Ependorf BioFlo 320 Controller VNC Unauthorized Access Vulnerability (CVSS 9.8) Remediation Guide

Vulnerability Overview Vulnerability ID: ICSMA-26-146-01 Release Date: May 26, 2026 Organization: BIO-ISAC Summary: This vulnerability was reported to CISA Category: csaf_security_advisory CSAF Version: 2.0 Distribution: Unlimited Label: WHITE Language: en-US Impact Scope Category: Other Text: Healthcare and Public Health Title: Critical Infrastructure Sector Category: Other Text: Global Title: Country/Region Deployment Category: Other Text: Germany Title: Company Headquarters Location Remediation Category: General Text: CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. Title: Recommended Practices Category: General Text: Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the Internet. Title: Recommended Practices Category: General Text: Place control system networks and remote devices behind firewalls, and isolate them from business networks. Title: Recommended Practices Category: General Text: When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), and enable multi-factor authentication. Title: Recommended Practices Category: General Text: CISA recommends organizations perform proper impact analysis and risk assessment prior to deploying defensive cybersecurity measures. Title: Recommended Practices Category: General Text: CISA also provides a section for control system security recommended practices, which can be found on the ICS webpage on the CISA website. Title: Recommended Practices Category: General Text: CISA encourages organizations to implement recommended cybersecurity strategies to proactively defend their ICS networks. Title: Recommended Practices Category: General Text: Additional mitigation guidance and recommended practices are publicly available on the ICS webpage. Title: Recommended Practices Category: General Text: Organizations observing suspected malicious activity should follow established internal procedures and report to CISA. Title: Recommended Practices Category: General Text: CISA also recommends users take the following measures to protect themselves from social engineering attacks: Title: Recommended Practices Category: General Text: Do not click links in emails or open attachments from unsolicited emails. Title: Recommended Practices Category: General Text: For more information on avoiding email scams, see "Recognizing and Avoiding Email Scams." Title: Recommended Practices Category: General Text: For more information on social engineering attacks, see "Avoiding Social Engineering and Phishing Attacks." Title: Recommended Practices Category: General Text: Public exploits specifically targeting this vulnerability have been reported to CISA at this link. Title: Recommended Practices Remediation Measures Category: Mitigation Details: Ependorf has released a software update that permanently removes VNC access on the controller. Users should install this update. Product ID: CSAFPID-0001 URL: https://www.ependorf.com/software-downloads Category: Mitigation Details: All affected BioFlo 320 systems ship with Virtual Network Computing (VNC) disabled by default. Product ID: CSAFPID-0001 Category: Mitigation Details: Ependorf recommends users perform the following actions: Product ID: CSAFPID-0001 Category: Mitigation Details: Verify that VNC is disabled on the controller. Product ID: CSAFPID-0001 Category: Mitigation Details: Enable security settings so that only administrator and supervisor roles can change VNC settings. Product ID: CSAFPID-0001 Category: Mitigation Details: Install version 5.0 software as soon as possible. Product ID: CSAFPID-0001 Scoring CVSS V3: - Base Score: 9.8 - Severity: Critical - Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H - Version: 3.1 Products Product ID: CSAFPID-0001 References Category: Self Summary: ICS Advisory ICSMA-26-146-01 JSON URL: https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/OT/White/2026/icsma-26-146-01.json Category: Self Summary: ICS Advisory ICSMA-26-146-01 - Web Version URL: https://www.cisa.gov/news-events/ics-medical-advisories/icsma-26-146-01 Category: External Summary: Recommended Practices URL: https://www.cisa.gov/uscert/ics/alerts/ICS-ALERT-10-301-01 Category: External Summary: Recommended Practices URL: https://www.cisa.gov/resources-tools/resources/ics-recommended-practices Category: External Summary: Recommended Practices URL: https://www.cisa.gov/sites/default/files/publications/Cybersecurity_Best_Practices_for_Industrial_Control_Systems.pdf Category: External Summary: Recommended Practices URL: https://www.cisa.gov/topics/industrial-control-systems Category: External Summary: www.first.org URL: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Category: External Summary: www.first.org URL: https://www.first.org/cvss/calculator/4.0#CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VA:N/SC:N/SI:N/SA:N Category: Exte

Goal Reached Thanks to every supporter — we hit 100%!

Ependorf BioFlo 320 Controller VNC Unauthorized Access Vulnerability (CVSS 9.8) Remediation Guide

More from this source