CVE-2014-5406

Published: Jul 6, 2015Modified: May 6, 2026

9.3

Vector

AV:N/AC:M/Au:N/C:C/I:C/A:C

Exploitability: 8.6 / Impact: 10.0

Source: NVD

Description

The Hospira LifeCare PCA Infusion System before 7.0 does not validate network traffic associated with sending a (1) drug library, (2) software update, or (3) configuration change, which allows remote attackers to modify settings or medication data via packets on the (a) TELNET, (b) HTTP, (c) HTTPS, or (d) UPNP port. NOTE: this issue might overlap CVE-2015-3459.

Affected (1)

Products: Hospira: Lifecare Pcainfusion Firmware

1 product

Lifecare Pcainfusion Firmware

Configuration A

1 vulnerable · 2 platform

Vulnerable Software	Affected Versions
Hospira Lifecare Pcainfusion Firmware	Up to 5.0

Running on/with	Platform Versions
Hospira Lifecare Pca3	All versions
Hospira Lifecare Pca5	All versions

Related CWEs

Insufficient Verification of Data Authenticity

The product does not sufficiently verify the origin or authenticity of data, in a way that causes it to accept invalid data.

References (7)

http://www.fda.gov/MedicalDevices/Safety/AlertsandNotices/ucm446809.htm

Source: ics-cert@hq.dhs.gov

Third Party AdvisoryUS Government Resource

https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2015/icsa-15-125-01.json

Source: ics-cert@hq.dhs.gov

https://www.cisa.gov/news-events/ics-advisories/icsa-15-125-01

Source: ics-cert@hq.dhs.gov

https://xs-sniper.com/blog/2015/06/08/hospira-plum-a-infusion-pump-vulnerabilities/

Source: ics-cert@hq.dhs.gov

http://www.fda.gov/MedicalDevices/Safety/AlertsandNotices/ucm446809.htm

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party AdvisoryUS Government Resource

https://ics-cert.us-cert.gov/advisories/ICSA-15-125-01

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party AdvisoryUS Government Resource

https://xs-sniper.com/blog/2015/06/08/hospira-plum-a-infusion-pump-vulnerabilities/

Source: af854a3a-2127-422b-91ae-364da2661108

Timeline

No history available yet.