CFSE Consequence Paths Registry · v1.0-candidate
Cyber-Physical Consequence Registry
A v1.0-candidate registry for cyber-physical vulnerabilities in medical devices, IoT, robotics, autonomous systems, and AR. The registry records what a flaw can make reachable in context: authority, perception, physical/safety harm, systemic reach, and recovery burden. Separate consequence paths keep those harms from collapsing into one opaque number.
Status: v1.0-candidate. Entries are structured second opinions unless marked confirmed.
CFSE Consequence Paths is a consequence-characterization layer, not an accuracy claim or a standalone remediation priority. Independent validation is open. Published external scores are retained as a published baseline where available, but the primary browsing surface is the Paths model.
The table foregrounds each entry's dominant consequence before the published baseline.
40 vulnerabilities assessed · 10 emergency · 23 critical · 26 physical/safety paths · 17 authority paths · 26 perception paths
| ID | Product | Vendor | Domain | Dominant consequence | Band | Families | Published baseline |
|---|---|---|---|---|---|---|---|
| CPATH-2026-0001 | Qardio Arm blood-pressure monitor + iOS app | Qardio | WEARABLE HEALTH | ACCOUNT_AUTHORITY (authority) | CRITICAL | | 6.6 MEDI |
| CPATH-2026-0002 | Baxter Life2000 Ventilation System + Service PC | Baxter (vendor self-disclosure) | MEDICAL IOT | OBSERVABILITY_RECOVERY_ONLY (other) | MONITOR | O | 10 CRIT |
| CPATH-2026-0003 | Contec CMS8000 patient monitor | Contec (also sold under rebrands) | MEDICAL IOT | FIRMWARE_TRUST_ROOT (authority) | CRITICAL | SP | 8.2 HIGH |
| CPATH-2026-0004 | Baxter Life2000 internal JTAG flash R/W | Baxter | MEDICAL IOT | DEVICE_CONTROL_SAFETY (safety) | CRITICAL | S | 9.3 CRIT |
| CPATH-2026-0005 | Baxter Life2000 hard-coded clinician credentials | Baxter | MEDICAL IOT | ACCOUNT_AUTHORITY (authority) | CRITICAL | S | 9.3 CRIT |
| CPATH-2026-0006 | Contec CMS8000 out-of-bounds write via UDP | Contec | MEDICAL IOT | DEVICE_CONTROL_SAFETY (safety) | EMERGENCY | S | 9.8 CRIT |
| CPATH-2026-0007 | Qardio BLE unauthenticated DoS (startMeasurement flood) | Qardio | WEARABLE HEALTH | DEVICE_AVAILABILITY (safety) | ELEVATED | S | 7.1 HIGH |
| CPATH-2026-0008 | Qardio firmware files extractable | Qardio | WEARABLE HEALTH | DATA_PRIVACY (perception) | HIGH | P | 6.9 MEDI |
| CPATH-2026-0009 | Swisslog Translogic PTS unsigned firmware update | Swisslog | GENERAL IOT | FIRMWARE_TRUST_ROOT (authority) | EMERGENCY | | 9.8 CRIT |
| CPATH-2026-0010 | Swisslog Translogic TLP20 tcpTxThread stack overflow | Swisslog | GENERAL IOT | DEVICE_CONTROL_SAFETY (safety) | CRITICAL | S | 9.8 CRIT |
| CPATH-2026-0011 | SideQuest deep-link one-click RCE on Oculus Quest sideloading platform (CVE-2024-21625) | Meta | SMART GLASSES AR | PERCEPTION_TO_ACTION (perception) | CRITICAL | P | 8.8 HIGH |
