25% off all training courses Offer ends May 29, 2026
View HIPAA Courses
Learner Login Learner Support
Learner Login Learner Support
25% off all training courses
View HIPAA Courses
Offer ends May 29, 2026

The HIPAA Journal is the leading provider of HIPAA training, news, regulatory updates, and independent compliance advice.

Critical Vulnerabilities identified in MesaLabs Laboratory Temperature Monitoring System

Posted By on Jun 2, 2021

Five vulnerabilities have been identified in the MesaLabs AmegaView continuous monitoring system used in hospital laboratories, forensics labs, and biotech firms. Two of the flaws are critical command injection vulnerabilities with CVSS severity scores of 9.9/10 and 10/10. The vulnerabilities affect AmegaView Versions 3.0 and prior and were identified by Stephen Yackey of Securifera.

In order of severity, the vulnerabilities are as follows:

  • CVE-2021-27447 – CVSS 10/10 – Flaw due to improper neutralization of special elements used in a command, which could allow an attacker to execute arbitrary code.
  • CVE-2021-27449 – CVSS 9.9/10 – Flaw due to improper neutralization of special elements used in a command, which could allow an attacker to execute commands in the web server.
  • CVE-2021-27445 – CVSS 7.8/10 – Insecure file permissions which could be exploited to elevate privileges on the device.
  • CVE-2021-27451 – CVSS 7.3/10 – Improper authentication due to passcodes being generated by an easily reversible algorithm, which could allow an attacker to gain access to the device.
  • CVE-2021-27453 – CVSS 7.3/10 – Authentication bypass issue that could allow an attacker to gain access to the web application.

There are currently no public exploits that specifically target these vulnerabilities. Since AmegaView reaches end-of-life at the end of this year, MesaLabs has taken the decision not to release patches to correct the vulnerabilities. Instead, all users of the vulnerable products have been advised to upgrade to newer Viewpoint software compatible with AmegaView hardware.

Should this not be possible, or until it is, it is recommended to locate vulnerable products behind firewalls and to isolate them from the network and ensure they are not accessible from the Internet. If remote access is required, Virtual Private Networks (VPNs) should be required for access, and VPNs should be updated to the most current version.

Get The FREE
HIPAA Compliance Checklist

Immediate Delivery of Checklist Link To Your Email Address

Please Enter Correct Email Address

Your Privacy Respected

HIPAA Journal Privacy Policy

Prior to implementing any new defensive measures, an impact analysis and risk assessment should be performed.

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com

x

Is Your Organization HIPAA Compliant?

Find Out With Our Free HIPAA Compliance Checklist

Get Free Checklist