OTPulse

B. Braun SpaceCom, Battery Pack SP with Wi-Fi, and Data module compactplus

Plan: Patch · CVSS 7.6 · ICS-CERT ICSMA-20-296-02 · Oct 22, 2020
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: Required
Summary

B. Braun SpaceCom, Battery Pack SP with Wi-Fi, and Data module compactplus devices contain multiple vulnerabilities that could allow an attacker to escalate privileges, view sensitive information, upload arbitrary files, and perform remote code execution. Affected versions: SpaceCom software U61 or earlier (U versions, US/Canada) or L81 or earlier (L versions, outside US/Canada); Battery pack with Wi-Fi software U61 or earlier (U versions) or L81 or earlier (L versions); Data module compactplus software A10 or A11. The vulnerabilities include cross-site scripting (CWE-79), open redirect (CWE-601), XPath injection (CWE-643), insufficient session expiration (CWE-384), plaintext password storage (CWE-759), path traversal (CWE-23), invalid signature verification (CWE-347), and hard-coded credentials (CWE-798).

What this means
What could happen
An attacker could gain control of infusion pump communication and monitoring systems, potentially altering medication delivery settings, stopping pump operations, or accessing patient data. These devices are critical to patient safety in healthcare delivery environments.
Who's at risk
Healthcare facilities using B. Braun SpaceCom networked infusion pump systems, Battery Pack SP with Wi-Fi modules, and Data module compactplus devices should review their deployments. SpaceCom is used for centralized monitoring and control of infusion pumps in hospital settings. Battery Pack SP with Wi-Fi provides wireless connectivity for mobile infusion pump systems. These devices are critical to patient medication delivery and are typically found in acute care units, ICUs, and operating rooms.
How it could be exploited
An attacker with network access to the device could exploit cross-site scripting or open redirect vulnerabilities to trick an administrator into visiting a malicious site or uploading crafted files. Once authenticated (or via hard-coded credentials if discovered), the attacker could exploit path traversal, XPath injection, or signature verification flaws to upload arbitrary firmware, execute commands on the device, or escalate privileges to full system control.
Prerequisites
  • Network access to SpaceCom or Battery Pack SP with Wi-Fi web interface or API
  • Valid user account or discovery of hard-coded credentials
  • Administrator interaction for some exploit paths (social engineering via open redirect or cross-site scripting)
  • Device must be running software version U61 or earlier (U variants, US/Canada) or L81 or earlier (L variants, outside US/Canada)
Key points
  • Remotely exploitable
  • Low complexity attack
  • Hard-coded credentials possible
  • No patch available for Data module compactplus A10/A11
  • Affects patient safety-critical systems
  • Multiple authentication and authorization flaws
  • File upload capabilities without proper validation
Exploitability
Low exploit probability (EPSS 0.7%)
Affected products (3)
2 with fix · 1 EOL

Product                           | Affected Versions         | Fix Status
Battery pack with Wi-Fi: software | ≤ U61 (U) / ≤ L81 (L)     | Fixed in 028U00093 or 054U00093 (U.S./Canada) or 027L000093 or 053L00093 (outside U.S./Canada), selected by serial number (see Remediation)
SpaceCom: software                | ≤ U61 (U) / ≤ L81 (L)     | Fixed in 012U000093 (U.S./Canada) or 011L000093 (outside U.S./Canada)
Data module compactplus: software | A10 / A11                 | No fix (EOL)
Remediation & Mitigation
Do now
HARDENING: Inventory the SpaceCom, Battery Pack SP with Wi-Fi, and Data module compactplus devices on the network (a network scan will reveal exposed web interfaces) and review the devices' access logs for unauthorized access attempts
WORKAROUND: Disable any remote management or web interface that clinical operations do not require; keep only the interfaces the clinical engineering team actually uses
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Update SpaceCom software to version 012U000093 (U.S./Canada) or 011L000093 (outside U.S./Canada)
HOTFIX: Update Battery Pack SP with Wi-Fi software to 028U00093 (SN 138852 and lower) or 054U00093 (SN 138853 and higher) for U.S./Canada, or to 027L000093 (SN below 138853) or 053L00093 (SN 138853 and higher) outside U.S./Canada
HOTFIX: Contact B. Braun Technical Support for Data module compactplus remediation; no public software update is identified for the A10 or A11 versions
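As an added example (not OTPulse or B. Braun tooling), the following Python helper applies the affected-version and update rules from this page to an asset inventory: the U61/L81 cut-offs for SpaceCom and the Battery Pack, the serial-number split at 138852/138853 that selects between the two Battery Pack packages, and the no-fix outcome for Data module compactplus A10/A11. It assumes software versions are reported as one letter followed by an integer ("U61", "L81", "A10"), as this page writes them, and that serial numbers are plain integers; the product keys (`spacecom`, `battery_pack_wifi`, `data_module_compactplus`) and the sample inventory are constructed for the example.

```python
"""Triage helper for the B. Braun SpaceCom / Battery Pack SP with Wi-Fi /
Data module compactplus advisory (ICSMA-20-296-02).

Example code added to this page; it is not OTPulse or B. Braun tooling.
Assumptions: software versions look like "U61" / "L81" / "A10" (one letter
plus an integer) and serial numbers are integers. The update identifiers
(012U000093 etc.) are copied from the Remediation section and treated as
opaque package names, never parsed or compared.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Highest affected software number per variant letter (U = US/Canada, L = elsewhere).
AFFECTED_MAX = {
    "spacecom": {"U": 61, "L": 81},
    "battery_pack_wifi": {"U": 61, "L": 81},
}
# Data module compactplus: only these exact versions are listed, and there is no fix.
COMPACTPLUS_AFFECTED = {"A10", "A11"}
# Battery Pack packages depend on the serial number: SN <= 138852 vs SN >= 138853.
BATTERY_SN_SPLIT = 138853

_VERSION_RE = re.compile(r"^([A-Z])(\d+)$")


@dataclass
class Verdict:
    affected: bool
    target_update: Optional[str]  # None when no update applies or can be chosen
    note: str


def parse_version(version: str):
    """Split 'U61' into ('U', 61); reject anything that does not fit the format."""
    m = _VERSION_RE.match(version.strip().upper())
    if not m:
        raise ValueError(f"unrecognised software version format: {version!r}")
    return m.group(1), int(m.group(2))


def triage(product: str, version: str, serial: Optional[int] = None) -> Verdict:
    product = product.lower()
    if product == "data_module_compactplus":
        if version.strip().upper() in COMPACTPLUS_AFFECTED:
            return Verdict(True, None, "end of life: no vendor patch; apply compensating controls")
        return Verdict(False, None, "version not in the listed affected set")

    if product not in AFFECTED_MAX:
        raise ValueError(f"unknown product: {product!r}")

    letter, number = parse_version(version)
    if letter not in AFFECTED_MAX[product]:
        return Verdict(False, None, f"variant {letter!r} is not covered by this advisory")
    if number > AFFECTED_MAX[product][letter]:
        return Verdict(False, None, "software is newer than the last affected release")

    # From here on the device runs an affected release; pick the right package.
    if product == "spacecom":
        target = "012U000093" if letter == "U" else "011L000093"
        return Verdict(True, target, "update SpaceCom software")

    # battery_pack_wifi: the package depends on the serial number.
    if serial is None:
        return Verdict(True, None, "affected; serial number needed to pick the update package")
    if letter == "U":
        target = "028U00093" if serial < BATTERY_SN_SPLIT else "054U00093"
    else:
        target = "027L000093" if serial < BATTERY_SN_SPLIT else "053L00093"
    return Verdict(True, target, f"update Battery Pack SP with Wi-Fi (SN {serial})")


# Constructed sample inventory (hypothetical assets, not real devices).
SAMPLE_INVENTORY = [
    {"asset": "ICU-PUMP-01", "product": "spacecom", "version": "U58", "serial": None},
    {"asset": "ICU-PUMP-02", "product": "spacecom", "version": "L82", "serial": None},
    {"asset": "OR-BATT-07", "product": "battery_pack_wifi", "version": "U61", "serial": 138852},
    {"asset": "OR-BATT-08", "product": "battery_pack_wifi", "version": "L80", "serial": 140001},
    {"asset": "WARD-DM-03", "product": "data_module_compactplus", "version": "A11", "serial": None},
]


def triage_inventory(rows):
    """Return {asset: Verdict} for every row of an inventory list."""
    return {r["asset"]: triage(r["product"], r["version"], r.get("serial")) for r in rows}


if __name__ == "__main__":
    for asset, v in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{asset}: affected={v.affected} update={v.target_update} ({v.note})")
```

Feed it the clinical-engineering asset list and the output tells you which devices still need a maintenance window and which exact package to request; an affected Battery Pack with no recorded serial number is reported as affected but without a package, because the page ties the package choice to the serial number.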
Mitigations - no patch available
Data module compactplus: software has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:
HARDENING: Segment infusion pump communication devices from general hospital networks; restrict access to SpaceCom and Battery Pack Wi-Fi interfaces to authorized clinical engineering and IT staff only