
CVE-2025-14095: CWE-284: Improper Access Control in Radiometer Medical Aps ABL90 FLEX and ABL90 FLEX PLUS Analyzers

Severity: Medium
Tags: vulnerability, CVE-2025-14095, CWE-284, CWE-693
Published: Wed Dec 17 2025 (12/17/2025, 11:45:43 UTC)
Source: CVE Database V5
Vendor/Project: Radiometer Medical Aps
Product: ABL90 FLEX and ABL90 FLEX PLUS Analyzers

Description

A "Privilege boundary violation" vulnerability is identified affecting multiple Radiometer Products. Exploitation of this vulnerability gives a user with physical access to the analyzer the possibility to gain unauthorized access to functionalities outside the restricted environment. The vulnerability is due to weakness in the design of access control implementation in application software. Other related CVEs are CVE-2025-14096 & CVE-2025-14097. Affected customers have been informed about this vulnerability. This CVE is being published to provide transparency.

Required configuration for exposure: Physical access to the analyzer is needed.

Temporary workaround: Only authorized people can physically access the analyzer.

Permanent solution: Local Radiometer representatives will contact all affected customers to discuss a permanent solution.

Exploit status: Researchers have provided working proof-of-concept. Radiometer is not aware of any publicly available exploit at the time of publication.

Note: CVSS score 6.8 when underlying OS is Windows 7 or Windows XP operating systems and CVSS score 5.7 when underlying OS is Windows 8 or Windows 10 operating systems.

AI-Powered Analysis

Last updated: 12/24/2025, 13:09:23 UTC

Technical Analysis

CVE-2025-14095 identifies a privilege boundary violation vulnerability in Radiometer Medical Aps' ABL90 FLEX and ABL90 FLEX PLUS blood gas analyzers. These devices run application software on Windows operating systems including Windows XP, 7, 8, and 10. The vulnerability arises from improper access control implementation (CWE-284) in the device's application software, allowing a user with physical access to the analyzer to escape the restricted environment and access unauthorized functionalities. This could lead to unauthorized configuration changes, data manipulation, or disruption of device operation, impacting the confidentiality, integrity, and availability of critical medical data and device functions. Exploitation does not require authentication or user interaction but does require physical access to the device. The CVSS v3.1 base score is 6.8 for devices running Windows XP or 7, and 5.7 for Windows 8 or 10, reflecting a medium severity level. The vulnerability affects all application software versions running on Windows XP and 7, and versions below 3.5MR11 on Windows 10. Radiometer has informed affected customers and is coordinating permanent remediation, while recommending restricting physical access as a temporary workaround. No public exploits are currently known, but proof-of-concept exploits have been demonstrated by researchers. This vulnerability is critical in medical environments where device integrity and data confidentiality are paramount, especially given the reliance on these analyzers for patient diagnostics and treatment decisions.

Potential Impact

For European healthcare organizations, this vulnerability poses significant risks. The ABL90 FLEX analyzers are used in clinical settings for blood gas analysis, critical for patient monitoring and treatment decisions. Unauthorized access could allow attackers to alter device settings or data, potentially leading to incorrect diagnostics or treatment errors. This compromises patient safety and could result in regulatory non-compliance under GDPR and medical device regulations. The requirement for physical access limits remote exploitation but insider threats or unauthorized personnel gaining access to medical devices remain a concern. Disruption or manipulation of analyzer functions could also impact hospital operational continuity. Given the use of older Windows OS versions in some healthcare environments, the risk is elevated in facilities that have not updated software or hardware. The medium CVSS score reflects moderate exploitability and impact, but the critical nature of the device's role in patient care amplifies the potential consequences. European healthcare providers must prioritize mitigation to prevent patient harm and maintain trust in medical device security.

Mitigation Recommendations

Beyond restricting physical access to authorized personnel only, European healthcare organizations should:

1) Inventory all ABL90 FLEX and ABL90 FLEX PLUS analyzers and identify underlying OS versions to prioritize updates.
2) Coordinate with Radiometer representatives to obtain and apply permanent patches or software updates as soon as they become available, especially for devices running Windows XP, 7, and versions below 3.5MR11 on Windows 10.
3) Implement strict physical security controls around medical devices, including locked rooms and surveillance, to prevent unauthorized physical access.
4) Conduct regular audits and monitoring of device usage logs to detect anomalous activity indicative of unauthorized access attempts.
5) Train clinical and technical staff on the risks of physical access vulnerabilities and enforce policies restricting device handling.
6) Where feasible, upgrade underlying operating systems to supported versions with enhanced security features.
7) Collaborate with medical device vendors to ensure ongoing security assessments and timely vulnerability disclosures.
8) Integrate device security into broader hospital cybersecurity frameworks, including network segmentation and endpoint protection, to limit lateral movement if devices are compromised.


Technical Details

Data Version: 5.2
Assigner Short Name: Radiometer
Date Reserved: 2025-12-05T10:49:53.501Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 6942998e034dcf4950468ce7

Added to database: 12/17/2025, 11:52:46 AM

Last enriched: 12/24/2025, 1:09:23 PM

Last updated: 2/6/2026, 7:40:02 AM

