Advisory - Hillrom Medical Device Management


The electronics and IT technology embedded in medical devices and Healthcare IT systems is contributing to greater precision in healthcare. However it is now among the sectors most targeted by cyberattacks globally, including Ransomware attacks.

Recently, CVE-2022-26388 and CVE-2022-26389 have been published regarding a healthcare device - Electrocardiograph machines.

CVE-2022-26388, which has a Medium CVSS rating of 6.4, is a 'use of hard-coded password' vulnerability. The products affected use hard-coded passwords for inbound authentication or outbound communication to external components. This vulnerability has a low attack complexity. An adversary can exploit it and compromise data and other user credentials, causing essentially a breakdown of the healthcare services.

Hard coded passwords and passwords logged in cleartext appear predominantly in hardware devices such as routers, switches, cameras and such others which are difficult to service, and are usually embedded in firmware code for "ease of support". A quick search for "hardcoded password" on shows that since 2015 the count of "hard coded password" vulnerabilities has consistently increased, reaching 63 for 2021.

CVE-2022-26389, which has a high CVSS rating of 7.7, is a vulnerability caused by improper access control because software does not restrict or incorrectly restricts access to a resource from an authorised actor. This vulnerability has a high attack complexity. Broken or improper access control issues are among the most frequently found during our pen-tests, and is the first among OWASP top 10 2021.


Update to the lastest version of the software as soon as possible.

If update is not a feasible option, then there are some workarounds by Hillrom that would reduce the risk considerably:

  1. Apply proper network and physical security controls.
  2. Ensure a unique encryption key is configured for the devices.
  3. Where possible, use a firewall.





Authors: Narendra Kumawat, Mahesh Saptarshi

For more information


For all your software product security and IT security compliance requirements

Contact us ☎