The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued an Industrial Control Systems (ICS) medical advisory warning of a critical flaw that affects Illumina medical devices.
The issues affect the Universal Copy Service (UCS) software in several DNA sequencing instruments, including the iSeq 100, MiSeq, NextSeq 550, and NovaSeq 6000. CVE-2023-1968, a severe bug with a CVSS score of 10.0, can enable remote attackers to eavesdrop on network traffic and execute arbitrary commands.
The second flaw (CVE-2023-1966, CVSS score: 7.4) relates to a privilege misconfiguration that could allow a remote attacker to upload and execute code with elevated permissions. CISA warned that exploitation of these vulnerabilities could let an attacker take any action at the operating system level.
The FDA stated that an unauthorized user could weaponize the flaw to impact genomic data results, leading to a potential data breach, no results, incorrect results, or altered results. Users should apply the fixes released on April 5, 2023, to mitigate potential threats.
This is not the first time such vulnerabilities have been discovered in Illumina’s DNA sequencing devices. In June 2022, the company disclosed multiple similar vulnerabilities that could have been abused to seize control of affected systems. The disclosure comes almost a month after the FDA issued new guidance that will require medical device makers to adhere to a set of cybersecurity requirements when submitting an application for a new product.