CVE-2026-46459
Received Received - Intake

Authentication Bypass in ICU Scandinavia Boomerang

Vulnerability report for CVE-2026-46459, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-15

Last updated on: 2026-07-15

Assigner: CERT.PL

Description

ICU Scandinavia Boomerang is vulnerable to a missing authentication flaw in its device receiver endpoints. This allows an unauthenticated remote attacker to read full facility configurations and write unauthorized data to the sensor database. This issue has been fixed in version 2.4.18.029

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-15
Last Modified
2026-07-15
Generated
2026-07-15
AI Q&A
2026-07-15
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
icu_scandinavia boomerang to 2.4.18.029 (exc)
icu_scandinavia boomerang 2.4.18.029

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

ICU Scandinavia Boomerang has a missing authentication flaw in its device receiver endpoints. This allows unauthenticated remote attackers to read full facility configurations and write unauthorized data to the sensor database.

Impact Analysis

An attacker could access sensitive facility data or manipulate sensor database records, potentially leading to incorrect readings or unauthorized changes in system behavior.

Executive Summary

ICU Scandinavia Boomerang has a missing authentication flaw in its device receiver endpoints. This allows unauthenticated remote attackers to read full facility configurations and write unauthorized data to the sensor database.

Detection Guidance

Detecting this vulnerability requires checking for unauthenticated access to Boomerang device receiver endpoints. Verify if the system is running version 2.4.18.029 or later. Use network scanning tools to identify open ports and endpoints associated with Boomerang devices. Check logs for unusual read/write operations to the sensor database.

Mitigation Strategies

Immediately update Boomerang to version 2.4.18.029 or later to patch the missing authentication flaw. Restrict network access to Boomerang endpoints using firewalls or network segmentation. Monitor for unauthorized access attempts and review database changes for suspicious activity.

Compliance Impact

This vulnerability could lead to unauthorized access to sensitive data, potentially violating GDPR (data protection) or HIPAA (health information privacy) requirements if facility configurations contain regulated data.

Impact Analysis

An attacker could access sensitive facility data, alter sensor readings, or disrupt monitoring systems. This could lead to incorrect temperature logs, missed alarms, or compliance violations in regulated environments like laboratories or food storage.

Compliance Impact

The vulnerability could compromise data integrity and confidentiality, violating GDPR (data protection) and HIPAA (health data privacy). Unauthorized changes to sensor data may also breach GLP/GMP standards for traceability and documentation.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-46459. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart