Friday, 6 June 2025
B. Braun ensures high security standards throughout the product life cycle by using globally accepted standards. We have established processes to monitor the latest vulnerabilities, threats, or risks and will proactively implement measures as required.
Successful exploitation of these vulnerabilities may allow an attacker to escalate privileges, download and upload arbitrary files, and perform remote code execution.
Note that all listed vulnerabilities are in the server-side software that is separated from the infusion pumps. Safety of patients or users is not affected by these vulnerabilities.
B. Braun has received no reports of exploitation or incidents associated with these vulnerabilities in an actual use environment.
The following versions of B. Braun products are affected:
Other solutions of B. Braun are not affected.
An improper neutralization of inputs used in expression language allows remote code execution with the highest privileges on the server.
CVE-2025-3322 has been assigned to this vulnerability. A CVSS v3.1 base score of 10.0 has been assigned (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H). A CVSS v4.0 base score of 10.0 has been assigned (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H).
Missing protection against path traversal allows access to any file on the server.
CVE-2025-3365 has been assigned to this vulnerability. A CVSS v3.1 base score of 9.8 has been assigned (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). A CVSS v4.0 base score of 9.2 has been assigned (CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).
A predefined administrative account is not documented and cannot be deactivated. This account cannot be misused from the network, only by local users on the server.
CVE-2025-3321 has been assigned to this vulnerability. A CVSS v3.1 base score of 9.3 has been assigned (CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H). A CVSS v4.0 base score of 9.4 has been assigned (CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H).
CRITICAL INFRASTRUCTURE SECTORS: Healthcare and Public Health
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Germany
Fabian Weber and Dr. Florian Hauser with CODE WHITE GmbH reported these vulnerabilities to B. Braun.
B. Braun recommends applying updates:
Field Service Information FSI 14-25 “OnlineSuite AP3.0 - Security Fix” provides a patch to these issues.
As a general security measure, B. Braun recommends protecting the network with appropriate mechanisms:
Ensure the medical devices are not accessible directly from the internet. Use a firewall and isolate the medical devices from the business network.
Restrict the user access to the server to the minimum required users. Operate the OnlineSuite on a separate server that does not provide other services/applications and has no access to other sensitive data.
Please contact our global product security team at productsecurity@bbraun.com if you have any further questions, require detailed technical information, or have any other support issue concerning the security of our products and services.
If you are a B. Braun customer and need support in mitigating the above-mentioned vulnerabilities, please contact your local B. Braun representative.
If you are a B. Braun customer in the U.S. and need support in mitigating the above-mentioned vulnerabilities, please contact B. Braun Technical Support by calling 800-627-PUMP or by emailing AISTechSupport@bbraunusa.com.