CVE-2022-26389
Published: 07 February 2025
Summary
CVE-2022-26389 is a high-severity Improper Access Control (CWE-284) vulnerability in Hillrom products (the vendor is inferred from the references). Its CVSS base score is 7.7 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE ranks at the 24.7th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).
Deeper analysis
CVE-2022-26389 is an improper access control vulnerability (CWE-284) that may allow privilege escalation. It affects multiple models of Hillrom/Nationwide/Nihon Kohden resting electrocardiograph devices, including the ELI 380 (versions 2.6.0 and prior), ELI 280/BUR280/MLBUR 280 (versions 2.3.1 and prior), ELI 250c/BUR 250c (versions 2.1.2 and prior), and ELI 150c/BUR 150c/MLBUR 150c (versions 2.2.0 and prior). The vulnerability has a CVSS v3.1 base score of 7.7 (AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:H).
An attacker with low privileges (PR:L) could potentially exploit this vulnerability over the network (AV:N) without user interaction (UI:N), though it requires high attack complexity (AC:H). Successful exploitation would change scope (S:C), enabling limited confidentiality and integrity impacts (C:L/I:L) alongside high availability impact (A:H), consistent with the privilege escalation nature of the flaw.
Mitigation details are available in advisories from Hillrom at https://hillrom.com/en/responsible-disclosures/ and CISA ICSMA-22-167-01 at https://www.cisa.gov/news-events/ics-medical-advisories/icsma-22-167-01.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-30948
Vulnerability details
An improper access control vulnerability may allow privilege escalation. This issue affects:
- ELI 380 Resting Electrocardiograph: Versions 2.6.0 and prior
- ELI 280/BUR280/MLBUR 280 Resting Electrocardiograph: Versions 2.3.1 and prior
- ELI 250c/BUR 250c Resting Electrocardiograph: Versions 2.1.2 and prior
- ELI 150c/BUR 150c/MLBUR 150c Resting Electrocardiograph: Versions 2.2.0 and prior
- CWE(s): CWE-284 (Improper Access Control)
Related Threats
MITRE ATT&CK Enterprise Techniques
- Exploitation for Privilege Escalation (T1068)
Why these techniques?
A direct improper access control flaw enabling local privilege escalation on network-accessible devices.
Mitigating Controls (NIST 800-53 r5)
- AC-3 (Access Enforcement): Directly enforces approved authorizations for access to system resources, preventing the improper access control that enables privilege escalation in the affected electrocardiograph devices.
- AC-6 (Least Privilege): Restricts privileges to the minimum necessary, limiting the impact and success of privilege escalation attempts by low-privileged attackers exploiting this vulnerability.
- Flaw remediation (control id not stated on this page): Identifies, prioritizes, and corrects the specific access control flaw through timely patching of vulnerable firmware versions in the ELI series electrocardiographs, as advised by the vendors.