{"containers":{"cna":{"affected":[{"defaultStatus":"unaffected","product":"Ultrasound ClearVue","vendor":"Philips","versions":[{"lessThan":"versions 3.2","status":"affected","version":"0","versionType":"custom"}]},{"defaultStatus":"unaffected","product":"Ultrasound CX","vendor":"Philips","versions":[{"lessThan":"versions 5.0.2","status":"affected","version":"0","versionType":"custom"}]},{"defaultStatus":"unaffected","product":"Ultrasound EPIQ/Affiniti","vendor":"Philips","versions":[{"lessThan":"versions VM5.0","status":"affected","version":"0","versionType":"custom"}]},{"defaultStatus":"unaffected","product":"Ultrasound Sparq","vendor":"Philips","versions":[{"lessThan":"version 3.0.2","status":"affected","version":"0","versionType":"custom"}]},{"defaultStatus":"unaffected","product":"Ultrasound Xperius","vendor":"Philips","versions":[{"status":"affected","version":"all versions"}]}],"credits":[{"lang":"en","type":"finder","value":"Philips reported this vulnerability to CISA."}],"descriptions":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"<p>In Philips Ultrasound ClearVue Versions 3.2 and prior, Ultrasound CX Versions 5.0.2 and prior, Ultrasound EPIQ/Affiniti Versions VM5.0 and prior, Ultrasound Sparq Version 3.0.2 and prior and Ultrasound Xperius all versions, an attacker may use an alternate path or channel that does not require authentication of the alternate service login to view or modify information.</p>"}],"value":"In Philips Ultrasound ClearVue Versions 3.2 and prior, Ultrasound CX Versions 5.0.2 and prior, Ultrasound EPIQ/Affiniti Versions VM5.0 and prior, Ultrasound Sparq Version 3.0.2 and prior and Ultrasound Xperius all versions, an attacker may use an alternate path or channel that does not require authentication of the alternate service login to view or modify information."}],"metrics":[{"cvssV3_1":{"attackComplexity":"HIGH","attackVector":"LOCAL","availabilityImpact":"NONE","baseScore":3.6,"baseSeverity":"LOW","confidentialityImpact":"LOW","integrityImpact":"LOW","privilegesRequired":"LOW","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N","version":"3.1"},"format":"CVSS","scenarios":[{"lang":"en","value":"GENERAL"}]}],"problemTypes":[{"descriptions":[{"cweId":"CWE-288","description":"CWE-288","lang":"en","type":"CWE"}]}],"providerMetadata":{"orgId":"7d14cffa-0d7d-4270-9dc0-52cabd5a23a6","shortName":"icscert","dateUpdated":"2025-06-04T21:56:59.294Z"},"references":[{"tags":["x_refsource_MISC"],"url":"https://www.us-cert.gov/ics/advisories/icsma-20-177-01"}],"solutions":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"<p>Philips released Ultrasound EPIQ/Affiniti Version VM6.0 in April 2020\n and recommends users with the Ultrasound EPIQ/Affiniti systems to \ncontact their local Philips service support team, or regional service \nsupport for installation information.</p>\n<p>Philips is currently planning the following new releases:</p>\n<ul>\n<li>Ultrasound ClearVue Version 3.3 release in Q4 2020</li>\n<li>Ultrasound CX Version 5.0.3 release in Q4 2020</li>\n<li>Ultrasound Sparq Version 3.0.3 release in Q4 2020</li>\n</ul>\n<p>As an interim mitigation to this vulnerability, Philips recommends \ncustomers ensure service providers can guarantee installed device \nintegrity during all service and repair operations.</p>\n<p>Users with questions regarding their specific Ultrasound installation\n should contact the Philips service support team or regional service \nsupport.</p><p>Users can contact <a target=\"_blank\" rel=\"nofollow\" href=\"https://www.usa.philips.com/healthcare/solutions/customer-service-solutions\">Philips customer service</a>, and find more details in the <a target=\"_blank\" rel=\"nofollow\" href=\"http://www.philips.com/productsecurity\">Philips advisory </a>(external link). Please see the <a target=\"_blank\" rel=\"nofollow\" href=\"http://www.philips.com/productsecurity\">Philips product security website</a> for the latest security information for Philips products.