CPATH-2026-0009 · GENERAL IOT

Swisslog Translogic PTS unsigned firmware update

Provisional. Candidate score (CFSE Consequence Paths 1.0-candidate); pending independent review. Treat as a structured second opinion, not a final rating.
Paths: EMERGENCY · Dominant consequence: FIRMWARE_TRUST_ROOT (authority) · Evidence: EV:2 (report-backed) · Liveness: PARTIALLY_MITIGATED

CPATH ID: CPATH-2026-0009
CVE(s): CVE-2021-37160
Device / class: Swisslog Translogic PTS unsigned firmware update (GENERAL IOT)
Vendor: Swisslog
Dominant consequence: FIRMWARE_TRUST_ROOT (authority)
Paths verdict: EMERGENCY (worst of 2 paths)
Published baseline: v3.1 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H · NVD
Baseline relationship: Paths higher
Consequence dimension(s): #1 #2 #7 #8
Scored: 2026-06-03 · CFSE Consequence Paths v1.0-candidate · validation: provisional
Baseline confidence: high

Consequence Paths

Paths Assessment

Path 1 · authority · FIRMWARE_TRUST_ROOT · EMERGENCY
Reachability RE:4
Complexity EC:4
Consequence FIRMWARE_TRUST_ROOT
Scale SR:4 / SX:4
Verdict EMERGENCY
Reachability 4
Complexity 4
Exposure 4
Physical / safety 3
Data / perception 3
Authority 4
Chainability 4
Reuse scale 4
Execution scale 4
Recovery 4
Evidence EV:2 · report-backed
Liveness PARTIALLY_MITIGATED
Vector CPATH:1.0-candidate/TT:FIRMWARE_TRUST_ROOT/RE:4/EC:4/EX:4/PH:3/DP:3/AT:4/CH:4/SR:4/SX:4/OR:4/EV:2/LS:PARTIALLY_MITIGATED

Path 2 · authority · FLEET_CONTROL_PLANE · EMERGENCY
Reachability RE:4
Complexity EC:4
Consequence FLEET_CONTROL_PLANE
Scale SR:4 / SX:4
Verdict EMERGENCY
Reachability 4
Complexity 4
Exposure 4
Physical / safety 3
Data / perception 2
Authority 3
Chainability 4
Reuse scale 4
Execution scale 4
Recovery 4
Evidence EV:2 · report-backed
Liveness PARTIALLY_MITIGATED
Vector CPATH:1.0-candidate/TT:FLEET_CONTROL_PLANE/RE:4/EC:4/EX:4/PH:3/DP:2/AT:3/CH:4/SR:4/SX:4/OR:4/EV:2/LS:PARTIALLY_MITIGATED

Assessment

CFSE Consequence Paths assesses Swisslog Translogic PTS unsigned firmware update at EMERGENCY — the worst of 2 risk paths (authority). The dominant consequence is loss of the device’s firmware trust root.

Vulnerability

Swisslog Translogic PTS unsigned firmware update. Reported attack vector: Network.

CFSE Consequence Paths analysis

The vulnerability is decomposed into one risk path per terminal consequence. Each path is scored on its exposure (reachability × execution complexity) and on the authority, perception, and physical/safety impact it reaches, together with its scale of reuse, scale of execution, and recoverability.

FIRMWARE_TRUST_ROOT · EMERGENCY

CPATH:1.0-candidate/TT:FIRMWARE_TRUST_ROOT/RE:4/EC:4/EX:4/PH:3/DP:3/AT:4/CH:4/SR:4/SX:4/OR:4/EV:2/LS:PARTIALLY_MITIGATED

Exposure EX=4 (reachability and complexity-bound) · bands PH=CRITICAL · DP=CRITICAL · AT=EMERGENCY → base EMERGENCY · uplift fleet-reachable authority, recall-class recovery → assessed EMERGENCY.

The Nexus Control Panel accepts unauthenticated, unsigned firmware over the network (RE4, network-reachable, AV:N/PR:N). With no signature check, once the protocol is known the upload is a trivial network operation (EC4). Installing attacker-controlled firmware is a root-of-trust failure that grants full, persistent control of the station (AT4). Persistent malicious firmware on stations that move blood, medications and specimens reduces safety margins and enables unsafe actuation of physical transport (PH3). Firmware and proprietary device state is the affected data class (DP3; perception does not directly drive safety decisions, so perception_feeds_action=false). The path crosses network → device → firmware → physical boundaries and is a reusable persistence bridge (CH4, boundary_crossing). The same firmware path exists on every deployed station (SR4). Recovery required a root-of-trust retrofit that could not ship in the main release, i.e. fleet-wide reprovisioning (OR4, recovery_needs_fleet_action=true). Report-backed, not reproduced (EV2). Not known to be exploited in the wild (active_exploitation=false).

FLEET_CONTROL_PLANE · EMERGENCY

CPATH:1.0-candidate/TT:FLEET_CONTROL_PLANE/RE:4/EC:4/EX:4/PH:3/DP:2/AT:3/CH:4/SR:4/SX:4/OR:4/EV:2/LS:PARTIALLY_MITIGATED

Exposure EX=4 (reachability and complexity-bound) · bands PH=CRITICAL · DP=HIGH · AT=CRITICAL → base CRITICAL · uplift fleet-reachable authority, recall-class recovery → assessed EMERGENCY.

The same unsigned-firmware weakness is network-reachable on every station of the PTS (RE4; SX4, fleet-scale remote execution without per-device physical access). The push is a trivial single-protocol operation (EC4). Because all stations share the identical firmware path and lack signature verification, an attacker can install firmware fleet-wide and exercise the deployment’s control plane and command authority over tube routing and station behavior (AT3: service/command authority across the network, rather than a unique signing-root act as in the first path). Fleet-scale manipulation of station availability and tube routing is primarily an operational/availability disruption, with no demonstrated severe individual harm at the control-plane layer (PH2). Logistics and operational state data is the affected class (DP2). Cross-domain, reusable authority transfer across the PTS network (CH4, boundary_crossing). Shared firmware/credential path (SR4). Remediation needs a fleet-wide root-of-trust retrofit (OR4, recovery_needs_fleet_action=true). Report-backed evidence (EV2); partially mitigated; not exploited in the wild.
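The two paths above differ only in a few metrics of their CPATH vector. The following parser is an added example, not CFSE's or the registry's own tooling: it splits a vector string of the shape quoted on this page into its metrics, validates the component set, and reports where two paths diverge. The 0..4 range for numeric metrics is an assumption (the page shows only values 2..4).

```python
# Added example: parse and compare CPATH vectors of the form shown on this page.
# Not part of the CFSE registry or its calculator.

# The two vectors quoted in the assessment above.
VECTOR_FIRMWARE = ("CPATH:1.0-candidate/TT:FIRMWARE_TRUST_ROOT/RE:4/EC:4/EX:4/PH:3/DP:3"
                   "/AT:4/CH:4/SR:4/SX:4/OR:4/EV:2/LS:PARTIALLY_MITIGATED")
VECTOR_FLEET = ("CPATH:1.0-candidate/TT:FLEET_CONTROL_PLANE/RE:4/EC:4/EX:4/PH:3/DP:2"
                "/AT:3/CH:4/SR:4/SX:4/OR:4/EV:2/LS:PARTIALLY_MITIGATED")

# Numeric metrics in the order they appear in the vectors; TT and LS are labels.
NUMERIC_KEYS = ("RE", "EC", "EX", "PH", "DP", "AT", "CH", "SR", "SX", "OR", "EV")
LABEL_KEYS = ("TT", "LS")
MAX_LEVEL = 4  # assumption: numeric metrics are integers in 0..4


def parse_cpath(vector: str) -> dict:
    """Parse one CPATH vector into a dict; reject unknown, duplicate or missing metrics."""
    head, *components = vector.split("/")
    if not head.startswith("CPATH:"):
        raise ValueError("not a CPATH vector: missing 'CPATH:' prefix")
    parsed = {"version": head[len("CPATH:"):]}
    for component in components:
        key, sep, value = component.partition(":")
        if not sep or not value:
            raise ValueError(f"malformed component {component!r}")
        if key in parsed:
            raise ValueError(f"duplicate metric {key!r}")
        if key in NUMERIC_KEYS:
            level = int(value)
            if not 0 <= level <= MAX_LEVEL:
                raise ValueError(f"{key} out of range: {level}")
            parsed[key] = level
        elif key in LABEL_KEYS:
            parsed[key] = value
        else:
            raise ValueError(f"unknown metric {key!r}")
    missing = [k for k in NUMERIC_KEYS + LABEL_KEYS if k not in parsed]
    if missing:
        raise ValueError(f"missing metrics: {missing}")
    return parsed


def diff_paths(vector_a: str, vector_b: str) -> dict:
    """Return the metrics on which two vectors differ, as {metric: (a_value, b_value)}."""
    a, b = parse_cpath(vector_a), parse_cpath(vector_b)
    return {k: (a[k], b[k]) for k in a if a[k] != b[k]}


if __name__ == "__main__":
    for metric, (first, second) in diff_paths(VECTOR_FIRMWARE, VECTOR_FLEET).items():
        print(f"{metric}: path 1 = {first}, path 2 = {second}")
```

For the two vectors on this page the diff is confined to TT, DP and AT; every other metric, including the PARTIALLY_MITIGATED liveness state, is shared.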

Published baseline

The published baseline above is retained for source review. The registry records the reachable consequence path, including deployment-specific cyber-physical consequence, physical/safety impact, scale, and recovery burden.

Sources

Cite this entry: CFSE Consequence Paths Registry v1.0-candidate, entry CPATH-2026-0009 (“Swisslog Translogic PTS unsigned firmware update”), paths.cfse.ai/CPATH-2026-0009 (published 2026-06-03).