Patch Released to Correct Critical RCE Vulnerability in ZOLL Defibrillator Dashboard

The Cybersecurity and Infrastructure Security Agency (CISA) has released a security alert concerning 6 vulnerabilities identified in the ZOLL Defibrillator Dashboard, which include a remote code execution vulnerability with critical 9.9 severity.

An anonymous person reported to CISA these vulnerabilities that impact all ZOLL Defibrillator Dashboard versions earlier than version 2.2. A few of the vulnerabilities may be exploited remotely by an attacker even with a low level of skill.

Exploiting the vulnerabilities can enable non-admin end users to obtain remote code execution and engage in stealing credentials that would affect the integrity, confidentiality, and availability of the program.

ZOLL has affirmed that the 6 vulnerabilities were repaired in the ZOLL Defibrillator Dashboard version 2.2. Consumers were informed to perform an upgrade of the solution to version 2.2 or after without delay. ZOLL additionally mentioned that in case of any disparity with the Defibrillator Dashboard, consider the defibrillator device to be the source of accurate information.

These are the vulnerabilities:

1. CVE-2021-27489 with a CVSS Severity Score of 9.9 is an unrestricted file upload that could permit remote code execution when exploited
2. CVE-2021-27481 with a CVSS Severity Score of 7.1 is a hard-coded cryptographic key that could permit theft of sensitive data when exploited
3. CVE-2021-27487 with a CVSS Severity Score of 7.1 involves sensitive data stored in cleartext and could permit theft of sensitive data when exploited
4. CVE-2021-27485 with a CVSS Severity Score of 7.1 involves vulnerabilities in passwords saved in recoverable format and could permit theft of credentials when exploited
5. CVE-2021-27483 with a CVSS Severity Score of 5.3 is an improper privilege management vulnerability that could permit an attacker to get elevated privileges to administrator level
6. CVE-2021-27479 with a CVSS Severity score of 4.6 is an improper neutralization of input while generating a web page that allows the injection of malicious scripts that can be implemented by users with higher privileges

Thus far, there are no reported attempts of vulnerability exploitation in the wild.

About Christine Garcia 1299 Articles
Christine Garcia is the staff writer on Calculated HIPAA. Christine has several years experience in writing about healthcare sector issues with a focus on the compliance and cybersecurity issues. Christine has developed in-depth knowledge of HIPAA regulations. You can contact Christine at [email protected]. You can follow Christine on Twitter at https://twitter.com/ChrisCalHIPAA