
CVE-2022-26389

Severity: High
Published: 07 February 2025
Modified: 15 April 2026
KEV Added: not listed
Patch: see vendor advisory under References
CVSS Score v3.1: 7.7 (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:H)
EPSS Score: 0.0008 (24.7th percentile)
Risk Priority: 15 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2022-26389 is a high-severity Improper Access Control (CWE-284) vulnerability in Hillrom resting electrocardiograph devices (the vendor is inferred from the references, as NVD filed no CPE for this CVE). Its CVSS base score is 7.7 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). Its EPSS score places it at the 24.7th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).

Deeper analysis

CVE-2022-26389 is an improper access control vulnerability (CWE-284) that may allow privilege escalation. It affects multiple models of Hillrom/Nationwide/Nihon Kohden resting electrocardiograph devices, including the ELI 380 (versions 2.6.0 and prior), ELI 280/BUR280/MLBUR 280 (versions 2.3.1 and prior), ELI 250c/BUR 250c (versions 2.1.2 and prior), and ELI 150c/BUR 150c/MLBUR 150c (versions 2.2.0 and prior). The vulnerability has a CVSS v3.1 base score of 7.7 (AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:H).

An attacker with low privileges (PR:L) could potentially exploit this vulnerability over the network (AV:N) without user interaction (UI:N), though it requires high attack complexity (AC:H). Successful exploitation would change scope (S:C), enabling limited confidentiality and integrity impacts (C:L/I:L) alongside high availability impact (A:H), consistent with the privilege escalation nature of the flaw.

Mitigation details are available in advisories from Hillrom at https://hillrom.com/en/responsible-disclosures/ and CISA ICSMA-22-167-01 at https://www.cisa.gov/news-events/ics-medical-advisories/icsma-22-167-01.


Vulnerability details

An improper access control vulnerability may allow privilege escalation. This issue affects:

* ELI 380 Resting Electrocardiograph: Versions 2.6.0 and prior;
* ELI 280/BUR280/MLBUR 280 Resting Electrocardiograph: Versions 2.3.1 and prior;
* ELI 250c/BUR 250c Resting Electrocardiograph: Versions 2.1.2 and prior;
* ELI 150c/BUR 150c/MLBUR 150c Resting Electrocardiograph: Versions 2.2.0 and prior.

CWE(s)

CWE-284 Improper Access Control

Related Threats

MITRE ATT&CK Enterprise Techniques

T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

Direct improper access control flaw enabling local privilege escalation on network-accessible devices.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-48898 · Shared CWE-284
CVE-2026-25176 · Shared CWE-284
CVE-2026-48899 · Shared CWE-284
CVE-2026-37526 · Shared CWE-284
CVE-2024-56883 · Shared CWE-284
CVE-2026-42823 · Shared CWE-284
CVE-2026-0844 · Shared CWE-284
CVE-2026-41086 · Shared CWE-284
CVE-2026-35242 · Shared CWE-284
CVE-2026-33834 · Shared CWE-284

Affected Assets

Hillrom (vendor inferred from references and description; NVD did not file a CPE for this CVE)

Mitigating Controls (NIST 800-53 r5)

prevent · AC-3 (Access Enforcement)

Directly enforces approved authorizations for access to system resources, preventing the improper access control that enables privilege escalation in affected electrocardiograph devices.

prevent · AC-6 (Least Privilege)

Restricts privileges to the minimum necessary, limiting the impact and success of privilege escalation attempts by low-privileged attackers exploiting this vulnerability.

prevent · recover

Identifies, prioritizes, and corrects the specific access control flaw through timely patching of vulnerable firmware versions in the ELI series electrocardiographs as advised by vendors.

References