
Vulnerabilities Identified in B. Braun OnlineSuite and SpaceCom

Several vulnerabilities have recently been identified in B. Braun products used by healthcare organizations in the United States.

B. Braun OnlineSuite

Three vulnerabilities have been identified in B. Braun OnlineSuite, a clinical IT solution for creating and sending drug libraries and managing infusion devices and other medical equipment. If exploited, an attacker could escalate privileges, upload and download arbitrary files, and remotely execute code.

The most serious flaws are a relative path traversal vulnerability – CVE-2020-25172 – which allows unauthenticated individuals to upload and download files, and a remote code execution vulnerability – CVE-2020-25174 – which allows a local attacker to execute code as a highly privileged user. The flaws have been assigned CVSS v3 base scores of 8.6 and 8.4 out of 10, respectively.

An Excel macro vulnerability – CVE-2020-25170 – caused by the mishandling of multiple input fields has also been identified in the export feature; it has been assigned a CVSS v3 base score of 6.9.


The flaws are present in OnlineSuite AP 3.0 and earlier. B. Braun has addressed the flaws in the update OnlineSuite Field Service Information AIS06/20, which users are advised to apply as soon as possible.

SpaceCom and Battery Pack SP with Wi-Fi

Eleven vulnerabilities have been identified in SpaceCom, which connects external devices for data documentation (a Patient Data Management System, a PC, or a USB memory stick), and in Battery Pack SP with Wi-Fi.

The flaws affect SpaceCom software versions U61 and earlier and Battery Pack SP with Wi-Fi software versions U61 and earlier.

If exploited, an attacker could compromise the security of SpaceCom devices and escalate privileges, view sensitive information, upload arbitrary files, and remotely execute arbitrary code.

  • CVE-2020-25158 (CVSS 7.6) – Reflected cross-site scripting (XSS) vulnerability allowing injection of arbitrary web script or HTML into various locations.
  • CVE-2020-25150 (CVSS 7.6) – Relative path traversal vulnerability allowing an attacker with service user privileges to upload arbitrary files and execute arbitrary commands.
  • CVE-2020-25162 (CVSS 7.5) – Path injection vulnerability allowing unauthenticated individuals to access sensitive information and escalate privileges.
  • CVE-2020-25156 (CVSS 7.2) – Active debug code that enables attackers in possession of cryptographic material to access the device as root.
  • CVE-2020-25160 (CVSS 6.8) – Improper access controls that allow extraction of and tampering with the device’s network configuration.
  • CVE-2020-25166 (CVSS 6.8) – Improper verification of the cryptographic signature of firmware updates, which allows an attacker to generate valid firmware updates with arbitrary content that can be used to tamper with devices.
  • CVE-2020-16238 (CVSS 6.7) – Improper privilege management that gives attackers command line access to the underlying Linux system and allows privileges to be escalated to root.
  • CVE-2020-25152 (CVSS 6.5) – Session fixation vulnerability allowing hijacking of web sessions and escalation of privileges.
  • CVE-2020-25154 (CVSS 5.4) – Open redirect vulnerability allowing redirection to malicious websites.
  • CVE-2020-25164 (CVSS 5.1) – Use of a one-way hash that allows the recovery of user credentials for the administrative interface.
  • CVE-2020-25168 (CVSS 3.3) – Use of hard-coded credentials that would allow command line access to the device’s Wi-Fi module.

B. Braun has released updates to correct the flaws. Users should update to SpaceCom version U62 or later and Battery Pack SP with Wi-Fi version U62 or later.

B. Braun also recommends that devices should not be accessible directly from the internet, that a firewall be used, and that medical devices be isolated from the business network.

The vulnerabilities were identified by Julian Suleder, Nils Emmerich, and Birk Kauer of ERNW Research GmbH, and Dr. Oliver Matula of ERNW Enno Rey Netzwerke GmbH.

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
