CPATH-2026-0040 · MEDICAL IOT · Physical/safety · DEVICE_CONTROL_SAFETY
Vector: CPATH:1.0-candidate/TT:DEVICE_CONTROL_SAFETY/RE:4/EC:2/EX:2/PH:4/DP:3/AT:3/CH:4/SR:3/SX:4/OR:3/EV:3/LS:PATCH_AVAILABLE
Evidence EV:3 (reproduced / report-backed) · Liveness PATCH_AVAILABLE

| Field | Value |
| --- | --- |
| CPATH ID | CPATH-2026-0040 |
| CVE(s) | CVE-2021-33885 |
| Device / class | B. Braun Infusomat/Perfusor Space (SpaceCom2 / Battery pack SP with Wi-Fi) - remote unauthenticated dose alteration (MEDICAL IOT) |
| Vendor | B. Braun |
| Dominant consequence | DEVICE_CONTROL_SAFETY (Physical/safety) |
| Paths verdict | CRITICAL (worst of 2 paths) |
| Published baseline | v3.1 10.0 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N (MITRE via NVD); v3.1 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (NVD) |
| Baseline relationship | ◀▶ comparable |
| Consequence dimension(s) | #1 #2 #7 |
| Scored | 2026-06-03 · CFSE Consequence Paths v1.0-candidate · validation: provisional |
| Baseline confidence | high |
Consequence Paths

Path 1 (safety): CPATH:1.0-candidate/TT:DEVICE_CONTROL_SAFETY/RE:4/EC:2/EX:2/PH:4/DP:3/AT:3/CH:4/SR:3/SX:4/OR:3/EV:3/LS:PATCH_AVAILABLE
Path 2 (perception): CPATH:1.0-candidate/TT:DATA_PRIVACY/RE:4/EC:3/EX:3/PH:4/DP:3/AT:2/CH:2/SR:2/SX:4/OR:3/EV:3/LS:PATCH_AVAILABLE

CFSE Consequence Paths assesses B. Braun Infusomat/Perfusor Space (SpaceCom2 / Battery pack SP with Wi-Fi) - remote unauthenticated dose alteration at CRITICAL, the worst of its 2 risk paths (safety, perception). The dominant consequence is influence over a safety-relevant actuation.
The vulnerability is decomposed into one risk path per terminal consequence. Each path is scored on its exposure (reachability × execution complexity) and the authority, perception, and physical/safety it reaches, together with its scale of reuse, scale of execution, and recoverability.
DEVICE_CONTROL_SAFETY → CRITICAL
Vector: CPATH:1.0-candidate/TT:DEVICE_CONTROL_SAFETY/RE:4/EC:2/EX:2/PH:4/DP:3/AT:3/CH:4/SR:3/SX:4/OR:3/EV:3/LS:PATCH_AVAILABLE

Exposure EX=2 (execution complexity-bound) · bands PH=CRITICAL · DP=HIGH · AT=HIGH → base CRITICAL · uplift: fleet-reachable authority → assessed CRITICAL.

- RE:4: remote unauthenticated network reachability on the hospital LAN/Wi-Fi (AV:N/PR:N/UI:N).
- EC:2: the keystone data-authenticity flaw is AC:L on its own, but the demonstrated patient-harm outcome requires assembling the five-bug chain (configuration/drug-library write plus SpaceCom privilege escalation and command execution). The chain was reproduced on real hardware, so it is advanced but reproducible.
- PH:4: silent drug-library/configuration modification while the pump is in standby causes the next infusion to deliver an unexpected dose. This is a direct, credible patient-injury pathway, and both staff and the pump perceive the dose as correct (perception_feeds_action true).
- AT:3: the chain yields unauthenticated write access to pump configuration plus command execution/privilege escalation on the SpaceCom module (admin/service-level control of command and configuration). It is not a true signing-root or OTA-root compromise, so not AT:4.
- DP:3: exposure of firmware, configuration and operational state feeds the attack.
- CH:4 with boundary_crossing: the chain crosses network → device → configuration → physical/therapy domains, a reusable cross-domain authority transfer.
- SR:3: a shared same-model firmware/configuration weakness, portable across the deployment, but not a single shared signing key (which would be SR:4).
- SX:4: network-based and unauthenticated, so many same-model pumps can be targeted facility-wide without per-device physical or proximity access.
- OR:3: remediation needs vendor patches (Battery Pack SP / SpaceCom2 firmware) plus network hardening across affected devices, but not a recall or signing-root rotation, so not OR:4.
- EV:3: reproduced by Trellix; no confirmed in-the-wild use, so active_exploitation false.
- LS: PATCH_AVAILABLE.
DATA_PRIVACY → CRITICAL
Vector: CPATH:1.0-candidate/TT:DATA_PRIVACY/RE:4/EC:3/EX:3/PH:4/DP:3/AT:2/CH:2/SR:2/SX:4/OR:3/EV:3/LS:PATCH_AVAILABLE

Exposure EX=3 (execution complexity-bound) · bands PH=CRITICAL · DP=HIGH · AT=HIGH → base CRITICAL · cap: privacy-only → assessed CRITICAL.

- RE:4: the same remote unauthenticated network position as the safety path.
- EC:3: reading device configuration and operational data over the network is a standard researcher workflow once positioned.
- DP:3: the C:H in the CVSS baseline reflects exposure of device configuration and operational state (firmware/proprietary/sensitive-operational-state class), not biometric or health-record data or a sensitive navigation/world-model (which would be DP:4).
- PH:0: no safety or physical effect on this pure-confidentiality path; the exposed data is configuration and telemetry that does not drive a physical/safety decision, so perception_feeds_action false. (Note that the path vector as printed above carries PH:4; the narrative scoring here is PH:0.)
- AT:2: bounded read/component-level access to device state.
- CH:2 with boundary_crossing: crosses the network → device application boundary and can feed the safety chain, but on its own is a bounded read.
- SR:2: same-model configuration exposure, portable telemetry-level knowledge, not a shared key.
- SX:4: the unauthenticated network read scales fleet-wide across same-model pumps.
- OR:3: the same firmware and network-hardening remediation as the safety path.
- EV:3: reproduced; no in-the-wild exploitation.
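The two path vectors above are compact enough to check mechanically. The following is an added example, not CFSE tooling: it parses the CPATH vector format as printed on this page and cross-checks each vector against the metric values the narrative assigns. Two points are assumptions rather than anything the registry states: that numeric metrics range over 0..4, and that exposure EX is the smaller of RE and EC (consistent with both paths here, which print RE:4/EC:2 → EX:2 and RE:4/EC:3 → EX:3 and are both labelled "execution complexity-bound"). The metric key list is taken from the vectors on the page.

```python
"""Parse CPATH:<version>/KEY:VALUE/... vectors and cross-check them against
the narrative scoring.

Added example, not CFSE's own tooling.  Assumptions not stated on the page:
numeric metrics are integers 0..4, and EX = min(RE, EC), which matches both
paths printed above.
"""
import re

# Metric keys present in the page's vector strings.
NUMERIC_KEYS = ("RE", "EC", "EX", "PH", "DP", "AT", "CH", "SR", "SX", "OR", "EV")
TEXT_KEYS = ("TT", "LS")


def parse_cpath(vector: str) -> dict:
    """Return {'version': str, 'TT': str, 'LS': str, 'RE': int, ...}.

    Raises ValueError on a bad prefix, unknown or duplicate keys, values
    outside the assumed 0..4 range, or missing metrics.
    """
    head, _, rest = vector.partition("/")
    m = re.fullmatch(r"CPATH:([\w.\-]+)", head)
    if not m:
        raise ValueError(f"bad prefix: {head!r}")
    out = {"version": m.group(1)}
    for field in rest.split("/"):
        key, sep, value = field.partition(":")
        if not sep or key in out:
            raise ValueError(f"malformed or duplicate field {field!r}")
        if key in TEXT_KEYS:
            out[key] = value
        elif key in NUMERIC_KEYS:
            if not value.isdigit() or not 0 <= int(value) <= 4:  # range is an assumption
                raise ValueError(f"{key} out of range: {value!r}")
            out[key] = int(value)
        else:
            raise ValueError(f"unknown metric {key!r}")
    missing = [k for k in NUMERIC_KEYS + TEXT_KEYS if k not in out]
    if missing:
        raise ValueError(f"missing metrics: {missing}")
    return out


def exposure(path: dict) -> tuple[int, str]:
    """EX as the binding minimum of RE and EC (assumed rule, see module docstring)."""
    ex = min(path["RE"], path["EC"])
    if path["EC"] < path["RE"]:
        bound = "execution complexity-bound"
    elif path["RE"] < path["EC"]:
        bound = "reachability-bound"
    else:
        bound = "balanced"
    return ex, bound


def check_path(path: dict, narrative: dict) -> list[str]:
    """List metrics where the printed vector disagrees with the prose scoring."""
    problems = []
    ex, _ = exposure(path)
    if path["EX"] != ex:
        problems.append(f"EX printed {path['EX']} but min(RE,EC)={ex}")
    for key, val in narrative.items():
        if path[key] != val:
            problems.append(f"{key} printed {path[key]} but narrative scores {val}")
    return problems


# The two path vectors exactly as printed on this page.
SAFETY = ("CPATH:1.0-candidate/TT:DEVICE_CONTROL_SAFETY/RE:4/EC:2/EX:2/PH:4/DP:3"
          "/AT:3/CH:4/SR:3/SX:4/OR:3/EV:3/LS:PATCH_AVAILABLE")
PRIVACY = ("CPATH:1.0-candidate/TT:DATA_PRIVACY/RE:4/EC:3/EX:3/PH:4/DP:3"
           "/AT:2/CH:2/SR:2/SX:4/OR:3/EV:3/LS:PATCH_AVAILABLE")

# Values the narrative paragraphs assign; PH:0 on the privacy path is what the prose says.
SAFETY_NARRATIVE = {"RE": 4, "EC": 2, "PH": 4, "AT": 3, "DP": 3, "CH": 4,
                    "SR": 3, "SX": 4, "OR": 3, "EV": 3}
PRIVACY_NARRATIVE = {"RE": 4, "EC": 3, "DP": 3, "PH": 0, "AT": 2, "CH": 2,
                     "SR": 2, "SX": 4, "OR": 3, "EV": 3}

if __name__ == "__main__":
    for name, vec, narr in (("safety", SAFETY, SAFETY_NARRATIVE),
                            ("privacy", PRIVACY, PRIVACY_NARRATIVE)):
        p = parse_cpath(vec)
        print(name, p["TT"], "EX", *exposure(p), "issues:", check_path(p, narr) or "none")
```

Run as a script it reports no issues for the safety path and flags the PH mismatch on the privacy path, which is the discrepancy noted in the narrative above; the parser rejects any vector with an unknown key or an out-of-range value rather than silently scoring it.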
Published baselines, retained for source review:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N (MITRE via NVD)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (NVD)

Consequence Paths decomposes the consequence into authority, perception, safety, scale, and recoverability paths rather than using the baseline score as the primary registry frame.
CFSE Consequence Paths Registry v1.0-candidate, entry CPATH-2026-0040 (“B. Braun Infusomat/Perfusor Space (SpaceCom2 / Battery pack SP with Wi-Fi) - remote unauthenticated dose alteration”), paths.cfse.ai/CPATH-2026-0040 (published 2026-06-03).