HIGH 7.5

CVE-2024-14036: Dräger Core Denial of Service via Malformed SDC Messages

Dräger Core 1.0.5 and Dräger M540 Converter Service 1.0.9 contain a denial of service flaw affecting hospital networks. An attacker on the same network can send specially crafted, unencrypted discovery messages that force the affected system to consume excessive CPU resources. Once the system is overloaded, it stops processing legitimate discovery messages, disrupting device communication. This requires network access but no authentication.

Source data · NVD / CISA · public domain

CVSS
3.1 · 7.5 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Weaknesses (CWE)
CWE-400
Affected products
0 configuration(s)
Published / Modified
2026-06-02 / 2026-06-17

NVD description (verbatim)

Dräger Core 1.0.5 and Dräger M540 Converter Service 1.0.9 contain a denial of service vulnerability that allows network-adjacent attackers to trigger high CPU load by sending specially crafted, unencrypted SDC messages during the discovery process. Attackers with access to the hospital network can send malformed SDC packets to exhaust CPU resources in the affected process, causing further SDC messages to no longer be processed.

2 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

The vulnerability exists in the Service Discovery Protocol (SDC) message processing logic during the device discovery phase. Attackers can exploit CWE-400 (Uncontrolled Resource Consumption) by transmitting malformed SDC packets that trigger inefficient CPU utilization in the affected Dräger processes. The unencrypted nature of discovery-phase communication means the attack surface includes any network-adjacent position. Once CPU exhaustion occurs, the service degrades and fails to process subsequent SDC messages, creating a sustained denial of service condition.

Business impact

Hospital operations depend on reliable device communication for patient monitoring and care coordination. This DoS vulnerability can degrade or disable critical device discovery and connectivity features, potentially affecting patient safety workflows. The impact is particularly acute in environments where Dräger Core and M540 Converter Service instances are actively managing medical device networks. Extended downtime forces manual workarounds and may trigger incident response overhead.

Affected systems

Dräger Core version 1.0.5 and Dräger M540 Converter Service version 1.0.9 are explicitly affected. Organizations running these specific versions on networked infrastructure—particularly in hospital settings—should assume exposure. Verify exact deployment versions in your environment; earlier or later versions may have different risk profiles pending vendor confirmation.

Exploitability

Exploitability is high: the attack requires only network access (AV:N), no authentication (PR:N), and is trivial to execute (AC:L). Any system accessible from the hospital network, including compromised medical devices or rogue VLAN access, can launch this attack. No user interaction is required. The barrier to exploitation is minimal, making this a practical risk for insider threats or lateral movement scenarios.

Remediation

Upgrade Dräger Core to a patched version beyond 1.0.5 and Dräger M540 Converter Service to a version beyond 1.0.9, as specified in the vendor advisory. Implement network segmentation to restrict SDC discovery traffic to trusted medical device networks. Deploy access controls to limit which systems can communicate with affected Dräger services. Verify patch deployment in test environments before production rollout to ensure no breaking changes to device communication workflows.

Patch guidance

Contact Dräger support or review the official security advisory for specific patched version numbers for your deployment model. Test patches in a non-production environment first to confirm compatibility with your existing medical device ecosystem. Once validated, apply patches to all instances of Dräger Core 1.0.5 and M540 Converter Service 1.0.9 in your inventory. Document patch status to support compliance and incident response readiness.

Detection guidance

Monitor affected Dräger processes for abnormal CPU utilization spikes coinciding with network traffic anomalies. Enable logging for SDC discovery messages and flag malformed packets or excessive discovery requests from unexpected sources. Network-level detection should focus on unusual SDC packet patterns or repeated connection attempts to discovery ports. Correlate CPU load anomalies on Dräger systems with network IDS/IPS alerts for unencrypted SDC traffic from suspicious origins.

Why prioritize this

This vulnerability earns HIGH severity due to the combination of easy exploitation (network access, no auth), direct impact on availability in a critical healthcare setting, and the unencrypted discovery mechanism that widens the attack surface. Although not yet listed as actively exploited (KEV status: false), the simplicity of the attack and the operational criticality of device discovery in hospitals justify immediate patching.

Risk score, explained

CVSS 3.1 score of 7.5 reflects a network-based attack (AV:N) with low complexity (AC:L), no privilege or interaction requirements (PR:N, UI:N), and high availability impact (A:H). The scope is unchanged (S:U), meaning the attack affects only the vulnerable component. The score does not account for contextual factors like the healthcare environment or regulatory compliance obligations, which may further elevate business risk in your organization.

Frequently asked questions

Do I need to replace hardware, or is this a software patch?

This is a software vulnerability in Dräger Core and the M540 Converter Service. Patching or upgrading the affected software should resolve it. No hardware replacement is required unless your infrastructure version constraints prevent software updates.

Can this vulnerability be exploited from outside the hospital network?

No. The vulnerability requires network-adjacent access (AV:N in CVSS terms means network access, but within the same network segment). External internet-based attacks are not possible. However, compromised devices, rogue access points, or insider threats on the hospital network can exploit it.

What is SDC and why is it unencrypted during discovery?

SDC (Service Discovery Protocol) is used by medical devices to locate and announce services on the network. Discovery typically operates on unencrypted channels by design to allow devices to bootstrap communication. This vulnerability exploits that inherent openness; patching hardens the discovery message processing logic rather than encrypting the protocol itself.

Will this DoS attack cause patient harm or data theft?

The vulnerability causes availability impact only (DoS); there is no confidentiality or integrity compromise, so patient data is not stolen or corrupted. However, disrupted device communication during a sustained attack could affect real-time monitoring workflows, which is why rapid remediation is important.

This analysis is provided for informational purposes to support vulnerability management and patch prioritization. Verify all version numbers, patch availability, and compatibility with your specific Dräger deployment by consulting the official Dräger security advisory and your vendor's documentation. SEC.co does not provide medical device regulatory compliance advice; coordinate patching with your biomedical engineering and compliance teams. No exploit code or weaponization details are included. Organizations should conduct their own risk assessment in the context of their operational environment. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).