August 7, 2022


Thinking Security ! Always

NUCLEUS:13 Bugs HealthCare Devices

A software library named as Nucleus maintained by Siemens and used in three billion operational technology and IoT devices that could allow for remote code execution, DoS, and information leak has 13 vulnerabilities that’s fixed now with newer version Nucleus Ready Start versions 3 (v2017.02.4 or later) and 4 (v4.1.1 or later).

Collectively called NUCLEUS:13, successful attacks abusing the flaws can “result in devices going offline and having their logic hijacked,” and “spreading malware to wherever they communicate on the network,”, with one proof-of-concept (PoC) successfully executed with a scenario that could potentially disrupt medical care and critical processes.


Primarily deployed in automotive, industrial, and medical applications, Nucleus is a closed-source real-time operating system (RTOS) used in safety-critical devices, such as anesthesia machines, patient monitors, ventilators, and other healthcare equipment.

The most severe of the issues is CVE-2021-31886 (CVSS score: 9.8), a stack-based buffer overflow vulnerability affecting the FTP server component, effectively enabling a malicious actor to write arbitrary code, hijack the execution flow, and achieve code execution, and in the process, take control of susceptible devices. Two other high-severity vulnerabilities (CVE-2021-31887 and CVE-2021-31888), both impacting FTP servers, could be weaponized to achieve DoS and remote code execution.

Real-world attacks leveraging the flaw could hypothetically impede the normal functioning of automated train systems by sending a malicious FTP packet, causing a Nucleus-powered controller to crash, in turn, preventing a train from stopping at a station and causing it to collide with another train on the track.


Fore Scout’s telemetry analysis has revealed closed to 5,500 devices from 16 vendors, with most of the vulnerable Nucleus devices found in the healthcare sector (2,233) followed by government (1,066), retail (348), financial (326), and manufacturing (317).

CISA urged users to take defensive measures to mitigate the risk of exploitation of these vulnerabilities, including minimizing network exposure for all control system devices, segmenting control system networks from business networks, and using VPNs for remote access.

%d bloggers like this: