CVE-2019-25722: Hard-Coded Credentials and DoS in Dräger Patient Monitoring Devices
Dräger's patient monitoring devices contain hard-coded login credentials embedded in their source code and are vulnerable to denial-of-service attacks via malformed network packets. An attacker with physical access can use these credentials to gain unauthorized entry and reconfigure clinical settings. A remote attacker can crash the devices repeatedly, severing network connectivity and interrupting patient monitoring—a particularly serious concern in hospital environments where continuous surveillance is critical to patient care.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 7.6 HIGH · CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H
- Weaknesses (CWE)
- CWE-798
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-06-02 / 2026-06-17
NVD description (verbatim)
Dräger SC Monitoring devices (SC 6002XL, SC 6802XL, SC 7000, SC 8000, SC 9000 XL) contain hard-coded plaintext credentials in source code and a denial-of-service vulnerability that allows local and remote attackers to compromise device integrity across all software versions. A local attacker with direct device access can use the hard-coded credentials to access service and clinical accounts and alter device configuration, while a remote attacker can send malformed network packets to cause repeated device reboots, ultimately resulting in loss of network connectivity and disruption of patient monitoring.
2 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2019-25722 affects Dräger SC series monitoring devices (SC 6002XL, SC 6802XL, SC 7000, SC 8000, SC 9000 XL) across all software versions. The vulnerability has two components: (1) hard-coded plaintext credentials in source code allow local attackers to authenticate as service or clinical accounts and modify device configuration; (2) a denial-of-service condition is triggered by remotely sending malformed network packets, causing repeated reboots that result in loss of network connectivity. The CVSS 3.1 score of 7.6 (HIGH) reflects the combination of authentication bypass and high-impact availability loss, with the attack vector being adjacent network or local. CWE-798 (hard-coded credentials) is the primary weakness.
Business impact
In operational hospital settings, this vulnerability creates dual risks: unauthorized clinical staff can alter monitoring parameters without audit trails, potentially masking or misrepresenting patient vital signs; simultaneously, remote attackers can disable devices entirely by forcing repeated reboots, creating gaps in patient supervision and triggering alarm fatigue. The disruption to network connectivity means that central monitoring stations lose real-time telemetry, complicating clinical decision-making during critical moments. Remediation delays expose institutions to both regulatory scrutiny (FDA, hospital accreditation bodies) and liability if patient harm occurs during an outage or due to unauthorized configuration changes.
Affected systems
All software versions of the following Dräger SC series are affected: SC 6002XL, SC 6802XL, SC 7000, SC 8000, and SC 9000 XL. No vendor advisory specifying fixed software versions has been provided in the source data; verify remediation status directly with Dräger and cross-reference any available patches or firmware updates against the affected device serial numbers and current installed versions in your inventory.
Exploitability
Local exploitation is straightforward: an attacker with physical device access can extract or guess hard-coded credentials from source code or firmware, then use them to log in and alter settings. Remote exploitation also requires minimal complexity—sending malformed network packets to trigger a denial-of-service condition does not require authentication or user interaction. The attack surface is notable because patient monitoring devices are typically on trusted hospital networks, so internal threat actors (disgruntled staff, compromised accounts) and network-adjacent attackers pose realistic risks. Public exploit code availability is not confirmed; however, the simplicity of both attack vectors (credential reuse and malformed packet injection) suggests that weaponization is feasible.
Remediation
Contact Dräger immediately to obtain patched firmware or software updates for your affected device models. If patches are unavailable or delayed, implement compensating controls: (1) physically restrict device access to authorized clinical and biomedical staff; (2) isolate monitoring devices on a segmented VLAN with strict network access controls (whitelist only legitimate monitoring station and integration endpoints); (3) monitor device logs for unexpected login attempts or configuration changes; (4) consider temporary redundancy (backup monitoring equipment or secondary telemetry) for the most critical patient care areas. Test any firmware update in a non-production environment before deployment.
Patch guidance
Verify the current firmware or software version installed on each affected device (SC 6002XL, SC 6802XL, SC 7000, SC 8000, SC 9000 XL) through the device interface or administrative console. Consult Dräger's support portal and security advisories for the availability of patched versions. When patches are available, follow Dräger's documented update procedures, which typically require device downtime; coordinate with clinical staff and scheduling to minimize patient monitoring interruptions. Document the pre- and post-patch versions for compliance and audit purposes. If patches are not yet available, escalate to Dräger support to confirm timeline and request interim guidance (e.g., firmware backports or extended support).
