CVE-2025-15653: Dräger Zeus Anesthesia Workstation USB Security Vulnerability
Dräger's Zeus Infinity Empowered and Zeus RS C500 anesthesia workstations have a security flaw that allows someone with physical access to a device to compromise its software through USB ports. An attacker could interfere with anesthesia delivery, alter medical data, or use the device as a stepping stone to attack a hospital network if the workstation is networked or connected to Dräger's service platform.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 6.8 MEDIUM · CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- Weaknesses (CWE)
- CWE-668
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-06-02 / 2026-06-17
NVD description (verbatim)
Dräger Zeus Infinity Empowered (Zeus IE) and Zeus RS C500 anesthesia workstations contain a local security vulnerability that allows unauthorized individuals with physical access to compromise software integrity via USB interface manipulation. Attackers can exploit the unprotected USB interfaces to impair therapy functions, manipulate device-processed data, or leverage the device as a pivot point for broader network-based attacks when connected to a network or Dräger Service Connect.
2 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2025-15653 describes insufficient protection of USB interfaces on Dräger anesthesia delivery systems. The vulnerability stems from inadequate access controls on USB ports, enabling direct manipulation of device firmware or software components. An attacker with physical proximity can exploit this to modify the device's behavior, corrupt therapy-related functions, or establish persistence. When the affected workstation connects to a hospital network or Dräger Service Connect infrastructure, the compromised device becomes a potential vector for lateral movement and broader infrastructure compromise. The vulnerability is classified as CWE-668 (Exposure of Resource to Wrong Sphere).
Business impact
In a healthcare delivery context, this vulnerability poses a direct patient safety risk. Compromised anesthesia workstations could deliver incorrect therapy parameters, fail to monitor patient vitals correctly, or become unavailable during critical procedures. Beyond immediate bedside impact, network-connected devices create supply-chain and operational continuity risks. Hospital IT teams face potential downstream network intrusions if a Zeus workstation is leveraged as an entry point. For biomedical engineering and OR management, this requires rethinking physical security protocols around expensive, networked medical devices and introduces complexity into device maintenance and decommissioning procedures.
Affected systems
The vulnerability affects Dräger Zeus Infinity Empowered (Zeus IE) and Zeus RS C500 anesthesia workstations. No specific product versions, firmware versions, or patch cutoff dates are listed in the vulnerability advisory, necessitating direct consultation with Dräger for detailed impact scope and remediation guidance.
Exploitability
Exploitation requires physical access to the device (CVSS vector AV:P), which is present in hospital operating rooms, recovery areas, and equipment storage. No special privileges, authentication, or user interaction are needed once physical access is obtained. While the attack vector is not remote, the risk is material in healthcare environments where equipment is accessible to staff, contractors, and—in cases of inadequate physical security—unauthorized individuals. The attack complexity is low, making it straightforward to execute.
Remediation
Dräger has released or will release patches to restrict or protect USB interface functionality. Organizations should immediately contact Dräger technical support to identify applicable patches and firmware updates for their specific Zeus IE and RS C500 models and software versions. In parallel, implement compensating controls: restrict physical access to workstations via locked equipment cabinets or restricted-access ORs, disable non-essential USB ports, establish detailed equipment access logs, and conduct staff security awareness training on the risks of unauthorized device manipulation.
Patch guidance
Verify the applicable patch and firmware updates directly with Dräger or through your organization's biomedical equipment vendor/service partner. Patch deployment should be coordinated with clinical operations to ensure minimal downtime and validated functionality post-update. Before applying patches in production, test them in a non-clinical environment that mirrors your deployment. Document the patch version, deployment date, and all affected serial numbers for audit and compliance purposes.
Detection guidance
Monitor for physical tampering indicators: unexpected USB device activity, firmware hash changes, or unauthorized configuration alterations. If your workstations are networked, baseline their network behavior and alert on anomalous outbound connections or lateral scanning. Implement access logs on any locked equipment enclosures where Zeus workstations are stored. Conduct periodic integrity checks on device firmware (compare against known-good baselines provided by Dräger). If you maintain device audit logs, review them for evidence of configuration changes or unauthorized access attempts. Consider implementing device certificates or cryptographic signatures to verify firmware authenticity.
