High-Severity Authentication Bug Identified in Hillrom Welch Allyn Cardio Products
HIPAA Journal
Steve Alder
A high-severity vulnerability has been identified in certain Hillrom Welch Allyn Cardio products that allows accounts to be accessed without a password.
The vulnerability is an authentication bypass issue that exists when the Hillrom cardiology products have been configured to use single sign-on (SSO). With SSO configured, the application accepts the manual entry of any Active Directory (AD) account provisioned within it and grants access without requiring the associated password. That means a remote attacker could access the application under the entered AD account and gain all of the privileges associated with that account.
The vulnerability is tracked as CVE-2021-43935 and has been assigned a CVSS v3 base score of 8.1 out of 10.
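To illustrate the bug class the advisory describes (an SSO-mode login path that trusts a manually entered AD account name instead of an identity verified by the identity provider), the following is an added, hypothetical example; it is not Hillrom's code and does not reflect how the affected products are implemented. The account directory, password hashes, and the HMAC-signed "assertion" standing in for a real SAML/OIDC token are all constructed for the demo. The flawed handler is shown beside a hardened one that only derives the identity from a verified assertion:

```python
import hashlib
import hmac
import json
import secrets
from typing import Optional

# ---- Constructed sample data (not from the advisory) -----------------------
# AD accounts provisioned in the application, with salted PBKDF2 password
# hashes for the non-SSO (local password) path.
_SALT = b"constructed-salt-for-demo"


def _hash_password(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)


PROVISIONED_ACCOUNTS = {
    "jdoe":  {"role": "clinician",     "pw_hash": _hash_password("correct-horse")},
    "admin": {"role": "administrator", "pw_hash": _hash_password("s3cret-admin")},
}

# Stand-in for the identity provider's signing key (a real SSO deployment
# would verify a SAML/OIDC assertion against the IdP's certificate).
IDP_SIGNING_KEY = secrets.token_bytes(32)


class AuthError(Exception):
    pass


def _check_password(username: str, password: Optional[str]) -> dict:
    account = PROVISIONED_ACCOUNTS.get(username)
    if account is None or password is None:
        raise AuthError("unknown account or missing password")
    if not hmac.compare_digest(_hash_password(password), account["pw_hash"]):
        raise AuthError("bad password")
    return {"user": username, "role": account["role"]}


def login_vulnerable(username: str, password: Optional[str], sso_enabled: bool) -> dict:
    """Hypothetical flawed handler showing the bug class: with SSO configured,
    a manually entered name of any provisioned AD account is accepted as an
    authenticated session, and the password path is never reached."""
    if sso_enabled:
        account = PROVISIONED_ACCOUNTS.get(username)
        if account is None:
            raise AuthError("unknown account")
        # BUG: the form-supplied account name is trusted as if the IdP had
        # authenticated it; no credential or assertion is ever checked.
        return {"user": username, "role": account["role"]}
    return _check_password(username, password)


def idp_issue_assertion(username: str, key: bytes = IDP_SIGNING_KEY) -> str:
    """Stand-in IdP: returns a signed statement that `username` authenticated."""
    body = json.dumps({"sub": username}, separators=(",", ":")).encode()
    sig = hmac.new(key, body, hashlib.sha256).hexdigest()
    return body.hex() + "." + sig


def _verify_assertion(token: str, key: bytes) -> str:
    try:
        body_hex, sig = token.split(".", 1)
        body = bytes.fromhex(body_hex)
    except ValueError as exc:
        raise AuthError("malformed assertion") from exc
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):
        raise AuthError("assertion signature invalid")
    return json.loads(body)["sub"]


def login_hardened(username: Optional[str], password: Optional[str], sso_enabled: bool,
                   assertion: Optional[str] = None, idp_key: bytes = IDP_SIGNING_KEY) -> dict:
    """Hardened handler: in SSO mode the identity comes only from a verified
    IdP assertion; the form-supplied username is ignored entirely."""
    if sso_enabled:
        if assertion is None:
            raise AuthError("SSO mode requires an IdP assertion")
        subject = _verify_assertion(assertion, idp_key)
        account = PROVISIONED_ACCOUNTS.get(subject)
        if account is None:
            raise AuthError("asserted subject is not provisioned")
        return {"user": subject, "role": account["role"]}
    if username is None:
        raise AuthError("username required")
    return _check_password(username, password)


def try_login(handler, **kwargs) -> str:
    """Returns the granted role, or 'DENIED' if the handler rejects the attempt."""
    try:
        return handler(**kwargs)["role"]
    except AuthError:
        return "DENIED"


if __name__ == "__main__":
    # Vulnerable: SSO mode grants the admin account with no password at all.
    print(try_login(login_vulnerable, username="admin", password=None, sso_enabled=True))
    # Hardened: the same request is denied; only a genuine IdP assertion works.
    print(try_login(login_hardened, username="admin", password=None, sso_enabled=True))
    print(try_login(login_hardened, username=None, password=None, sso_enabled=True,
                    assertion=idp_issue_assertion("admin")))
```

The defensive point is in `login_hardened`: when SSO is the configured mode, the application must have no code path that turns a user-typed account name into a session, and it should also refuse assertions it cannot verify against the IdP's key. Operationally, a review of authentication logs for SSO-mode logins that carry no corresponding IdP assertion or IdP-side sign-in event is one way to check for this class of weakness in deployed systems.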
According to Hillrom, the vulnerability affects the following Hillrom Welch Allyn cardiology products: