The Hospira LifeCare PCA Infusion System before 7.0 does not validate network traffic associated with sending a (1) drug library, (2) software update, or (3) configuration change, which allows remote attackers to modify settings or medication data via packets on the (a) TELNET, (b) HTTP, (c) HTTPS, or (d) UPNP port. NOTE: this issue might overlap CVE-2015-3459.
"}],"value":"The Hospira LifeCare PCA Infusion System before 7.0 does not validate network traffic associated with sending a (1) drug library, (2) software update, or (3) configuration change, which allows remote attackers to modify settings or medication data via packets on the (a) TELNET, (b) HTTP, (c) HTTPS, or (d) UPNP port. NOTE: this issue might overlap CVE-2015-3459."}],"metrics":[{"cvssV2_0":{"accessComplexity":"HIGH","accessVector":"NETWORK","authentication":"NONE","availabilityImpact":"COMPLETE","baseScore":7.6,"confidentialityImpact":"COMPLETE","integrityImpact":"COMPLETE","vectorString":"AV:N/AC:H/Au:N/C:C/I:C/A:C","version":"2.0"},"format":"CVSS","scenarios":[{"lang":"en","value":"GENERAL"}]}],"problemTypes":[{"descriptions":[{"cweId":"CWE-345","description":"CWE-345","lang":"en","type":"CWE"}]}],"providerMetadata":{"orgId":"7d14cffa-0d7d-4270-9dc0-52cabd5a23a6","shortName":"icscert","dateUpdated":"2025-11-03T18:34:36.324Z"},"references":[{"url":"https://www.cisa.gov/news-events/ics-advisories/icsa-15-125-01"},{"tags":["x_refsource_MISC"],"url":"http://www.fda.gov/MedicalDevices/Safety/AlertsandNotices/ucm446809.htm"},{"tags":["x_refsource_MISC"],"url":"https://xs-sniper.com/blog/2015/06/08/hospira-plum-a-infusion-pump-vulnerabilities/"},{"url":"https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2015/icsa-15-125-01.json"}],"solutions":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"ICS-CERT has been working with Hospira since May 2014 to address the \nvulnerabilities in the LifeCare PCA Infusion System. Hospira has \ndeveloped a new version of the PCS Infusion System, Version 7.0 that \naddresses the identified vulnerabilities. According to Hospira, \nVersion 7.0 has Port 20/FTP and Port 23/TELNET closed by default to \nprevent unauthorized access. Existing PCA Infusion Systems running \nVersion 5.0 can be upgraded to Version 7.0 when it becomes available. \nHospira’s Version 7.0 is being reviewed by the FDA prior to its release.\n The release date for Version 7.0 of the LifeCare PCA Infusion System \nhas not been determined.
\nFor additional information about Hospira’s new release, contact Hospira’s technical support at 1‑800-241-4002.
\n\n