CVE-2025-14096: CWE-798: Use of Hard-coded Credentials in Radiometer Medical Aps ABL90 FLEX and ABL90 FLEX PLUS Analyzers
A vulnerability exists in multiple Radiometer products that allows an attacker with physical access to the analyzer to extract credential information. The vulnerability is due to a weakness in the design and insufficient credential protection in the operating system. Other related CVEs are CVE-2025-14095 and CVE-2025-14097. Affected customers have been informed about this vulnerability. This CVE is being published to provide transparency.
Required Configuration for Exposure: The attacker requires physical access to the analyzer.
Temporary Workaround: Only authorized people can physically access the analyzer.
Permanent Solution: Local Radiometer representatives will contact all affected customers to discuss a permanent solution.
Exploit Status: Researchers have provided a working proof-of-concept (PoC). Radiometer is not aware of any public exploit code at the time of this publication.
AI Analysis
Technical Summary
CVE-2025-14096 identifies a critical security vulnerability in Radiometer Medical Aps’ ABL90 FLEX and ABL90 FLEX PLUS blood gas analyzers, which run on legacy Windows 7 and Windows XP operating systems. The vulnerability stems from the use of hard-coded credentials embedded within the device’s operating system, a design weakness classified under CWE-798 (Use of Hard-coded Credentials) and CWE-250 (Execution with Unnecessary Privileges). An attacker who gains physical access to the analyzer can extract these credentials, potentially allowing unauthorized access to the device’s system and sensitive medical data. The flaw compromises confidentiality by exposing credential information, integrity by enabling unauthorized system modifications, and availability by potentially disrupting device operations. The vulnerability requires no user interaction or prior authentication but does require physical access, limiting remote exploitation. Radiometer has informed affected customers and is working on permanent fixes, although no patches have been publicly released yet. Researchers have demonstrated a proof-of-concept exploit, but no known public exploits are currently active. The vulnerability is exacerbated by the use of outdated operating systems, which may lack modern security controls. This issue highlights the risks of embedded medical devices relying on legacy software and insufficient credential management.
Potential Impact
For European organizations, particularly healthcare providers, this vulnerability poses significant risks. The ABL90 FLEX analyzers are used in clinical settings for critical blood gas analysis, and compromise could lead to unauthorized access to patient data, manipulation of diagnostic results, or denial of service. Such impacts could undermine patient safety, violate data protection regulations like GDPR, and disrupt clinical workflows. The requirement for physical access somewhat limits the threat to insiders or attackers with physical proximity, but healthcare environments often have multiple personnel with device access, increasing risk. Additionally, the use of legacy Windows operating systems means these devices may be more susceptible to other attacks if compromised. The reputational damage and regulatory consequences of a breach involving medical devices are severe. European healthcare institutions must prioritize securing physical access and coordinate with Radiometer for updates to prevent exploitation. Failure to address this vulnerability could lead to targeted attacks against critical healthcare infrastructure, especially in countries with advanced medical services and high Radiometer device adoption.
Mitigation Recommendations
1. Enforce strict physical security controls around all ABL90 FLEX and ABL90 FLEX PLUS analyzers to ensure only authorized personnel can access the devices.
2. Implement access logging and monitoring in clinical areas to detect unauthorized physical access attempts.
3. Coordinate promptly with Radiometer representatives to obtain and apply permanent fixes or firmware updates once available.
4. Consider network segmentation to isolate analyzers from broader hospital networks, limiting lateral movement if a device is compromised.
5. Conduct regular security training for healthcare staff emphasizing the importance of physical device security.
6. Evaluate the feasibility of upgrading or replacing devices running unsupported operating systems with more secure alternatives.
7. Maintain an inventory of all affected devices and track remediation status.
8. Review and enhance endpoint security policies to include medical device protection.
9. Prepare incident response plans specific to medical device compromise scenarios.
10. Engage with regulatory bodies to ensure compliance with medical device security standards and reporting requirements.
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Sweden, Belgium, Denmark, Switzerland
Technical Details
- Data Version: 5.2
- Assigner Short Name: Radiometer
- Date Reserved: 2025-12-05T10:50:00.566Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 6942a591d5dc0d5a04f3ed84
Added to database: 12/17/2025, 12:44:01 PM
Last enriched: 12/24/2025, 1:17:14 PM
Last updated: 2/6/2026, 12:02:13 AM