Assessment
CFSE Consequence Paths assesses GE CARESCAPE / ApexPro patient monitoring (MDhex) - exposed shared SSH private key at EMERGENCY — the worst of 3 risk paths (perception, safety). The dominant consequence is manipulated perception that drives action.
Vulnerability
GE CARESCAPE / ApexPro patient monitoring (MDhex) - exposed shared SSH private key.
CFSE Consequence Paths analysis
The vulnerability is decomposed into one risk path per terminal consequence. Each path is scored on its exposure (reachability × execution complexity) and the authority, perception, and physical/safety it reaches, together with its scale of reuse, scale of execution, and recoverability.
PERCEPTION_TO_ACTION → EMERGENCY
CPATH:1.0-candidate/TT:PERCEPTION_TO_ACTION/RE:4/EC:4/EX:4/PH:4/DP:4/AT:3/CH:4/SR:4/SX:4/OR:4/EV:2/LS:PATCH_AVAILABLE
Exposure EX=4 (reachability and complexity-bound) · bands PH=EMERGENCY · DP=EMERGENCY · AT=CRITICAL → base EMERGENCY · uplift fleet-reachable authority, recall-class recovery → assessed EMERGENCY.
Shared hard-coded SSH key (SR:4) reachable network-wide unauthenticated (RE:4) with trivial connect (EC:4). Once in via SSH the attacker alters monitoring/diagnostic data and alarm thresholds, falsifying the perceived patient state that clinicians act on for life-critical decisions (DP:4 safety-sensor/monitoring state, perception_feeds_action=true, PH:4 credible injury via missed/false alerts). AT:3 = remote interactive software control of monitoring components, not a signing/OTA root. CH:4 cross-domain (network->device->clinical action). SX:4 fleet-scale because identical key reuses across the product line on reachable networks. OR:4 recovery needs firmware that rotates credentials plus fleet network isolation. EV:2 report-backed (CyberMDX/ICS-CERT), no in-the-wild use.
DEVICE_CONTROL_SAFETY → EMERGENCY
CPATH:1.0-candidate/TT:DEVICE_CONTROL_SAFETY/RE:4/EC:4/EX:4/PH:4/DP:3/AT:3/CH:4/SR:4/SX:4/OR:4/EV:2/LS:PATCH_AVAILABLE
Exposure EX=4 (reachability and complexity-bound) · bands PH=EMERGENCY · DP=CRITICAL · AT=CRITICAL → base EMERGENCY · uplift fleet-reachable authority, recall-class recovery → assessed EMERGENCY.
Same universal SSH key (SR:4, RE:4, EC:4) yields full software-level control: silence/disable alarms and render monitors unusable (A:H). Direct safety actuation on life-critical monitoring -> PH:4. AT:3 admin/service-level interactive control over device config/alarm settings (not a root-of-trust/signing key, so not AT:4). DP:3 sensitive operational/firmware-adjacent state touched. CH:4 boundary_crossing across network/device/safety. SX:4 fleet-scalable via shared key; OR:4 requires credential-rotating firmware plus segmentation across the fleet. EV:2 report-backed.
DATA_PRIVACY → CRITICAL
CPATH:1.0-candidate/TT:DATA_PRIVACY/RE:4/EC:4/EX:4/PH:4/DP:3/AT:2/CH:3/SR:4/SX:4/OR:4/EV:2/LS:PATCH_AVAILABLE
Exposure EX=4 (reachability and complexity-bound) · bands PH=EMERGENCY · DP=CRITICAL · AT=CRITICAL → base EMERGENCY · uplift recall-class recovery · caps privacy-only cap → assessed CRITICAL.
SSH access via the shared key (SR:4, RE:4, EC:4) exposes PHI (C:H) -> DP:3 health/PHI data. AT:2 bounded data read via the obtained session. PH:1 privacy harm only, no direct safety. CH:3 chains network access to data exfiltration across boundaries. SX:4 fleet-scale because the same key works against many devices/hospitals without per-device access. OR:4 full recovery requires key rotation via firmware plus isolation across the deployed fleet. EV:2 report-backed disclosure, no confirmed in-the-wild exploitation.
Published baseline
- v3.1 10 CRITICAL —
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H — NVD
The published baseline above is retained for source review. The registry records the reachable consequence path, including deployment-specific cyber-physical consequence, physical/safety impact, scale, and recovery burden.
Sources