Eppendorf BioFlo 320 VNC Server Hard-Coded Password Vulnerability Allowing Unauthorized Control

Vulnerability

The VNC server in the Eppendorf BioFlo 320 bioreactor uses a hard-coded password. On models with remote access enabled, a remote attacker who knows the network address of the device can gain full control of the user interface. Exploitation is made easier because VNC traffic is unencrypted, and all control panel features are accessible to the attacker.

Impact

Exploitation of this vulnerability could result in unauthorized users gaining complete access to the bioreactor's functionality and data.

Remediation

Eppendorf has released a software update that removes VNC access from the controller. Users should download and apply this update from the Eppendorf Software Downloads page. Additionally, users are advised to verify that VNC is disabled on the controller, enable security settings to restrict VNC configuration changes to Admin and Supervisor roles, and install Version 5.0 Software as soon as possible.
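
One way to carry out the "verify that VNC is disabled" step across your own controllers, as an added example (not Eppendorf's or this page's code): it connects to each address and looks for the RFB ProtocolVersion greeting that a VNC server sends first. Port 5900 is the common VNC default and an assumption here, as are the function names and the sample addresses.

```python
import re
import socket

# RFB (VNC) servers open with a 12-byte ProtocolVersion message: b"RFB xxx.yyy\n"
RFB_BANNER = re.compile(rb"^RFB (\d{3})\.(\d{3})\n$")
DEFAULT_VNC_PORT = 5900  # assumption: common VNC default, not stated on the page


def parse_rfb_banner(data: bytes):
    """Return (major, minor) if data is an RFB ProtocolVersion message, else None."""
    m = RFB_BANNER.match(data[:12])
    return (int(m.group(1)), int(m.group(2))) if m else None


def check_vnc(host: str, port: int = DEFAULT_VNC_PORT, timeout: float = 3.0) -> str:
    """Classify the port as 'closed', 'open-no-rfb' or 'vnc-listening'."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            data = b""
            try:
                while len(data) < 12:
                    chunk = s.recv(12 - len(data))
                    if not chunk:
                        break
                    data += chunk
            except (socket.timeout, ConnectionError):
                pass  # no greeting arrived in time; judge whatever was received
    except OSError:
        return "closed"  # refused, unreachable or filtered
    return "vnc-listening" if parse_rfb_banner(data) else "open-no-rfb"


def audit(controllers, port: int = DEFAULT_VNC_PORT):
    """Map each controller address in your own inventory to its status."""
    return {host: check_vnc(host, port) for host in controllers}


if __name__ == "__main__":
    # Constructed inventory (documentation-range addresses); replace with your controllers.
    for host, status in audit(["192.0.2.10", "192.0.2.11"]).items():
        print(f"{host}: {status}")
```

A result of `vnc-listening` means the controller still answers as a VNC server and the update or the disable setting has not taken effect on that unit.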

Added: May 26, 2026, 10:32 PM
Updated: May 26, 2026, 10:32 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 5.0
exploitability: 7.4
remediation: 0.0
relevance: 9.6
threat: 0.0
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.