Home Hacking News MDhex Vulnerabilities Discovered In GE Healthcare Medical Devices
Hacking NewsLatest Cyber Security News | Network Security HackingNewsVulnerabilities

MDhex Vulnerabilities Discovered In GE Healthcare Medical Devices

by Abeerah Hashim
written by Abeerah Hashim
MDhex vulnerabilities in GE Healthcare medical devices

Researchers have discovered six different critical MDhex vulnerabilities, in medical devices. These vulnerabilities, upon exploitation, could allow an adversary to mess with devices’ functionality or render them useless.

MDhex Vulnerabilities In Medical Devices

The CyberMDX research team have discovered multiple security vulnerabilities in medical devices. Dubbed MDhex, these six vulnerabilities existed in GE Healthcare’s CARESCAPE patient monitoring devices. The researchers have elaborated on their findings in a blog post.

In brief, five of the six vulnerabilities attained critical severity ratings with a CVSS score of 10.0. These include a SSH Vulnerability exposing private key (CVE-2020-6961), a SMB vulnerability allowing remote connection to read/write files on the system (CVE-2020-6963), MultiMouse / Kavoom KM vulnerability allowing remote control (CVE-2020-6964), vulnerability in VNC software allowing remote control (CVE-2020-6966), and deprecated Webmin version triggering numerous bugs (CVE-2020-6962).

The sixth bug was a GE update management Vulnerability (CVE-2020-6965). This was a high severity vulnerability that received a CVSS score of 8.5.

Patches Rolled Out

The team Cyber MDX found these bugs in September 2019. They informed GE Healthcare about the flaws, and, in collaboration with CISA, the vendors patched the flaws.

These vulnerabilities affected the following devices.

  • Central Information Center (CIC), versions 4.x and 5.x
  • Apex Pro Telemetry Server/Tower, versions 4.2 and earlier
  • CARESCAPE Central Station (CSCS), versions 1.x and 2.x
  • CARESCAPE Telemetry Server, versions 4.3, 4.2 and prior
  • B450 patient monitor, version 2.x
  • B650 patient monitor, versions 1.x and 2.x
  • B850 patient monitor, versions 1.x and 2.x

Following the release of patches, researches have now disclosed the vulnerabilities following responsible disclosure protocol. They have also shared the details about possible mitigations and recommendations for every vulnerability in their report. The CISA has also shared an advisory sharing the mitigations and best practices recommended by GE.

For now, GE has confirmed no active exploitation of any of the vulnerabilities in the wild.

Let us know your thoughts in the comments.

Abeerah has been a passionate blogger for several years with a particular interest towards science and technology. She is crazy to know everything about the latest tech developments. Knowing and writing about cybersecurity, hacking, and spying has always enchanted her. When she is not writing, what else can be a better pastime than web surfing and staying updated about the tech world! Reach out to me at: [email protected]

You may also like

Xiid SealedTunnel: Unfazed by Yet Another Critical Firewall...

Personal Data Exposed in Massive Global Hack: Understanding...

Guardz Welcomes SentinelOne as Strategic Partner and Investor...

Invision Community Vulnerabilities Risk E-Commerce Websites

Microsoft April Patch Tuesday Fixes Dozens of RCE...

Match Systems publishes report on the consequences of...

Cypago Announces New Automation Support for AI Security...

LayerSlider WordPress Plugin Vulnerability Affected Thousands Of Websites

OWASP Disclosed Data Breach Affecting Old Members

Center Identity Launches Patented Passwordless Authentication for Businesses