Patch Issued to Fix Critical RCE Vulnerability in ZOLL Defibrillator Dashboard

The Cybersecurity and Infrastructure Security Agency (CISA) has issued a security advisory warning about 6 vulnerabilities in the ZOLL Defibrillator Dashboard, including one critical 9.9 severity remote code execution flaw.

The vulnerabilities were reported to CISA anonymously and affect all versions of the ZOLL Defibrillator Dashboard prior to version 2.2. Some of the flaws can be exploited remotely and require a low level of skill to exploit.

Exploitation of the vulnerabilities could allow non-admin users to achieve remote code execution and steal credentials, which would impact the confidentiality, integrity, and availability of the application.

ZOLL has confirmed that all 6 vulnerabilities have been fixed in version 2.2 of the ZOLL Defibrillator Dashboard. Customers have been advised to upgrade the solution to version 2.2 or later as soon as possible. ZOLL also explained that in the event of any discrepancy with the Defibrillator Dashboard, the defibrillator device should be considered the source of accurate data.

The vulnerabilities are as follows:

Vulnerability CVSS Severity Score Description Risk
CVE-2021-27489 9.9 Unrestricted file upload Remote code execution
CVE-2021-27481 7.1 Hard-coded cryptographic key Theft of sensitive information
CVE-2021-27487 7.1 Sensitive data stored in cleartext Theft of sensitive information
CVE-2021-27485 7.1 Passwords stored in recoverable format Theft of credentials
CVE-2021-27483 5.3 Improper privilege management Elevation of privileges to administrator level
CVE-2021-27479 4.6 Improper neutralization of input during web page generation Injection of malicious scripts to be executed by higher privilege users

There are not believed to have been any attempted exploits of the vulnerabilities in the wild.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.