CVE-2019-25721: Dräger Infinity M300 Denial-of-Service Vulnerability – Network-Induced Device Reboots
Dräger Infinity M300 wearable patient monitors running software version VG2.3.1 or earlier are vulnerable to network-based denial-of-service attacks. An attacker positioned on the same network can send specially crafted requests that force the device to reboot repeatedly, effectively taking the monitor offline and disrupting patient monitoring. This is a network-adjacent threat that requires no authentication or user interaction to trigger.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 6.5 MEDIUM · CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
- Weaknesses (CWE)
- CWE-400
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-06-02 / 2026-06-17
NVD description (verbatim)
Dräger Infinity M300 patient worn monitors with software version VG2.3.1 and earlier contain a network-based denial of service vulnerability that allows network-adjacent attackers to repeatedly trigger device reboots by sending malicious requests over the Infinity Network. Attackers can exploit this vulnerability to force the device into a fail state requiring manual restart, causing loss of wireless connectivity and interruption of patient monitoring functionality.
2 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2019-25721 is a CWE-400 (Uncontrolled Resource Consumption) denial-of-service vulnerability in Dräger Infinity M300 wearable monitors. The flaw allows an unauthenticated, network-adjacent attacker to transmit malicious requests over the Infinity Network protocol, triggering uncontrolled device reboots. Affected devices lose wireless connectivity and cease patient monitoring operations until manual intervention restores them. The vulnerability affects VG2.3.1 and all earlier firmware versions. CVSS 3.1 score of 6.5 (Medium) reflects high availability impact but no confidentiality or integrity compromise.
Business impact
Patient monitoring discontinuity directly threatens clinical decision-making and patient safety. Repeated forced reboots create gaps in continuous vital-sign tracking, delay alarm notifications, and force clinical staff to manually reset devices, consuming resources and creating workflow disruption. In critical care, intensive care, and perioperative settings where the M300 is typically deployed, even brief monitoring lapses can complicate clinical oversight. Organizations may face regulatory scrutiny if monitoring gaps correlate with adverse patient events.
Affected systems
Dräger Infinity M300 wearable patient monitors running firmware version VG2.3.1 and earlier are affected. The vulnerability requires the device to be connected to an Infinity Network. Verify your deployed firmware version against Dräger's device management or clinical engineering inventory to identify affected units.
Exploitability
Exploitability is moderate. The attack requires network adjacency (attacker must share network access with the target device) but no authentication, credentials, or user interaction. Network-adjacent positioning is achievable in clinical environments where M300 devices operate on medical-device VLANs or shared wireless networks. An attacker with internal network access—whether rogue staff, compromised credentials, or lateral movement—can exploit this reliably and repeatedly.
Remediation
Upgrade all Dräger Infinity M300 monitors to firmware version later than VG2.3.1. Consult Dräger's security advisory for confirmed patch version numbers and upgrade procedures. Given the clinical setting, coordinate firmware updates during planned maintenance windows and validate device functionality post-upgrade. Implement network segmentation to restrict Infinity Network traffic to authorized clinical equipment and management consoles; restrict external network-adjacent access to medical device networks via VLAN isolation and firewall rules.
Patch guidance
Contact Dräger technical support or consult the vendor security advisory to confirm the exact patch version that addresses CVE-2019-25721 and verify compatibility with your deployed M300 hardware revisions. Plan upgrades during low-census or maintenance windows to minimize clinical impact. After patching, perform functional validation including wireless connectivity testing and alarm notification verification before returning devices to clinical use. Document patch version and deployment date for compliance and incident response records.
Detection guidance
Monitor network traffic for unusual request patterns directed at M300 devices on your Infinity Network, particularly rapid, repetitive connection attempts or malformed protocol messages. Correlate network flow data with device reboot events logged in Dräger device management systems or clinical engineering monitoring. Establish alerting for unexpected M300 reboots during patient monitoring sessions. Conduct network segmentation audit to verify M300 devices are isolated from untrusted network segments and that access control lists restrict unauthorized protocol interaction.