| CPATH-2026-0012 | Inception Attack: malicious VR app hijacks the entire Meta Quest environment (UChicago, 2024) | Meta | SMART GLASSES AR | PERCEPTION_TO_ACTION (perception) | CRITICAL | P | none |
| CPATH-2026-0013 | Apple Vision Pro (visionOS · Persona avatar) | Apple | SMART GLASSES AR | PERCEPTION_PRIVACY (perception) | CRITICAL | P | 5.3 MEDI |
| CPATH-2026-0014 | HoloLens Broadcom Wi-Fi over-the-air RCE/DoS (ADV190017: CVE-2019-9501/9503) | Microsoft | SMART GLASSES AR | DEVICE_CONTROL_SAFETY (safety) | CRITICAL | S | 8.8 HIGH |
| CPATH-2026-0015 | HoloLens Device Portal pairing-API unauthenticated DoS (CVE-2024-57972) | Microsoft | SMART GLASSES AR | DEVICE_AVAILABILITY (safety) | CRITICAL | S | 6.5 MEDI |
| CPATH-2026-0016 | Face-Mic: zero-permission motion-sensor speech and speaker-identity eavesdropping on AR/VR headsets (Rutgers/NJIT, 2021) | Meta | SMART GLASSES AR | PERCEPTION_PRIVACY (perception) | CRITICAL | P | none |
| CPATH-2026-0017 | PX4 Autopilot MAVLink Unauthenticated Remote Shell (CVE-2026-1579) | PX4 / Dronecode | DRONE AV | DEVICE_CONTROL_SAFETY (safety) | EMERGENCY | SP | 9.8 CRIT |
| CPATH-2026-0018 | Tesla Model 3 VCSEC TPMS Integer Overflow RCE (CVE-2025-2082) | Tesla | DRONE AV | PERCEPTION_TO_ACTION (perception) | CRITICAL | PS | 7.5 HIGH |
| CPATH-2026-0019 | Tesla Model 3 Gateway Firmware Signature-Bypass / TOCTTOU Code Execution (CVE-2023-32156) | Tesla | DRONE AV | DEVICE_CONTROL_SAFETY (safety) | CRITICAL | S | 9 CRIT |
| CPATH-2026-0020 | DJI Mavic 3 Wi-Fi Weak Credentials / QuickTransfer Key Derivation (CVE-2023-6951) | DJI | DRONE AV | PERCEPTION_PRIVACY (perception) | CRITICAL | P | 6.6 MEDI |
| CPATH-2026-0021 | Phantom of the ADAS: Projected/Billboard Phantom Object Attacks on Tesla Autopilot and Mobileye | Tesla | DRONE AV | DEVICE_CONTROL_SAFETY (safety) | CRITICAL | SP | none |
| CPATH-2026-0022 | GPS/GNSS Spoofing Safe-Hijacking of Consumer Drones (Adaptive GPS Spoofing / Tractor Beam class) | GNSS (multi-vendor) | DRONE AV | PERCEPTION_TO_ACTION (perception) | CRITICAL | PS | none |
| CPATH-2026-0023 | Unitree UniPwn: BLE Wi-Fi config root takeover (Go2/B2/G1/H1) | Unitree | ROBOTICS HUMANOID | FLEET_CONTROL_PLANE (authority) | EMERGENCY | P | 8.2 HIGH |
| CPATH-2026-0024 | Unitree Go2 unauthenticated DDS RCE via programming_actuator topic (CVE-2026-27509) | Unitree | ROBOTICS HUMANOID | DEVICE_CONTROL_SAFETY (safety) | CRITICAL | SP | 8.5 HIGH |
| CPATH-2026-0025 | Unitree Go2 Android-app database tampering RCE (CVE-2026-27510) | Unitree | ROBOTICS HUMANOID | PERCEPTION_PRIVACY (perception) | CRITICAL | SP | 9.6 CRIT |
| CPATH-2026-0026 | Unitree Go1 CloudSail undocumented remote-access backdoor (CVE-2025-2894) | Unitree | ROBOTICS HUMANOID | DEVICE_CONTROL_SAFETY (safety) | EMERGENCY | SP | 6.6 MEDI |
