25% off all training courses Offer ends May 29, 2026
View HIPAA Courses
Learner Login Learner Support
Learner Login Learner Support
25% off all training courses
View HIPAA Courses
Offer ends May 29, 2026

The HIPAA Journal is the leading provider of HIPAA training, news, regulatory updates, and independent compliance advice.

Critical Vulnerability Identified in Fujifilm Computed Radiography Cassette Readers

Posted By on Apr 24, 2019

Two vulnerabilities have been identified in Fujifilm computed radiography cassette readers. If exploited, an attacker could gain access to the operating system, execute arbitrary code, render the devices inoperable, alter functionality, and cause image loss.

The vulnerabilities are present in the following Fujifilm computed radiography cassette readers:

  • CR-IR 357 FCR Capsula X
  • CR-IR 357 FCR Carbon X
  • CR-IR 357 FCR XC-2

The most serious vulnerability – CVE-2019-10950 – is due to improper access controls on telnet services. A remote attacker with a relatively low level of skill could exploit the vulnerability to gain access to the operating system and remotely execute code and affect the functionality of the device. The vulnerability has been assigned a CVSS v3 base score of 9.8 out of 10.

The second vulnerability – CVE-2019-10948 – is due to uncontrolled resource consumption. An overflow of TCP packets could be caused in a denial of service (DoS) attack. If exploited, a DoS attack could render the device in operable and would require a reboot to restore functionality. The vulnerability has been assigned a CVSS v3 base score of 7.5.

Get The FREE
HIPAA Compliance Checklist

Immediate Delivery of Checklist Link To Your Email Address

Please Enter Correct Email Address

Your Privacy Respected

HIPAA Journal Privacy Policy

The vulnerabilities were identified by Marc Ruef and Rocco Gagliardi of Scip AG.

To prevent exploitation of the vulnerabilities, users can configure the CR-IR-357 system with ‘Secure Host functionality.’ This configuration instructs the CR-IR-357 system to ignore network traffic other than from the IP address of the image acquisition console.

This mitigation will only be an option for users that have one image acquisition console using the CR-IR-357 Reader Unit. With this configuration activated, multiple image acquisition consoles cannot share the Reader Unit as network traffic will only be accepted from a single IP address. If Reader Unit sharing has been implemented, Fujifilm should be contacted for further information on other possible mitigations.

Users should also ensure that appropriate administrative and technical controls are implemented to prevent unauthorized devices and users from connecting to the network. Fujifilm also recommends segmenting the network or using a VLAN to segregate public traffic from the private network.

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com

x

Is Your Organization HIPAA Compliant?

Find Out With Our Free HIPAA Compliance Checklist

Get Free Checklist