Illumina Universal Copy Service
Act Now10ICS-CERT ICSMA-23-117-01Apr 28, 2023
Attack VectorNetwork
Auth RequiredNone
ComplexityLow
User InteractionNone needed
Summary
Illumina Universal Copy Service (UCS) contains vulnerabilities in multiple sequencing instrument control and operating software versions that could allow remote code execution at the operating system level. These vulnerabilities affect iScan, iSeq 100, MiniSeq, MiSeq, MiSeqDx, NextSeq 500/550 series, and NovaSeq control and operating software. An attacker could alter settings, configurations, software, or data, and potentially interact through the affected product via a connected network. Illumina recommends users follow the UCS Vulnerability Instructions Guide based on their specific system configuration.
What this means
What could happen
An attacker with network access to an affected Illumina sequencing instrument could execute arbitrary commands at the operating system level, potentially halting genetic sequencing operations, corrupting sample data, or altering instrument calibration and settings critical to diagnostic accuracy.
Who's at risk
This affects clinical and research laboratories operating Illumina sequencing instruments for genetic testing, genomic research, and diagnostic workflows. Specifically impacted are organizations using iScan, iSeq 100, MiniSeq, MiSeq (including MiSeqDx), NextSeq 500/550 series (including NextSeq 550Dx), and NovaSeq 6000/control systems for DNA/RNA sequencing and variant analysis.
How it could be exploited
An attacker on the same network as the sequencing instrument (or Internet-accessible if not firewalled) could send specially crafted requests to the Universal Copy Service running on the affected control software. The service would execute the attacker's commands with operating system privileges, allowing full system compromise without requiring authentication.
Prerequisites
- Network connectivity to the affected sequencing instrument (local network or Internet if not firewalled)
- No authentication required
- Affected control or operating software version running on the instrument
Remotely exploitableNo authentication requiredLow complexity to exploitCVSS 10.0 (maximum severity)No patch available from vendorAffects diagnostic/analytical equipment with data integrity implications
Exploitability
Low exploit probability (EPSS 0.3%)
Affected products (13)
13 EOL
ProductAffected VersionsFix Status
iScan Control Software: 4.0.04.0.0No fix (EOL)
iScan Control Software: 4.0.54.0.5No fix (EOL)
iSeq 100: *All versionsNo fix (EOL)
MiniSeq Control Software: >= 2.0≥ 2.0No fix (EOL)
MiSeq Control Software: 4.04.0No fix (EOL)
MiSeqDx Operating Software: >= 4.0.1≥ 4.0.1No fix (EOL)
NextSeq 550Dx Control Software: 4.04.0No fix (EOL)
NextSeq 550Dx Operating Software: >= 1.0.0 | <= 1.3.1≥ 1.0.0 | ≤ 1.3.1No fix (EOL)
Remediation & Mitigation
0/5
Do now
0/4HOTFIXReview and apply mitigations from Illumina's UCS Vulnerability Instructions Guide specific to your instrument models and software versions
WORKAROUNDRestrict network access to sequencing instruments by implementing firewall rules to block inbound connections from untrusted networks
HARDENINGIsolate sequencing instrument networks from business and Internet-facing networks using network segmentation or air-gapping
HARDENINGIf remote access is required, implement VPN with multi-factor authentication and ensure VPN software is kept current
Schedule — requires maintenance window
0/1Patching may require device reboot — plan for process interruption
HARDENINGPerform impact analysis before deploying any defensive measures to ensure changes do not interrupt sequencing workflows
CVEs (2)
↑↓ Navigate · Esc Close
API:
/api/v1/advisories/392d9f67-1d02-42ec-8761-a2a0ac898bdf