Why prioritize this
Although the CVSS score of 6.8 is 'Medium,' this vulnerability merits high prioritization in healthcare settings because it directly threatens patient safety, affects critical life-support equipment, and exploits a physical vector that is difficult to eliminate in real-world hospital workflows. The risk is not mitigated by network segmentation alone and affects therapy delivery integrity—a core function of the device. Even low-probability physical access exploits carry disproportionate consequence in clinical contexts. Prioritize patching based on device location and frequency of use.
Risk score, explained
The CVSS 3.1 score of 6.8 (Medium) reflects the physical access requirement (AV:P), which reduces the attack surface compared to networked exploits. However, the impact metrics are high across confidentiality, integrity, and availability (C:H/I:H/A:H), indicating that a successful compromise fully impacts all three security properties. The score appropriately penalizes the physical access requirement but does not discount the severity of medical device compromise. In healthcare risk modeling, this score should be elevated contextually to account for patient harm potential and the difficulty of detecting post-exploitation device compromise.
Frequently asked questions
Can this vulnerability be exploited remotely?
No. The CVSS vector specifies physical access (AV:P), meaning an attacker must have direct, hands-on contact with the USB ports. However, once a device is compromised, it can potentially be used to pivot into a hospital network if networked, expanding the attack surface downstream.
What versions of Zeus IE and RS C500 are affected?
Vendor-specific version information is not included in the published CVE record. Contact Dräger directly or work with your biomedical equipment vendor to determine which of your deployed models and firmware versions are vulnerable and for which patches are available.
If my workstations are air-gapped from the network, am I safe?
Air-gapping significantly reduces downstream network attack risk, but you remain vulnerable to local compromise if physical access controls are weak. Air-gapped devices can still have their therapy functions manipulated, and they may be connected to the network in the future during upgrades or service, creating a window of exposure.
What should I do if I suspect a workstation has been physically tampered with?
Isolate the device from the network immediately, do not use it for patient care, and document the incident. Contact Dräger technical support and your biomedical engineering team to inspect the device, verify firmware integrity, and review access logs. Report the incident to your hospital security and clinical risk management teams.
This analysis is provided for informational purposes and does not constitute medical device regulatory advice, clinical guidance, or a substitute for vendor advisories. All information is current as of the publication date. Patch availability, version numbers, and remediation steps must be verified against official Dräger security advisories and your organization's biomedical equipment vendor. Patient safety decisions and device usage should be coordinated with clinical engineering, patient safety, and medical staff leadership. SEC.co assumes no liability for device malfunction, patient harm, or operational disruption resulting from vulnerability or remediation actions. Consult your legal and compliance teams regarding reporting obligations under FDA medical device cybersecurity guidance. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Weaknesses (CWE)
Related vulnerabilities
- CVE-2018-25384MEDIUMStored XSS in Wikidforum 2.20 Allows Authenticated Attackers to Inject Malicious Scripts
- CVE-2018-25387MEDIUMHaPe PKH 1.1 Cross-Site Request Forgery (CSRF) Admin Password Reset
- CVE-2018-25393MEDIUMNavigate CMS 2.8.5 Path Traversal Vulnerability (CVSS 6.5)
- CVE-2018-25397MEDIUMCSRF Vulnerability in PHP-SHOP 1.0 – Admin Account Injection
- CVE-2018-25421MEDIUMOpen STA Manager 2.3 Path Traversal File Download Vulnerability
- CVE-2018-25423MEDIUMBuffer Overflow Denial of Service in Arm Whois 3.11
- CVE-2018-25435MEDIUMZeusCart 4.0 CSRF Vulnerability – Account Deactivation Risk
- CVE-2019-25716MEDIUMDräger Patient Monitor Denial-of-Service Vulnerability