Illumina Universal Copy Service

Plan PatchCVSS 10ICS-CERT ICSMA-23-117-01Apr 28, 2023

Attack path

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

Illumina Universal Copy Service (UCS) contains vulnerabilities in multiple sequencing instrument control and operating software versions that could allow remote code execution at the operating system level. These vulnerabilities affect iScan, iSeq 100, MiniSeq, MiSeq, MiSeqDx, NextSeq 500/550 series, and NovaSeq control and operating software. An attacker could alter settings, configurations, software, or data, and potentially interact through the affected product via a connected network. Illumina recommends users follow the UCS Vulnerability Instructions Guide based on their specific system configuration.

What this means

What could happen

An attacker with network access to an affected Illumina sequencing instrument could execute arbitrary commands at the operating system level, potentially halting genetic sequencing operations, corrupting sample data, or altering instrument calibration and settings critical to diagnostic accuracy.

Who's at risk

This affects clinical and research laboratories operating Illumina sequencing instruments for genetic testing, genomic research, and diagnostic workflows. Specifically impacted are organizations using iScan, iSeq 100, MiniSeq, MiSeq (including MiSeqDx), NextSeq 500/550 series (including NextSeq 550Dx), and NovaSeq 6000/control systems for DNA/RNA sequencing and variant analysis.

How it could be exploited

An attacker on the same network as the sequencing instrument (or Internet-accessible if not firewalled) could send specially crafted requests to the Universal Copy Service running on the affected control software. The service would execute the attacker's commands with operating system privileges, allowing full system compromise without requiring authentication.

Prerequisites

Network connectivity to the affected sequencing instrument (local network or Internet if not firewalled)
No authentication required
Affected control or operating software version running on the instrument

Remotely exploitableNo authentication requiredLow complexity to exploitCVSS 10.0 (maximum severity)No patch available from vendorAffects diagnostic/analytical equipment with data integrity implications

Exploitability

Unlikely to be exploited — EPSS score 0.3%

Affected products (13)

13 EOL

ProductAffected VersionsFix Status

iScan Control Software: 4.0.04.0.0No fix (EOL)

iScan Control Software: 4.0.54.0.5No fix (EOL)

iSeq 100: *All versionsNo fix (EOL)

MiniSeq Control Software: >= 2.0≥ 2.0No fix (EOL)

MiSeq Control Software: 4.04.0No fix (EOL)

MiSeqDx Operating Software: >= 4.0.1≥ 4.0.1No fix (EOL)

NextSeq 550Dx Control Software: 4.04.0No fix (EOL)

NextSeq 550Dx Operating Software: >= 1.0.0 | <= 1.3.1≥ 1.0.0 | ≤ 1.3.1No fix (EOL)

Remediation & Mitigation

0/5

Do now

0/4

HOTFIXReview and apply mitigations from Illumina's UCS Vulnerability Instructions Guide specific to your instrument models and software versions

WORKAROUNDRestrict network access to sequencing instruments by implementing firewall rules to block inbound connections from untrusted networks

HARDENINGIsolate sequencing instrument networks from business and Internet-facing networks using network segmentation or air-gapping

HARDENINGIf remote access is required, implement VPN with multi-factor authentication and ensure VPN software is kept current

Schedule — requires maintenance window

0/1

Patching may require device reboot — plan for process interruption

HARDENINGPerform impact analysis before deploying any defensive measures to ensure changes do not interrupt sequencing workflows

CVEs (2)

CVE-2023-1968 CVE-2023-1966

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/392d9f67-1d02-42ec-8761-a2a0ac898bdf

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.