1 Executive Summary

• CVSS: 10.0 (v3.1) / 10.0 (v4.0)
• ATTENTION: Exploitable remotely/low and high skill level to exploit.
• Patient safety: Patient safety is not affected
• Vendor: B. Braun Melsungen AG
• Equipment: OnlineSuite
• Vulnerabilities: Improper Neutralization of Special Elements, Relative Path Traversal, Use of Hard-coded Credentials
  
   

2 Risk evaluation

Successful exploitation of these vulnerabilities may allow an attacker to escalate privileges, download and upload arbitrary files, and perform remote code execution.

Note that all listed vulnerabilities are in the server-side software that is separated from the infusion pumps. Safety of patients or users is not affected by these vulnerabilities. 

B. Braun has received no reports of exploitation or incidents associated with these vulnerabilities in an actual use environment.
 

3 Technical Details

3.1 Affected Products

The following versions of B. Braun products are affected:

• OnlineSuite AP 3.0 and earlier (including FSI-06-2020 patch)

Other solutions of B. Braun are not affected.

3.2 Vulnerability Overview

3.2.1 Improper Neutralization of Special Elements used in an Expression Language Statement (CWE-917)

An improper neutralization of inputs used in expression language allows remote code execution with the highest privileges on the server.

CVE-2025-3322 has been assigned to this vulnerability. A CVSS v3.1 base score of 10.0 has been assigned
(CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H). A CVSS v4.0 base score of 10.0 has been assigned (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H).
 

3.2.2 Relative Path Traversal (CWE-23)

A missing protection against path traversal allows to access any file on the server.

CVE-2025-3365 has been assigned to this vulnerability. A CVSS v3.1 base score of 9.8 has been assigned
(CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). A CVSS v4.0 base score of 9.2 has been assigned (CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.2.3 Use of Hard-coded Credentials (CWE-798)

A predefined administrative account is not documented and cannot be deactivated. This account cannot be misused from the network, only by local users on the server.

CVE-2025-3321 has been assigned to this vulnerability. A CVSS v3.1 base score of 9.3 has been assigned
(CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H). A CVSS 4.0 base score of 9.4 has been assigned (CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H).

3.3 Background

CRITICAL INFRASTRUCTURE SECTORS: Healthcare and Public Health

COUNTRIES/AREAS DEPLOYED: Worldwide

COMPANY HEADQUARTERS LOCATION: Germany

3.4 Researcher

Fabian Weber and Dr. Florian Hauser with CODE WHITE GmbH reported these vulnerabilities to B. Braun.

4 Mitigations

B. Braun recommends applying updates:

Field Service Information FSI 14-25 “OnlineSuite AP3.0 - Security Fix” provides a patch to these issues.
 

As a general security measure, B. Braun recommends protecting the network with appropriate mechanisms:

Ensure the medical devices are not accessible directly from the internet. Use a firewall and isolate the medical devices from the business network.

Restrict the user access to the server to the minimum required users. Operate the OnlineSuite on a separate server that does not provide other services/applications and has no access to other sensitive data.

5 Contact and further information

Please contact our global product security team at productsecurity@bbraun.com if you have any further questions, require detailed technical information, or have any other support issue concerning the security of our products and services.

If you are a B. Braun customer and need support in mitigating the abovementioned vulnerabilities, please contact your local B. Braun representative.