PT-2025-24052 · B. Braun · B. Braun Onlinesuite
Fabian Weber · Published 2025-06-06 · Updated 2025-06-09 · CVE-2025-3321
CVSS v4.0: 9.4 (Critical)
Vector: AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Name of the Vulnerable Software and Affected Versions
B.Braun OnlineSuite versions prior to AP 3.0
Description
A predefined administrative account is undocumented and cannot be deactivated. The account cannot be misused from the network; it can be misused only by local users on the server. The issue affects the management of infusion pumps in hospitals worldwide.
Recommendations
For B.Braun OnlineSuite versions prior to AP 3.0, apply the patch released by B.Braun to fix the issue. As a temporary workaround, consider restricting local access to the server to minimize the risk of exploitation.
Fix
LPE
Using Hardcoded Credentials
Affected Products
B. Braun Onlinesuite