Philips IntelliSpace Cardiovascular System Vulnerability
Monitor · 6.7 · ICS-CERT ICSMA-18-025-01 · Jan 25, 2018
Attack Vector: Local
Auth Required: Low
Complexity: Low
User Interaction: Required
Summary
IntelliSpace Cardiovascular versions 2.3.0 and earlier contain an insufficient session expiration vulnerability (CWE-613). An attacker with local access and valid user credentials could gain unauthorized access to sensitive patient information and clinical data stored on the system, potentially reading protected health information or modifying diagnostic parameters, treatment setpoints, or system configuration.
What this means
What could happen
An attacker with local access and valid user credentials could read and modify sensitive patient data or system configuration stored on the cardiovascular system, potentially compromising patient care decisions or diagnostic accuracy.
Who's at risk
Healthcare facilities using Philips IntelliSpace Cardiovascular systems for diagnostic imaging, hemodynamic monitoring, or interventional cardiology procedures. This affects cardiology departments, cath labs, and intensive care units that depend on this system for accurate patient data and clinical decision support.
How it could be exploited
An attacker must first gain local access to the IntelliSpace Cardiovascular system and have valid user credentials. They could then exploit this vulnerability to access the file system or database containing sensitive information, reading patient records or modifying clinical parameters without detection.
Prerequisites
- Local physical access to the IntelliSpace Cardiovascular system
- Valid user credentials (clinician or administrator login)
- User interaction required (interactive session)
Tags: No patch available · Requires valid credentials · Requires local access · Affects patient safety systems · CWE-613 (Insufficient Session Expiration)
Exploitability
Low exploit probability (EPSS 0.5%)
Affected products (1)
Product | Affected Versions | Fix Status
IntelliSpace Cardiovascular | <= 2.3.0 | No fix (EOL)
Remediation & Mitigation
Do now
- HARDENING: Restrict physical and logical access to IntelliSpace Cardiovascular systems to authorized clinical staff only
- HARDENING: Implement strong access controls and enforce unique, complex passwords for all user accounts
Schedule - requires maintenance window
Patching may require device reboot; plan for process interruption.
- HARDENING: Monitor and log all access to patient data and system configuration on IntelliSpace systems
Mitigations - no patch available
IntelliSpace Cardiovascular <= 2.3.0 has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:
- HARDENING: Segment the cardiovascular system network from general IT infrastructure where possible
CVEs (1)