Why prioritize this
Although CVSS score is Medium (6.5), the clinical context elevates risk. Any interruption to continuous patient monitoring in critical care environments poses direct harm potential. The low barrier to exploitation (network adjacency, no auth) combined with high operational impact (loss of vital-sign data, alarm delays) and the presence of an unauthenticated attack vector justify prompt patching. However, lack of KEV designation and the requirement for network-adjacent positioning mean this does not warrant emergency-tier response; standard medical-device patch cycles apply.
Risk score, explained
CVSS 3.1 score of 6.5 (Medium) is driven by Attack Vector: Adjacent (AV:A), Access Complexity: Low (AC:L), Privilege Required: None (PR:N), User Interaction: None (UI:N), Availability Impact: High (A:H), with no confidentiality or integrity impact. The score accurately reflects that an unauthenticated attacker can reliably cause service degradation without privilege escalation or data breach, but only from network-adjacent position. In a clinical setting where M300 devices operate on segregated medical networks, the practical exploitability may be lower than the standalone CVSS suggests.
Frequently asked questions
Does this vulnerability compromise patient data or device authentication?
No. CVE-2019-25721 is a denial-of-service flaw that affects only device availability. It does not compromise stored patient data, communication encryption, or authentication mechanisms. The attacker can only force reboots; they cannot access or exfiltrate patient information.
Can this be exploited from the internet?
No. This is a network-adjacent vulnerability (AV:A in CVSS terms), meaning the attacker must be on the same local network segment as the M300 device. Internet-based attacks are not possible. However, any internal network attacker or compromised endpoint sharing the Infinity Network can exploit it.
Is there a workaround if we cannot patch immediately?
Yes. Implement strict network segmentation to isolate M300 devices to a dedicated, restricted VLAN with egress/ingress firewall rules that permit only authorized protocol traffic and management consoles. Limit access to clinical staff and exclude unmanaged endpoints. This reduces attack surface while you plan and execute firmware upgrades during maintenance windows.
How do I verify if my devices are running vulnerable firmware?
Check the firmware version on each M300 device via the device menu or management interface; compare against VG2.3.1. If your version is VG2.3.1 or earlier, the device is vulnerable. Consult Dräger's device inventory or clinical engineering records for fleet-wide visibility. After patching, verify new version is later than VG2.3.1 per your vendor advisory.
This analysis is provided for informational purposes to aid vulnerability assessment and remediation prioritization. SEC.co makes no warranty regarding the accuracy, completeness, or timeliness of this content. Verify all patch versions, compatibility, and deployment procedures against official Dräger security advisories and vendor documentation before implementing any remediation. Consult your medical device management and clinical engineering teams before any firmware updates in clinical environments. This vulnerability analysis does not constitute medical advice or clinical safety guidance. Organizations deploying affected devices should assess risk in context of their specific clinical workflows, network architecture, and regulatory obligations (FDA, HIPAA, etc.). For authoritative technical details, consult CVE-2019-25721 and the official Dräger security advisory. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Weaknesses (CWE)
Related vulnerabilities
- CVE-2019-25724MEDIUMDräger Infinity M300 Denial-of-Service Vulnerability Impact on Patient Monitoring
- CVE-2025-48648MEDIUMAndroid NotificationManagerService Resource Exhaustion DoS
- CVE-2026-0042MEDIUMAndroid UBSan Resource Exhaustion Denial of Service
- CVE-2026-0069MEDIUMAndroid Resource Exhaustion in APK Signature Verification
- CVE-2026-0074MEDIUMAndroid LauncherProcessImageListener Denial of Service Vulnerability
- CVE-2026-10156MEDIUMOpen5GS Resource Exhaustion Vulnerability in nf-instances Endpoint
- CVE-2026-10224MEDIUMNousResearch hermes-agent Webhook Resource Exhaustion Vulnerability
- CVE-2026-10291MEDIUMReDoS in Enderfga claw-orchestrator validateRegex—Security Update