker has access to the underlying OS and can execute arbitrary commands with whatever privileges the kiosk session runs under.
Prerequisites
  • Local access to the HiMed Cockpit device (interactive access to the kiosk interface; not exploitable over the network)
  • Device running HiMed Cockpit software version V11.5.1 or later but earlier than V11.6.2
  • Local access required only (not remotely exploitable)
  • Low EPSS score (0.1%)
  • No known active exploitation
  • Affects safety-critical medical devices
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (4)
4 with fix
Product                  Affected versions          Fix status
HiMed Cockpit 12 pro     ≥ V11.5.1 and < V11.6.2    fixed in V11.6.2
HiMed Cockpit 14 pro+    ≥ V11.5.1 and < V11.6.2    fixed in V11.6.2
HiMed Cockpit 18 pro     ≥ V11.5.1 and < V11.6.2    fixed in V11.6.2
HiMed Cockpit 18 pro+    ≥ V11.5.1 and < V11.6.2    fixed in V11.6.2
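The affected range in the table and in the prerequisites above is a half-open interval (V11.5.1 inclusive, V11.6.2 exclusive), and a naive string comparison gets it wrong for versions with two-digit components. The following is an added example (not from this page, not Siemens tooling) that parses a constructed "host, product, version" inventory and flags the devices still inside that range; the hostnames and the later version numbers in the sample are made up, the product names and the version bounds come from the advisory.

```python
"""Flag HiMed Cockpit devices whose software version falls in the affected range.

Added example, not part of the advisory page or any Siemens tooling. The
inventory lines below are constructed for illustration; the affected range
(>= V11.5.1 and < V11.6.2) and the four product names come from the advisory.
"""
import re
from typing import Iterable

AFFECTED_PRODUCTS = {
    "HiMed Cockpit 12 pro",
    "HiMed Cockpit 14 pro+",
    "HiMed Cockpit 18 pro",
    "HiMed Cockpit 18 pro+",
}
AFFECTED_FROM = (11, 5, 1)  # inclusive lower bound (V11.5.1)
FIXED_IN = (11, 6, 2)       # exclusive upper bound; first fixed version (V11.6.2)

_VERSION_RE = re.compile(r"^[Vv]?(\d+)\.(\d+)\.(\d+)$")


def parse_version(text: str) -> tuple:
    """Turn 'V11.6.1' into (11, 6, 1) so versions compare numerically.

    A plain string comparison would rank 'V11.10.0' below 'V11.6.2' and
    wrongly report a later release as affected; tuple comparison avoids that.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(x) for x in m.groups())


def is_affected(product: str, version: str) -> bool:
    """True when product is one of the four listed models and version lies
    in the half-open range [V11.5.1, V11.6.2)."""
    if product.strip() not in AFFECTED_PRODUCTS:
        return False
    return AFFECTED_FROM <= parse_version(version) < FIXED_IN


def triage(inventory: Iterable[str]) -> list:
    """Parse 'hostname, product, version' lines and return (host, product,
    version) for every device that still needs the V11.6.2 update.
    Blank lines and '#' comments are skipped."""
    needs_patch = []
    for line in inventory:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, product, version = (field.strip() for field in line.split(","))
        if is_affected(product, version):
            needs_patch.append((host, product, version))
    return needs_patch


# Constructed sample inventory: hostnames are invented, and V11.4.9 / V11.10.0
# are hypothetical releases used only to exercise the range boundaries.
SAMPLE_INVENTORY = """
# host, product, version
bed-101-term, HiMed Cockpit 12 pro, V11.5.1
bed-102-term, HiMed Cockpit 14 pro+, V11.6.1
bed-103-term, HiMed Cockpit 18 pro, V11.6.2
bed-104-term, HiMed Cockpit 18 pro+, V11.4.9
bed-105-term, HiMed Cockpit 18 pro+, V11.10.0
ward-kiosk-1, Some Other Terminal, V11.5.3
""".splitlines()

if __name__ == "__main__":
    for host, product, version in triage(SAMPLE_INVENTORY):
        print(f"{host}: {product} {version} -> update to V11.6.2")
```

Run against the sample, only bed-101-term (lower bound, inclusive) and bed-102-term (last affected release) are reported; bed-103-term is already on the fixed version, and the non-HiMed terminal is ignored regardless of its version string.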
Remediation & Mitigation
Do now

HARDENING: Restrict physical and network access to HiMed Cockpit devices to authorized personnel only
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Update all HiMed Cockpit devices (12 pro, 14 pro+, 18 pro, 18 pro+) to version V11.6.2 or later
Long-term hardening
HARDENING: Place HiMed Cockpit devices behind firewalls and isolate them from business networks
HARDENING: Implement VPN or other secure remote access controls if remote access to devices is required