CVE-2019-25719
Network Message Handling Flaws in Dräger Infinity Acute Care System
Publication date: 2026-06-02
Last updated on: 2026-06-02
Assigner: VulnCheck
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| dräger | infinity_acute_care_system | * |
| dräger | standalone_infinity_m540 | up to VG4.1.1 (inclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-924 | The product establishes a communication channel with an endpoint and receives a message from that endpoint, but it does not sufficiently ensure that the message was not modified during transmission. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2019-25719 affects Dräger Infinity Acute Care System and Standalone Infinity M540 patient monitors running software versions VG4.1.1, VG4.0.3, and lower.
The vulnerability involves improper enforcement of message integrity during transmission, which allows network-adjacent attackers to spoof or tamper with data and cause denial-of-service conditions.
Attackers with access to an enabled Infinity network port or physical proximity to a wireless access point can modify device settings such as alarm states or alarm limits, and overwhelm the system with incoming data, causing the device to reboot and lose network functionality.
How can this vulnerability impact me?
This vulnerability can allow attackers to spoof or tamper with critical patient monitor data, potentially leading to incorrect alarm states or alarm limits.
Attackers can also cause denial-of-service conditions by overwhelming the device with data, causing it to reboot and lose network functionality.
Such impacts could disrupt patient monitoring, delay medical responses, and compromise patient safety.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, restrict access to enabled Infinity network ports and limit physical proximity to wireless access points connected to the affected devices.
Monitor network traffic to and from Dräger Infinity Acute Care System and Standalone Infinity M540 patient monitors to detect unusual or overwhelming incoming data that could cause denial-of-service conditions.
Consider isolating the affected devices on a secure network segment to prevent unauthorized network-adjacent attackers from tampering with device settings such as alarm states or alarm limits.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability in Dräger Infinity Acute Care System and Standalone Infinity M540 patient monitors allows attackers to spoof or tamper with data and cause denial-of-service conditions, including modifying alarm states or limits and causing device reboots.
Such unauthorized data tampering and denial of service could potentially impact compliance with standards and regulations like GDPR and HIPAA, which require the protection of patient data integrity, availability, and confidentiality in healthcare environments.
However, the provided information does not explicitly discuss the direct impact of this vulnerability on compliance with these or other common standards and regulations.