Vulnerability Details : CVE-2015-3956
Hospira Plum A+ Infusion System version 13.4 and prior, Plum A+3 Infusion System version 13.6 and prior, and Symbiq Infusion System version 3.13 and prior accept drug libraries, firmware updates, pump commands, and unauthorized configuration changes from unauthenticated devices on the host network. Hospira recommends that customers close Port 20/FTP and Port 23/TELNET on the affected devices. Hospira has also released the Plum 360 Infusion System, which is not vulnerable to this issue.
Products affected by CVE-2015-3956
- cpe:2.3:o:pifzer:plum_a\+_infusion_system_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:pifzer:plum_a\+3_infusion_system_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:pifzer:symbiq_infusion_system_firmware:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2015-3956
- 0.21%: Probability of exploitation activity in the next 30 days
- ~ 58 %: Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2015-3956
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
10.0 | HIGH | AV:N/AC:L/Au:N/C:C/I:C/A:C | 10.0 | 10.0 | NIST | |
9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 | NIST | |
CWE ids for CVE-2015-3956
- The product does not sufficiently verify the origin or authenticity of data, in a way that causes it to accept invalid data.
  Assigned by:
  - ics-cert@hq.dhs.gov (Secondary)
  - nvd@nist.gov (Primary)
References for CVE-2015-3956
- https://ics-cert.us-cert.gov/advisories/ICSA-15-161-01
  Hospira Plum A+ and Symbiq Infusion Systems Vulnerabilities | CISA
  Mitigation; US Government Resource; Third Party Advisory