CPATH-2026-0003 · MEDICAL IOT
Terminal type: FIRMWARE_TRUST_ROOT (authority)
Vector: CPATH:1.0-candidate/TT:FIRMWARE_TRUST_ROOT/RE:2/EC:3/EX:2/PH:4/DP:3/AT:4/CH:4/SR:4/SX:3/OR:4/EV:3/LS:ACTIVE
Evidence EV:3 (reproduced / report-backed) · Liveness ACTIVE

| Field | Value |
|---|---|
| CPATH ID | CPATH-2026-0003 |
| CVE(s) | CVE-2025-0626, CVE-2025-0683 |
| Device / class | Contec CMS8000 patient monitor (MEDICAL IOT) |
| Vendor | Contec (also sold under rebrands) |
| Dominant consequence | FIRMWARE_TRUST_ROOT (authority) |
| Paths verdict | CRITICAL (worst of 3 paths) |
| Published baseline | CVE-2025-0626: v4.0 7.7 HIGH (CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X) · v3.1 7.5 HIGH (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H); CVE-2025-0683: v4.0 8.2 HIGH (CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X) · v3.1 5.9 MEDIUM (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N); all scores CISA/ICS-CERT via NVD |
| Baseline relationship | Paths score higher than the published baseline |
| Consequence dimension(s) | #2 chain/multi-path · #7 narrative-invariance · #8 recoverability |
| Scored | 2026-06-03 · CFSE Consequence Paths v1.0-candidate · validation: provisional |
| Baseline confidence | high |
Consequence Paths

| Dimension | Terminal type | Vector |
|---|---|---|
| authority | FIRMWARE_TRUST_ROOT | CPATH:1.0-candidate/TT:FIRMWARE_TRUST_ROOT/RE:2/EC:3/EX:2/PH:4/DP:3/AT:4/CH:4/SR:4/SX:3/OR:4/EV:3/LS:ACTIVE |
| Physical/safety | DEVICE_CONTROL_SAFETY | CPATH:1.0-candidate/TT:DEVICE_CONTROL_SAFETY/RE:2/EC:3/EX:2/PH:4/DP:4/AT:3/CH:4/SR:4/SX:3/OR:4/EV:2/LS:ACTIVE |
| perception | DATA_PRIVACY | CPATH:1.0-candidate/TT:DATA_PRIVACY/RE:4/EC:4/EX:4/PH:4/DP:3/AT:2/CH:3/SR:4/SX:4/OR:3/EV:3/LS:ACTIVE |

The Paths model rates all three paths CRITICAL because the device blindly loads unsigned firmware from a hard-coded routable IP. That trust-root failure forks into three distinct terminal harms: firmware control, safety/perception, and PHI egress. The published 7.7 / 8.2 baseline is retained for source review; the Paths drivers are multi-path consequence and hard recovery.
The CMS8000 mounts an NFS share from a hard-coded, routable IP address and copies binaries from it into /opt/bin with no signature check, bringing the network interface up to do so. By default it also beacons plaintext patient data (PHI) to that same hard-coded address. Claroty Team82 reproduced both the unsigned-code load and the PHI egress and, importantly, concluded this is insecure design, not a covert “backdoor.” (CISA ICSMA-25-030-01; Claroty Team82.)
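As an added example (not part of this registry entry or of the cited CISA/Team82 reports), a small Python check that flags the two behaviours described above in flow logs: a device on the patient-monitor VLAN mounting NFS from a routable address, and the same device pushing repeatedly to that address. The VLAN, the beacon threshold and the sample flows are constructed assumptions, and the destination address is a documentation-range placeholder, not the real hard-coded IP.

```python
import ipaddress
from collections import Counter

# Constructed for this example: the VLAN the monitors sit on, the ports an NFS
# mount needs (portmapper 111, NFS 2049) and how many flows to one routable host
# count as a beacon. None of these values come from the advisory.
MONITOR_NET = ipaddress.ip_network("10.40.1.0/24")
NFS_PORTS = {111, 2049}
BEACON_THRESHOLD = 3

# RFC 1918, loopback and link-local are treated as non-routable; everything
# else (including the documentation range used below) counts as routable.
_NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]

def is_routable(addr):
    ip = ipaddress.ip_address(addr)
    return not any(ip in net for net in _NON_ROUTABLE)

def analyse(flows):
    """flows: iterable of (src, dst, dport) tuples. Returns the monitor-to-
    routable NFS flows and the (src, dst) pairs that look like a beacon."""
    nfs_hits, pair_counts = [], Counter()
    for src, dst, dport in flows:
        if ipaddress.ip_address(src) not in MONITOR_NET or not is_routable(dst):
            continue  # not a monitor, or talking to an internal host
        if dport in NFS_PORTS:
            nfs_hits.append((src, dst, dport))
        pair_counts[(src, dst)] += 1
    beacons = sorted(p for p, n in pair_counts.items() if n >= BEACON_THRESHOLD)
    return {"external_nfs": nfs_hits, "beacons": beacons}

# Constructed sample flow records, not captured traffic. 203.0.113.9 (a
# documentation address) stands in for the hard-coded IP the advisory describes;
# port 4321 is a placeholder, the advisory does not state the beacon port.
SAMPLE_FLOWS = [
    ("10.40.1.23", "10.40.1.5", 443),     # monitor to a local server: benign
    ("10.40.1.23", "203.0.113.9", 111),   # portmapper lookup at the routable IP
    ("10.40.1.23", "203.0.113.9", 2049),  # NFS mount at the routable IP
    ("10.40.1.23", "203.0.113.9", 4321),  # repeated pushes to the same host
    ("10.40.1.23", "203.0.113.9", 4321),
    ("10.40.2.7", "203.0.113.9", 2049),   # not on the monitor VLAN: ignored
]

if __name__ == "__main__":
    for name, hits in analyse(SAMPLE_FLOWS).items():
        print(name, hits)
```

In practice the same two conditions map onto an egress-filter rule: monitors have no business reaching any routable address on 111/2049, and an alert on the first match is a cheaper control than waiting for a signed-update path the vendor has not shipped.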
Two bends, neither in the digit. (1) Label/narrative: CISA classed it CWE-912 “hidden functionality” and advised ripping devices off networks; the careful technical read (Team82) is “documented, insecure CMS default.” Same bytes, very different response — supplied by country-of-origin, not code (requirement #7). (2) Collapse: a single 7.7/8.2 cannot represent that one trust-root failure yields three terminal consequences at once, nor that there is no signed-update path to recover (the vendor shipped non-fixes).
The Paths model highlights #2 (chain/multi-path) — one trust-root failure forks into three terminal harms a single number collapses; #8 (recoverability) — there is no signed-update path, so this is hard to fix in place; and #7 (narrative-invariance) — the “backdoor” framing moved the response, not the bytes.
CFSE Consequence Paths Registry v1.0-candidate, entry CPATH-2026-0003 (“Contec CMS8000 — unsigned-firmware load / hard-coded beacon”), paths.cfse.ai/CPATH-2026-0003 (published 2026-06-03).