Patch Issued to Fix Critical RCE Vulnerability in ZOLL Defibrillator Dashboard
The Cybersecurity and Infrastructure Security Agency (CISA) has issued a security advisory warning about 6 vulnerabilities in the ZOLL Defibrillator Dashboard, including one critical 9.9 severity remote code execution flaw.
The vulnerabilities were reported to CISA anonymously and affect all versions of the ZOLL Defibrillator Dashboard prior to version 2.2. Some of the flaws can be exploited remotely and require a low level of skill to exploit.
Exploitation of the vulnerabilities could allow non-admin users to achieve remote code execution and steal credentials, which would impact the confidentiality, integrity, and availability of the application.
ZOLL has confirmed that all 6 vulnerabilities have been fixed in version 2.2 of the ZOLL Defibrillator Dashboard. Customers have been advised to upgrade the solution to version 2.2 or later as soon as possible. ZOLL also explained that in the event of any discrepancy with the Defibrillator Dashboard, the defibrillator device should be considered the source of accurate data.
The vulnerabilities are as follows:
|Vulnerability||CVSS Severity Score||Description||Risk|
|CVE-2021-27489||9.9||Unrestricted file upload||Remote code execution|
|CVE-2021-27481||7.1||Hard-coded cryptographic key||Theft of sensitive information|
|CVE-2021-27487||7.1||Sensitive data stored in cleartext||Theft of sensitive information|
|CVE-2021-27485||7.1||Passwords stored in recoverable format||Theft of credentials|
|CVE-2021-27483||5.3||Improper privilege management||Elevation of privileges to administrator level|
|CVE-2021-27479||4.6||Improper neutralization of input during web page generation||Injection of malicious scripts to be executed by higher privilege users|
There are not believed to have been any attempted exploits of the vulnerabilities in the wild.