Hillrom Medical Device Management
Monitor · 7.7 · ICS-CERT ICSMA-22-167-01 · Jun 16, 2022
Attack Vector: Network
Auth Required: Low
Complexity: High
User Interaction: None needed
Summary
Welch Allyn ELI series resting electrocardiograph devices contain hardcoded credentials and improper access control vulnerabilities (CWE-259, CWE-284) that allow authenticated attackers to execute arbitrary commands with elevated privileges. Successful exploitation could enable command execution, privilege escalation, sensitive data disclosure, and detection evasion. Affected models include ELI 150c, 250c, 280, and 380. No public exploits are currently known. Hillrom has committed to software updates for all models but availability ranges from May 2022 (ELI 280) to Q4 2023 (ELI 150c and 380).
What this means
What could happen
An attacker with network access and low-privilege credentials could execute arbitrary commands on Welch Allyn electrocardiograph devices, potentially exfiltrating patient data, disabling devices, or altering diagnostic records that clinicians rely on for patient care decisions.
Who's at risk
Hospital IT and biomedical teams who operate Welch Allyn ELI series resting electrocardiograph devices. This affects any healthcare facility using ELI 150c, 250c, 280, or 380 models for cardiac diagnostics and monitoring.
How it could be exploited
An attacker on the hospital network who obtains low-privilege credentials (such as a standard user account) could authenticate to the device over its exposed remote-access services (FTP, SSH, or Telnet; FTP and Telnet are unencrypted) and execute arbitrary commands with escalated privileges. The device stores encryption keys and sensitive configuration data that could be read and potentially used to compromise other ELI Link networked devices.
Prerequisites
- Network access to the electrocardiograph device (ports 21 FTP, 22 SSH, or 23 Telnet)
- Valid low-privilege user credentials for device access
- No encryption key configured for ELI Link and Cardiograph (if using default configuration)
Tags: remotely exploitable · requires valid credentials · no public exploit available · affects medical diagnostic equipment · delayed patch availability (fixes staggered from May 2022 to Q4 2023) · cleartext management protocols (FTP, Telnet) alongside SSH
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (4)
4 EOL
Product | Affected Versions | Fix Status
Welch Allyn ELI 250c/BUR 250c Resting Electrocardiograph | ≤ 2.1.2 | No fix (EOL)
Welch Allyn ELI 380 Resting Electrocardiograph | ≤ 2.6.0 | No fix (EOL)
Welch Allyn ELI 150c/BUR 150c/MLBUR 150c Resting Electrocardiograph | ≤ 2.2.0 | No fix (EOL)
Welch Allyn ELI 280/BUR280/MLBUR 280 Resting Electrocardiograph | ≤ 2.3.1 | No fix (EOL)
Remediation & Mitigation
Do now
WORKAROUND: Configure a unique encryption key for ELI Link and Cardiograph on all devices
WORKAROUND: Block access to ports 21 (FTP), 22 (SSH), and 23 (Telnet) using firewall rules
Schedule — requires maintenance window
Patching may require a device reboot; plan for process interruption.
HOTFIX: Upgrade Welch Allyn ELI 380 to the fixed firmware version (available by Q4 2023)
HOTFIX: Upgrade Welch Allyn ELI 280/BUR280/MLBUR 280 to the fixed firmware version (available May 2022)
HOTFIX: Upgrade Welch Allyn ELI 150c/BUR 150c/MLBUR 150c to the fixed firmware version (available by Q4 2023)
Mitigations - no patch available
The following products have reached End of Life with no planned fix: Welch Allyn ELI 250c/BUR 250c Resting Electrocardiograph, Welch Allyn ELI 380 Resting Electrocardiograph, Welch Allyn ELI 150c/BUR 150c/MLBUR 150c Resting Electrocardiograph, and Welch Allyn ELI 280/BUR280/MLBUR 280 Resting Electrocardiograph. Apply the following compensating controls:
HARDENING: Isolate electrocardiograph devices from the business network and place them behind a firewall
HARDENING: Minimize direct Internet exposure of the medical device network
CVEs (2)
API: /api/v1/advisories/c74b3326-7776-4d86-8aca-eec100910e95