CVE-2020-6965
CRITICAL
Gehealthcare Apexpro Telemetry Server... - Unrestricted File Upload
Title source: rule
Description
In ApexPro Telemetry Server Versions 4.2 and prior, CARESCAPE Telemetry Server v4.2 & prior, Clinical Information Center (CIC) Versions 4.X and 5.X, CARESCAPE Central Station (CSCS) Versions 1.X, B450 Version 2.X, B650 Version 1.X, B650 Version 2.X, B850 Version 1.X, B850 Version 2.X, a vulnerability in the software update mechanism allows an authenticated attacker to upload arbitrary files on the system through a crafted update package.
References (2)
Core References
Third Party Advisory, US Government Resource x_refsource_misc
https://www.us-cert.gov/ics/advisories/icsma-20-023-01
Scores
CVSS v3
9.9
EPSS
0.0028
EPSS Percentile
51.7%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Details
CWE
CWE-434
CWE-20
Status
published
Products (13)
gehealthcare/apexpro_telemetry_server_firmware
< 4.2
gehealthcare/carescape_b450_monitor_firmware
2.0
gehealthcare/carescape_b650_monitor_firmware
1.0
gehealthcare/carescape_b650_monitor_firmware
2.0
gehealthcare/carescape_b850_monitor_firmware
1.0
gehealthcare/carescape_b850_monitor_firmware
2.0
gehealthcare/carescape_central_station_mai700_firmware
1.0
gehealthcare/carescape_central_station_mas700_firmware
1.0
gehealthcare/carescape_telemetry_server_mp100r_firmware
< 4.2
gehealthcare/clinical_information_center_mp100d_firmware
4.0
... and 3 more
Published
Jan 24, 2020
Tracked Since
Feb 18, 2026