CVE-2021-4479: Dräger Atlan A350 Denial of Service via Medibus Interface
Dräger Atlan A350 patient monitoring devices running firmware versions 1.00 through 1.01 are vulnerable to a denial-of-service attack delivered through the Medibus network interface. An attacker can send malformed data packets that the device fails to validate properly, causing the internal processor to become overloaded. Over several hours, this degradation manifests as loss of data transmission capability, delays in displaying vital sign curves, and discrepancies between measured airway pressure and displayed values—conditions that could compromise clinical decision-making in critical care settings.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 4.0 MEDIUM · CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:L
- Weaknesses (CWE)
- CWE-1286
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-06-02 / 2026-06-17
NVD description (verbatim)
Dräger Atlan A350 versions 1.00 up to and including 1.01 contains an improper input handling vulnerability that allows attackers to cause a denial of service by sending specifically crafted non-Medibus-compliant data through the Medibus interface. Attackers can transmit malformed data to overload the internal processor, gradually disrupting device operation over several hours and causing loss of data transmission, delayed display of real-time curves, and deviation between displayed airway pressure values and screen curves.
2 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2021-4479 is an improper input validation flaw in the Medibus interface implementation of affected Dräger Atlan A350 units. The vulnerability stems from insufficient sanitization of incoming network data (CWE-1286: Improper Validation of Specified Quantity in Input). Non-Medibus-compliant packets are not properly rejected or buffered; instead, they accumulate and consume processor resources. The attack is not instantaneous—it requires sustained transmission of crafted packets over hours to produce noticeable clinical impact. Network-based delivery via the Medibus protocol stack means the attacker needs network access to the device but not direct physical interaction or authentication credentials.
Business impact
In hospital environments where Atlan A350 devices monitor critical patients, degraded or delayed waveform display and data transmission loss directly threaten patient safety and clinical workflow. Clinicians rely on real-time airway pressure and vital sign curves for ventilation adjustments; display lag or data gaps introduce diagnostic uncertainty. Affected facilities may face increased alarm fatigue, need for manual verification of readings, and potential escalation of care incidents if device degradation goes undetected during high-acuity shifts. Device replacement or emergency firmware patching would disrupt monitoring continuity.
Affected systems
Dräger Atlan A350 patient monitors running firmware versions 1.00 and 1.01 are confirmed vulnerable. The vendor has not provided specific product revision numbers or related product lines confirmed as affected. Organizations should consult the official Dräger security advisory to determine whether other versions, regional variants, or connected integrated systems are in scope.
Exploitability
Exploitation requires network access to the Medibus interface—typically available only from systems already on the hospital network (e.g., central monitoring stations, gateways, or compromised clinical workstations). The attack vector is Network, but Attack Complexity is High, suggesting the attacker must satisfy specific protocol conditions or timing to trigger sustained degradation. The CVSS score of 4.0 (Medium) reflects that while the availability impact is real, the narrow scope (Scope Changed but only Availability affected), high barrier to access, and lack of authentication bypass mean opportunistic exploitation is unlikely. No public exploit code or active exploitation has been reported.
Remediation
Dräger has issued firmware updates addressing improper input handling in the Medibus interface. Organizations must verify the availability of patched firmware versions from Dräger and coordinate updates with their biomedical engineering and clinical teams to minimize monitoring downtime. Interim mitigations include network segmentation to restrict access to the Medibus interface and monitoring for unusual traffic patterns indicative of an exploitation attempt.
Patch guidance
Contact Dräger support to obtain and deploy the latest firmware for Atlan A350 units. Verify the new firmware version against Dräger's official advisory to confirm it addresses CVE-2021-4479. Schedule updates during low-acuity periods or with backup monitoring in place to maintain patient safety. Test patched devices in a non-clinical environment if possible before production deployment. Document the patching timeline and affected device serial numbers for compliance and audit purposes.
Detection guidance
Monitor Medibus network traffic for abnormally formatted or non-compliant packets targeting Atlan A350 devices, or look for repeated connection attempts from unexpected sources. Clinical engineering teams should watch for early-warning signs of degradation: occasional display lag or missed data points that gradually worsen over hours. Log analysis of device network interfaces may reveal sustained packet floods or protocol violations. Establish baseline performance metrics for Atlan A350 displays and alert on deviations in curve update frequency or data transmission latency.
