CVE-2014-5406

Hospira Lifecare Pcainfusion Firmware < 5.0 - Data Authenticity Bypass

Title source: rule

Description

The Hospira LifeCare PCA Infusion System before 7.0 does not validate network traffic associated with sending a (1) drug library, (2) software update, or (3) configuration change, which allows remote attackers to modify settings or medication data via packets on the (a) TELNET, (b) HTTP, (c) HTTPS, or (d) UPNP port. NOTE: this issue might overlap CVE-2015-3459.

References (5)

Core 5

Core References

Third Party Advisory, US Government Resource x_refsource_misc

http://www.fda.gov/MedicalDevices/Safety/AlertsandNotices/ucm446809.htm

Various Sources x_refsource_misc

https://xs-sniper.com/blog/2015/06/08/hospira-plum-a-infusion-pump-vulnerabilities/

Third Party Advisory, US Government Resource

https://ics-cert.us-cert.gov/advisories/ICSA-15-125-01

Various Sources

https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2015/icsa-15-125-01.json

View Writeup ZIP pw:eip

Third Party Advisory, US Government Resource

https://www.cisa.gov/news-events/ics-advisories/icsa-15-125-01

Scores

EPSS 0.0055

EPSS Percentile 68.1%

Details

CWE

CWE-345

Status published

Products (3)

Hospira/LifeCare PCA Infusion System < 5.0

Hospira/LifeCare PCA Infusion System 7.0

hospira/lifecare_pcainfusion_firmware < 5.0

Published Jul 06, 2015

Tracked Since Feb 18, 2026