Dräger Infinity Acute Care System and Standalone Infinity M540 Network Message Handling Vulnerability Allowing Spoofing and Denial-of-Service

Vulnerability

A vulnerability exists in the Dräger Infinity Acute Care System and Standalone Infinity M540 patient monitors running software versions VG4.1.1, VG4.0.3, and earlier. This vulnerability allows network-adjacent attackers to spoof or tamper with data, leading to denial-of-service conditions. Attackers with access to an enabled Infinity network port or who are physically close to a wireless access point can exploit this vulnerability to modify device settings, such as alarm states or limits. Additionally, the vulnerability can be used to overwhelm the system with incoming data, causing the device to reboot and lose network functionality.

Impact

Exploitation of this vulnerability allows for data spoofing or tampering and causes denial-of-service conditions, where the device reboots and loses network functionality.

Added: Jun 2, 2026, 2:41 PM
Updated: Jun 2, 2026, 2:41 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 5.0
exploitability: 4.9
remediation: 0.0
relevance: 9.8
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.