Detection guidance
Monitor device logs for failed and successful login attempts, especially to service and clinical accounts, and flag any unexpected or out-of-hours access. Track configuration changes via the device's audit trail (if available), and alert on any modifications to monitoring parameters, alarm thresholds, or network settings. At the network level, capture and analyze traffic patterns to the monitoring devices; look for repeated reboot cycles (evidenced by device disconnect/reconnect events or resets in connection state) that could indicate a denial-of-service attack. Establish baseline traffic profiles and alert on anomalous packet types or volumes directed at these devices. Correlate reboots with any observed network anomalies or intrusion detection alerts.
Why prioritize this
Although not yet listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, the combination of unauthenticated remote denial-of-service and hard-coded credential authentication makes this vulnerability a high-priority target for adversaries in healthcare-focused campaigns. The directly exploitable nature and the critical role of these devices in patient care—any disruption poses immediate safety risks—warrant urgent remediation efforts. Organizations should treat this as a category-1 priority in medical device security roadmaps, behind only zero-day or actively exploited vulnerabilities.
Risk score, explained
The CVSS 3.1 score of 7.6 (HIGH) is driven by: (1) Attack Vector: Adjacent (AV:A)—the device is typically on a hospital network, making it accessible to internal or network-adjacent attackers without internet traversal; (2) Access Complexity: Low (AC:L)—hard-coded credentials and denial-of-service mechanics require no sophisticated tooling; (3) Privileges Required: None (PR:N)—no prior authentication or privileges needed for the DoS vector; (4) User Interaction: None (UI:N)—attacks succeed autonomously; (5) Confidentiality & Integrity: Low (C:L, I:L)—credentials allow unauthorized access and configuration changes but not full system takeover; (6) Availability: High (A:H)—denial-of-service causes complete loss of device functionality. The score reflects serious but not critical severity; remediation should not wait, but the risk is manageable with compensating controls.
Frequently asked questions
Can the hard-coded credentials be changed or disabled?
Not without a firmware update from Dräger. Hard-coded credentials are compiled into the device software; end-users cannot modify or remove them. Until a patch is available, the only mitigation is restricting physical and network access to the devices and monitoring for suspicious login activity. Coordinate with Dräger to determine if any interim updates or configuration changes are possible.
If a device reboots due to denial-of-service, will patient data be lost?
Reboots themselves typically do not erase stored patient data on modern monitoring devices, but the loss of network connectivity during repeated reboots means that real-time data streaming to central monitoring stations and electronic health records is interrupted. Any alerts or trend analysis relying on continuous data feed will be disrupted, creating gaps in clinical visibility. After recovery, historical data stored locally on the device should be retrievable.
What if we cannot apply patches immediately?
Implement network segmentation (VLAN isolation), strict access control lists (ACLs), and close monitoring of device logs and network traffic. Disable unnecessary network services on the device if Dräger's documentation permits. Maintain redundant monitoring capability (backup equipment or secondary telemetry channels) in high-risk patient care areas. Escalate to your clinical engineering and security teams to establish a firm patch timeline, and work with Dräger to understand the availability and testing requirements for patches.
Is this vulnerability being exploited in the wild?
The vulnerability is not currently listed on CISA's Known Exploited Vulnerabilities (KEV) list as of the available data. However, the ease of exploitation and the high-value target (patient monitoring in healthcare settings) makes it an attractive vector for threat actors. Assume active interest from financially motivated and state-sponsored adversaries; do not rely solely on lack of current public exploit reports to justify delay in remediation.
This analysis is provided for informational purposes and should not be construed as medical advice or clinical guidance. Remediation decisions must involve clinical engineering, IT security, and patient safety teams. Consult Dräger's official security advisories and vendor documentation for definitive patch availability, compatibility, and deployment procedures. Testing of patches in non-production environments is essential before hospital-wide deployment. SEC.co makes no warranty regarding the completeness or accuracy of this summary; verify all facts against vendor advisories and your own vulnerability intelligence sources. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Weaknesses (CWE)
Related vulnerabilities
- CVE-2026-36606HIGHMercusys AC12G V1 Hardcoded DES Encryption in Configuration Backups
- CVE-2026-21404MEDIUMNAVTOR NavBox Hard-Coded SOAP Credentials Allow Local File Modification
- CVE-2026-25600MEDIUMPDBM Hard-Coded Encryption Secret Vulnerability
- CVE-2026-36616MEDIUMMercusys AC12G Hardcoded WiFi Credentials Vulnerability
- CVE-2018-25382HIGHZechat 1.5 SQL Injection Vulnerability – Unauthenticated Database Access
- CVE-2018-25383HIGHFree MP3 CD Ripper 2.8 Stack Overflow – ROP and DEP Bypass Risk
- CVE-2018-25385HIGHUnauthenticated SQL Injection in E-Registrasi Pencak Silat 18.10
- CVE-2018-25386HIGHSQL Injection in HaPe PKH 1.1 Admin Interface