| CPATH-2026-0027 | Universal Robots PolyScope 5 Dashboard Server OS command injection (CVE-2026-8153) | Universal Robots | ROBOTICS HUMANOID | DEVICE_CONTROL_SAFETY (safety) | EMERGENCY | S | 9.8 CRIT |
| CPATH-2026-0028 | Teleoperated surgical robot (Raven II) command hijacking & E-stop abuse | University of Washington (Raven II) | ROBOTICS HUMANOID | PERCEPTION_TO_ACTION (perception) | CRITICAL | PS | none |
| CPATH-2026-0029 | Hikvision IP camera / NVR unauthenticated command injection (CVE-2021-36260) | Hikvision | GENERAL IOT | PERCEPTION_TO_ACTION (perception) | EMERGENCY | P | 9.8 CRIT |
| CPATH-2026-0030 | Dahua IP camera / VTH / VTO authentication bypass (CVE-2021-33044) | Dahua | GENERAL IOT | DEVICE_CONTROL_SAFETY (safety) | EMERGENCY | SP | 9.8 CRIT |
| CPATH-2026-0031 | TP-Link Archer AX21 (AX1800) router unauthenticated command injection (CVE-2023-1389) | TP-Link | GENERAL IOT | ACCOUNT_AUTHORITY (authority) | EMERGENCY | P | 8.8 HIGH |
| CPATH-2026-0032 | Moxa PT/EDS industrial Ethernet switch authentication bypass (CVE-2024-12297) | Moxa | GENERAL IOT | ACCOUNT_AUTHORITY (authority) | HIGH | SP | 9.2 CRIT |
| CPATH-2026-0033 | Chirp Systems / Chirp Access smart-lock app hardcoded credentials (CVE-2024-2197) | Chirp Systems | GENERAL IOT | ACCOUNT_AUTHORITY (authority) | HIGH | S | 4.3 MEDI |
| CPATH-2026-0034 | August Smart Lock Pro + Connect Wi-Fi password disclosure via hardcoded key (CVE-2019-17098) | August | GENERAL IOT | DATA_PRIVACY (perception) | HIGH | P | 6.5 MEDI |
| CPATH-2026-0035 | Medtronic Conexus RF telemetry protocol lacks authentication/encryption (implantable cardiac devices) | Medtronic | MEDICAL IOT | DEVICE_CONTROL_SAFETY (safety) | CRITICAL | SP | 9.3 CRIT |
| CPATH-2026-0036 | Medtronic MiniMed 508 / Paradigm insulin pumps: unauthenticated RF allows insulin delivery control | Medtronic | MEDICAL IOT | DEVICE_CONTROL_SAFETY (safety) | CRITICAL | SP | 8.8 HIGH |
| CPATH-2026-0037 | Medtronic MiniMed / NGP 600 series insulin pumps: RF pairing protocol allows bolus/delivery manipulation | Medtronic | MEDICAL IOT | DEVICE_CONTROL_SAFETY (safety) | CRITICAL | S | 4.8 MEDI |
| CPATH-2026-0038 | GE CARESCAPE / ApexPro patient monitoring (MDhex): exposed shared SSH private key | GE HealthCare | MEDICAL IOT | PERCEPTION_TO_ACTION (perception) | EMERGENCY | PS | 10 CRIT |
| CPATH-2026-0039 | Baxter Sigma Spectrum WBM: cleartext Wi-Fi credentials and PHI | Baxter | MEDICAL IOT | ACCOUNT_AUTHORITY (authority) | HIGH | P | 4.2 MEDI |
| CPATH-2026-0040 | B. Braun Infusomat/Perfusor Space (SpaceCom2 / Battery pack SP with Wi-Fi): remote unauthenticated dose alteration | B. Braun | MEDICAL IOT | DEVICE_CONTROL_SAFETY (safety) | CRITICAL | SP | 10 CRIT |