Assessment
CFSE Consequence Paths assesses Swisslog Translogic TLP20 tcpTxThread stack overflow at CRITICAL — the worst of 2 risk paths (safety). The dominant consequence is influence over a safety-relevant actuation.
Vulnerability
Swisslog Translogic TLP20 tcpTxThread stack overflow. Reported attack vector: Network.
CFSE Consequence Paths analysis
The vulnerability is decomposed into one risk path per terminal consequence. Each path is scored on its exposure (reachability × execution complexity) and the authority, perception, and physical/safety it reaches, together with its scale of reuse, scale of execution, and recoverability.
DEVICE_CONTROL_SAFETY → CRITICAL
CPATH:1.0-candidate/TT:DEVICE_CONTROL_SAFETY/RE:4/EC:3/EX:3/PH:2/DP:3/AT:3/CH:4/SR:4/SX:4/OR:3/EV:2/LS:PATCH_AVAILABLE
Exposure EX=3 (execution complexity-bound) · bands PH=HIGH · DP=HIGH · AT=CRITICAL → base CRITICAL · uplift fleet-reachable authority → assessed CRITICAL.
Unauthenticated network packets to the TLP20 port = RE:4. Stack overflow with return-address control on a flat-memory RTOS with weak mitigations is a standard-to-advanced researcher workflow = EC:3. RCE in the station controller control plane yields full code exec controlling the pneumatic-tube logistics device = AT:3 (control/command authority over the device, but not a signing root or OTA root, so not 4). Physical/safety: this is hospital pneumatic-tube logistics (specimens/meds transport); takeover can mis-route or halt transport, but no credible direct injury or dangerous high-energy actuation is demonstrated, so PH:2. RCE exposes operational/firmware-relevant state = DP:3. Chains across network->device->control-plane and is noted to chain to firmware persistence, crossing boundaries = CH:4, boundary_crossing true. Same parser across stations = SR:4 (portable exploit). Network-reachable, no per-device physical access needed = SX:4. Recovery requires patching to 7.2.5.7 across stations but not a signing-root rotation/recall = OR:3, recovery_needs_fleet_action false. Report-backed = EV:2. Not known exploited in the wild.
DEVICE_AVAILABILITY → CRITICAL
CPATH:1.0-candidate/TT:DEVICE_AVAILABILITY/RE:4/EC:4/EX:4/PH:2/DP:1/AT:2/CH:2/SR:4/SX:4/OR:2/EV:2/LS:PATCH_AVAILABLE
Exposure EX=4 (reachability and complexity-bound) · bands PH=CRITICAL · DP=HIGH · AT=CRITICAL → base CRITICAL → assessed CRITICAL.
Pure DoS variant: same unauthenticated network reach to TLP20 port = RE:4. Crashing the controller via the overflow without needing reliable RCE is trivial/single-malformed-packet = EC:4. Loss of the station controller disrupts hospital logistics availability with no severe harm = PH:2. Availability loss bounds the consequence to the device/component = AT:2. Data/perception minimal (operational) = DP:1. Chains less than full RCE = CH:2, but still crosses network->device boundary = boundary_crossing true. Same parser everywhere = SR:4; remotely reachable across stations = SX:4. Recovery is service restart/patch, no fleet reprovision = OR:2. Report-backed = EV:2. Not exploited in the wild.
Published baseline
- v3.1 9.8 CRITICAL —
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H — NVD
The published baseline above is retained for source review. Paths decomposes the consequence into authority, perception, safety, scale, and recoverability paths rather than using the baseline score as the primary registry frame.
Sources