CVE-2020-27298

Philips Interventional Workstations OS Command Injection

Description

In Philips Interventional Workspot (Release 1.3.2, 1.4.0, 1.4.1, 1.4.3, 1.4.5), Coronary Tools/Dynamic Coronary Roadmap/Stentboost Live (Release 1.0), and ViewForum (Release 6.3V1L10), the software constructs all or part of an OS command using externally influenced input from an upstream component but does not neutralize, or incorrectly neutralizes, special elements that could modify the intended OS command when it is sent to a downstream component.

Remediation

Solution:

  • Philips has released a software patch to proactively address this vulnerability in the installed base and will schedule service activities with impacted users to implement the correction. As a mitigation for this vulnerability, users with expertise are advised to change the IPMI password for the workstation interface. Users with questions regarding specific Philips Interventional Workspot and/or installations and correction eligibility should contact a Philips service support team, regional service support https://www.usa.philips.com/healthcare/solutions/customer-service-solutions , or call 1-800-722-9377 with reference to field change order (FCO) number 2019-IGTBST-014. Please see the Philips product security website https://www.philips.com/productsecurity for the Philips advisory and the latest security information for Philips products.

CVSS score: 6.5
Severity: Medium
EPSS: 0.19%
Third-Party Advisory: cisa.gov
Affected: Philips Interventional Workspot
Affected: Philips Coronary Tools/Dynamic Coronary Roadmap/Stentboost Live
Affected: Philips ViewForum

Frequently Asked Questions

What is the severity of CVE-2020-27298?
CVE-2020-27298 has been scored as a medium severity vulnerability.
How to fix CVE-2020-27298?
To fix CVE-2020-27298: Philips has released a software patch to proactively address this vulnerability in the installed base and will schedule service activities with impacted users to implement the correction. As a mitigation for this vulnerability, users with expertise are advised to change the IPMI password for the workstation interface. Users with questions regarding specific Philips Interventional Workspot and/or installations and correction eligibility should contact a Philips service support team, regional service support https://www.usa.philips.com/healthcare/solutions/customer-service-solutions , or call 1-800-722-9377 with reference to field change order (FCO) number 2019-IGTBST-014. Please see the Philips product security website https://www.philips.com/productsecurity for the Philips advisory and the latest security information for Philips products.
Is CVE-2020-27298 being actively exploited in the wild?
As of now, there is no information confirming that CVE-2020-27298 is being actively exploited. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2020-27298?
CVE-2020-27298 affects Philips Interventional Workspot, Philips Coronary Tools/Dynamic Coronary Roadmap/Stentboost Live, Philips ViewForum.