
CVE-2025-14095: CWE-284: Improper Access Control in Radiometer Medical Aps ABL90 FLEX and ABL90 FLEX PLUS Analyzers

Severity: Medium
Tags: Vulnerability, CVE-2025-14095, CWE-284, CWE-693
Published: Wed Dec 17 2025 (12/17/2025, 11:45:43 UTC)
Source: CVE Database V5
Vendor/Project: Radiometer Medical Aps
Product: ABL90 FLEX and ABL90 FLEX PLUS Analyzers

Description

A "Privilege boundary violation" vulnerability has been identified affecting multiple Radiometer products. Exploitation of this vulnerability gives a user with physical access to the analyzer the possibility to gain unauthorized access to functionality outside the restricted environment. The vulnerability is due to a weakness in the design of the access control implementation in the application software. Other related CVEs are CVE-2025-14096 and CVE-2025-14097. Affected customers have been informed about this vulnerability. This CVE is being published to provide transparency.

Required configuration for exposure: physical access to the analyzer is needed.
Temporary workaround: only authorized people can physically access the analyzer.
Permanent solution: local Radiometer representatives will contact all affected customers to discuss a permanent solution.
Exploit status: researchers have provided a working proof-of-concept. Radiometer is not aware of any publicly available exploit at the time of publication.

AI-Powered Analysis

AI analysis last updated: 12/17/2025, 11:59:47 UTC

Technical Analysis

CVE-2025-14095 is a security vulnerability classified under CWE-284 (Improper Access Control) and CWE-693 (Protection Mechanism Failure) affecting Radiometer Medical Aps ABL90 FLEX and ABL90 FLEX PLUS blood gas analyzers. These devices run application software on Windows operating systems, including Windows 7, Windows XP, and versions of Windows 10 prior to 3.5MR11. The vulnerability arises from a flawed design of the access control implementation within the application software, which creates a privilege boundary violation. Specifically, a user with physical access to the analyzer can circumvent restrictions intended to isolate sensitive functionality, thereby gaining unauthorized access to operations outside the intended restricted environment. This can lead to unauthorized data access, manipulation of device settings, or disruption of device availability. The vulnerability requires physical presence at the device, does not require prior authentication or user interaction, and has a CVSS 3.1 base score of 6.8, reflecting medium severity with high confidentiality, integrity, and availability impacts. Although no public exploits are currently available, researchers have demonstrated a proof-of-concept exploit. Radiometer has informed affected customers and plans to provide permanent remediation through local representatives. Temporary mitigation focuses on limiting physical access to authorized personnel only. This vulnerability is of particular concern in medical environments where device integrity and data confidentiality are paramount, as exploitation could compromise patient data or disrupt clinical workflows.

Potential Impact

For European organizations, particularly healthcare providers and clinical laboratories, this vulnerability poses significant risks. Unauthorized access to blood gas analyzers could lead to manipulation or theft of sensitive patient data, impacting confidentiality and violating GDPR regulations. Integrity of diagnostic results could be compromised, potentially leading to incorrect clinical decisions and patient harm. Availability of these critical medical devices could also be disrupted, affecting timely patient care. Given the requirement for physical access, insider threats or unauthorized personnel in healthcare facilities represent the primary risk vector. The impact is heightened in countries with extensive deployment of Radiometer analyzers in hospitals and clinics, where disruption or data breaches could have cascading effects on healthcare delivery and regulatory compliance. Additionally, the presence of legacy operating systems like Windows XP and Windows 7 in some medical devices increases the attack surface. The medium CVSS score reflects the balance between the high impact of exploitation and the physical access requirement, but the critical nature of healthcare environments elevates the operational risk.

Mitigation Recommendations

1. Enforce strict physical security controls around all Radiometer ABL90 FLEX and ABL90 FLEX PLUS analyzers, limiting access to authorized and trained personnel only.
2. Implement surveillance and access logging in areas housing these devices to detect and deter unauthorized physical access attempts.
3. Coordinate with Radiometer local representatives to schedule and apply permanent software updates or patches as soon as they become available, prioritizing devices running vulnerable OS versions.
4. Conduct regular audits of device configurations and access control settings to ensure no unauthorized changes have been made.
5. Train healthcare staff on the importance of device security and the risks associated with physical access vulnerabilities.
6. Where possible, isolate analyzers on secure network segments to reduce risk from network-based attacks, complementing physical security.
7. Develop incident response plans specific to medical device compromise, including procedures for rapid containment and recovery.
8. Evaluate and plan for phased replacement of devices running outdated operating systems to reduce exposure to similar vulnerabilities.

These steps go beyond generic advice by focusing on physical security, vendor coordination, and operational controls tailored to the healthcare environment.


Technical Details

Data Version
5.2
Assigner Short Name
Radiometer
Date Reserved
2025-12-05T10:49:53.501Z
Cvss Version
3.1
State
PUBLISHED

Threat ID: 6942998e034dcf4950468ce7

Added to database: 12/17/2025, 11:52:46 AM

Last enriched: 12/17/2025, 11:59:47 AM

Last updated: 12/17/2025, 1:56:20 PM
