QwikSec

Security Database

CVE

CWE

Training

CVE-2014-5406

Published: Jul 6, 2015

Modified: Nov 3, 2025

PUBLISHED

Description

The Hospira LifeCare PCA Infusion System before 7.0 does not validate network traffic associated with sending a (1) drug library, (2) software update, or (3) configuration change, which allows remote attackers to modify settings or medication data via packets on the (a) TELNET, (b) HTTP, (c) HTTPS, or (d) UPNP port. NOTE: this issue might overlap CVE-2015-3459.

Vendor	Product	Versions
Hospira	LifeCare PCA Infusion System	affected `0 - <= 5.0` unaffected `7.0`

Weaknesses (CWE)

References

https://www.cisa.gov/news-events/ics-advisories/icsa-15-125-01

http://www.fda.gov/MedicalDevices/Safety/AlertsandNotices/ucm446809.htm

x_refsource_MISC

https://xs-sniper.com/blog/2015/06/08/hospira-plum-a-infusion-pump-vulnerabilities/

x_refsource_MISC

https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2015/icsa-15-125-01.json

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.