CVE-2022-26388

Use of Hard-Coded Password Vulnerability in ELI Electrocardiograph Devices

Description

A use of hard-coded password vulnerability may allow authentication abuse. This issue affects ELI 380 Resting Electrocardiograph: Versions 2.6.0 and prior; ELI 280/BUR280/MLBUR 280 Resting Electrocardiograph: Versions 2.3.1 and prior; ELI 250c/BUR 250c Resting Electrocardiograph: Versions 2.1.2 and prior; ELI 150c/BUR 150c/MLBUR 150c Resting Electrocardiograph: Versions 2.2.0 and prior.

Remediation

Solution:

  • Hillrom has released software updates for all impacted devices to address these vulnerabilities. New product versions that mitigate these vulnerabilities are available as follows:
      * Welch Allyn ELI 380 Resting Electrocardiograph: available Q4 2023
      * Welch Allyn ELI 280/BUR280/MLBUR 280 Resting Electrocardiograph: available May 2022
      * Welch Allyn ELI 150c/BUR 150c/MLBUR 150c Resting Electrocardiograph: available Q4 2023
    Hillrom recommends users upgrade to the latest product versions. Information on how to update these products can be found on the Hillrom disclosure page: https://hillrom.com/en/responsible-disclosures/

Workaround:

  • Hillrom recommends the following workarounds to help reduce risk:
      * Apply proper network and physical security controls.
      * Ensure a unique encryption key is configured for ELI Link and Cardiograph.
      * Where possible, use a firewall to prevent communication on Port 21 FTP service, Port 22 SSH (Secure Shell Connection), and Port 23 Telnet service.

Category

CVSS 3.1 score: 6.4
Severity: Medium
EPSS: 0.06%
Affected: Welch Allyn ELI 380 Resting Electrocardiograph
Affected: Welch Allyn ELI 280/BUR280/MLBUR 280 Resting Electrocardiograph
Affected: Welch Allyn ELI 250c/BUR 250c Resting Electrocardiograph
Affected: Welch Allyn ELI 150c/BUR 150c/MLBUR 150c Resting Electrocardiograph

Frequently Asked Questions

What is the severity of CVE-2022-26388?
CVE-2022-26388 has been scored as a medium severity vulnerability.
How to fix CVE-2022-26388?
To fix CVE-2022-26388: Hillrom has released software updates for all impacted devices to address these vulnerabilities. New product versions that mitigate these vulnerabilities are available as follows:
  * Welch Allyn ELI 380 Resting Electrocardiograph: available Q4 2023
  * Welch Allyn ELI 280/BUR280/MLBUR 280 Resting Electrocardiograph: available May 2022
  * Welch Allyn ELI 150c/BUR 150c/MLBUR 150c Resting Electrocardiograph: available Q4 2023
Hillrom recommends users upgrade to the latest product versions. Information on how to update these products can be found on the Hillrom disclosure page: https://hillrom.com/en/responsible-disclosures/
Is CVE-2022-26388 being actively exploited in the wild?
As of now, there is no information confirming that CVE-2022-26388 is being actively exploited. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2022-26388?
CVE-2022-26388 affects Welch Allyn ELI 380 Resting Electrocardiograph, Welch Allyn ELI 280/BUR280/MLBUR 280 Resting Electrocardiograph, Welch Allyn ELI 250c/BUR 250c Resting Electrocardiograph, Welch Allyn ELI 150c/BUR 150c/MLBUR 150c Resting Electrocardiograph.