Why prioritize this
Although the CVSS score is moderate (4.0), the clinical context elevates prioritization. Patient monitoring devices are safety-critical; any degradation in real-time data availability or display accuracy can influence clinical decisions. The attack is feasible only from the hospital network, reducing external threat likelihood, but insider or compromised-system scenarios are credible. Facilities with Atlan A350 units should prioritize patching over non-critical systems, but the availability impact and clinical dependency justify it above purely informational vulnerabilities.
Risk score, explained
CVSS 4.0 (Medium) reflects a network-accessible availability flaw with high attack complexity and limited scope (only the target device). No confidentiality or integrity exposure means the attacker cannot steal data or falsify readings—only degrade performance. The Scope Changed designation acknowledges that a single compromised Medibus network can potentially affect multiple connected devices or systems, but the primary impact remains denial of service to the targeted device. Organizations with robust network segmentation and monitoring may lower their operational risk significantly; those with flat clinical networks face higher practical exposure.
Frequently asked questions
Can an attacker see patient data or alter vital signs with this vulnerability?
No. This vulnerability enables denial of service (availability attack) only. It does not allow confidentiality breaches or integrity manipulation. An attacker cannot read patient records or falsify displayed values; they can only degrade the device's ability to receive, process, or display data over time.
Do we need to take the device offline immediately?
Not necessarily. The attack requires sustained, network-based crafted packet transmission over several hours to cause noticeable clinical degradation. If you have not detected abnormal traffic or performance decay, and your Medibus network is adequately segmented from untrusted systems, risk is lower in the short term. However, patching should be scheduled promptly and executed before the device is exposed to new network connections or architecture changes.
Is this vulnerability actively being exploited in the wild?
As of the last advisory update, there is no evidence of active exploitation or public proof-of-concept code. The vulnerability requires specific network access and knowledge of Medibus protocol internals, limiting appeal to opportunistic attackers. However, targeted campaigns against healthcare facilities by sophisticated threat actors remain a concern.
What if we cannot patch immediately?
Implement compensating controls: restrict Medibus interface access via network segmentation, disable remote monitoring features if not clinically necessary, and enhance monitoring for abnormal traffic. Ensure clinical staff are aware of potential display lag as a warning sign. Establish a concrete patching timeline with your biomedical and IT teams, and consider involving your healthcare risk management and patient safety committees to prioritize update scheduling.
This analysis is provided for informational purposes and does not constitute legal, medical, or professional safety advice. Organizations must verify all patch version numbers, compatibility, and deployment procedures against official Dräger security advisories and guidance. Patient safety decisions should involve clinical engineering, patient safety, and clinical leadership. SEC.co does not warrant the accuracy, completeness, or timeliness of any information herein and disclaims liability for decisions made based solely on this document. Always consult with your device vendor and qualified biomedical engineers before implementing mitigations or patches in production clinical environments. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Weaknesses (CWE)
Related vulnerabilities
- CVE-2019-25720MEDIUMDräger SC Monitoring DoS – Network Reboot Attack
- CVE-2019-25723MEDIUMDräger Perseus A500 Medibus DoS Vulnerability – CVSS 4.0 Analysis & Mitigation
- CVE-2026-10099MEDIUMXX-Net V5.16.6 WebSocket Frame Parsing Data Corruption
- CVE-2025-8873HIGHArista EOS IPsec Denial of Service Vulnerability
- CVE-2018-25384MEDIUMStored XSS in Wikidforum 2.20 Allows Authenticated Attackers to Inject Malicious Scripts
- CVE-2018-25387MEDIUMHaPe PKH 1.1 Cross-Site Request Forgery (CSRF) Admin Password Reset
- CVE-2018-25393MEDIUMNavigate CMS 2.8.5 Path Traversal Vulnerability (CVSS 6.5)
- CVE-2018-25397MEDIUMCSRF Vulnerability in PHP-SHOP 1.0 – Admin Account Injection