CVE-2024-48967 CRITICAL

CVE-2024-48967: Life2000 ventilator and Service PC lack sufficient audit logging capabilities

Vendor Baxter
Product Life2000 Ventilation System
Weakness CWE-778
Published November 14, 2024
Last update November 15, 2024

CVSS base score

10.0/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

What the vulnerability does

01Description

The ventilator and the Service PC lack sufficient audit logging capabilities to allow for detection of malicious activity and subsequent forensic examination. An attacker with access to the ventilator and/or the Service PC could, without detection, make unauthorized changes to ventilator settings that result in unauthorized disclosure of information and/or have unintended impacts on device performance.

Key dates

02Disclosure timeline

November 14, 2024 CVE published
November 15, 2024 Record updated