\n\n<br></p>"}],"value":"Philips released Ultrasound EPIQ/Affiniti Version VM6.0 in April 2020\n and recommends users with the Ultrasound EPIQ/Affiniti systems to \ncontact their local Philips service support team, or regional service \nsupport for installation information.\n\n\nPhilips is currently planning the following new releases:\n\n\n\n  *  Ultrasound ClearVue Version 3.3 release in Q4 2020\n\n  *  Ultrasound CX Version 5.0.3 release in Q4 2020\n\n  *  Ultrasound Sparq Version 3.0.3 release in Q4 2020\n\n\n\n\nAs an interim mitigation to this vulnerability, Philips recommends \ncustomers ensure service providers can guarantee installed device \nintegrity during all service and repair operations.\n\n\nUsers with questions regarding their specific Ultrasound installation\n should contact the Philips service support team or regional service \nsupport.\n\nUsers can contact  Philips customer service https://www.usa.philips.com/healthcare/solutions/customer-service-solutions , and find more details in the  Philips advisory  http://www.philips.com/productsecurity (external link). Please see the  Philips product security website http://www.philips.com/productsecurity  for the latest security information for Philips products."}],"source":{"advisory":"ICSMA-20-177-01","discovery":"INTERNAL"},"title":"Philips Ultrasound Systems Authentication Bypass Using an Alternate Path or Channel","x_generator":{"engine":"Vulnogram 0.2.0"},"x_legacyV4Record":{"CVE_data_meta":{"ASSIGNER":"ics-cert@hq.dhs.gov","ID":"CVE-2020-14477","STATE":"PUBLIC"},"affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"product_name":"Philips Ultrasound ClearVue","version":{"version_data":[{"version_value":"versions 3.2 and prior"}]}},{"product_name":"Ultrasound CX","version":{"version_data":[{"version_value":"versions 5.0.2 and prior"}]}},{"product_name":"Ultrasound EPIQ/Affiniti","version":{"version_data":[{"version_value":"versions VM5.0 and prior"}]}},{"product_name":"Ultrasound Sparq","version":{"version_data":[{"version_value":"version 3.0.2 and prior"}]}},{"product_name":"Ultrasound Xperius","version":{"version_data":[{"version_value":"all versions"}]}}]},"vendor_name":"n/a"}]}},"data_format":"MITRE","data_type":"CVE","data_version":"4.0","description":{"description_data":[{"lang":"eng","value":"In Philips Ultrasound ClearVue Versions 3.2 and prior, Ultrasound CX Versions 5.0.2 and prior, Ultrasound EPIQ/Affiniti Versions VM5.0 and prior, Ultrasound Sparq Version 3.0.2 and prior and Ultrasound Xperius all versions, an attacker may use an alternate path or channel that does not require authentication of the alternate service login to view or modify information."}]},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"AUTHENTICATION BYPASS USING AN ALTERNATE PATH OR CHANNEL CWE-288"}]}]},"references":{"reference_data":[{"name":"https://www.us-cert.gov/ics/advisories/icsma-20-177-01","refsource":"MISC","url":"https://www.us-cert.gov/ics/advisories/icsma-20-177-01"}]}}},"adp":[{"providerMetadata":{"orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE","dateUpdated":"2024-08-04T12:46:34.685Z"},"title":"CVE Program Container","references":[{"tags":["x_refsource_MISC","x_transferred"],"url":"https://www.us-cert.gov/ics/advisories/icsma-20-177-01"}]}]},"cveMetadata":{"assignerOrgId":"7d14cffa-0d7d-4270-9dc0-52cabd5a23a6","assignerShortName":"icscert","cveId":"CVE-2020-14477","datePublished":"2020-06-26T16:15:14.000Z","dateReserved":"2020-06-19T00:00:00.000Z","dateUpdated":"2025-06-04T21:56:59.294Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.1"}