
B. Braun Melsungen AG has issued a high-priority security advisory warning of three severe vulnerabilities affecting its OnlineSuite AP 3.0 and earlier, including one rated a maximum CVSS score of 10.0. While patient safety remains unaffected, the flaws pose a serious risk to hospital IT infrastructure and medical data integrity.
“Successful exploitation of these vulnerabilities may allow an attacker to escalate privileges, download and upload arbitrary files, and perform remote code execution,” the advisory explains.
These vulnerabilities impact server-side software isolated from infusion pumps but still represent a major attack surface within healthcare networks.
- CVE-2025-3322 (CVSS 10.0) – Remote Code Execution via Expression Injection: User-supplied input that is not properly neutralized before being evaluated in an Expression Language statement lets a remote attacker take full control of the server. “An improper neutralization of inputs used in expression language allows remote code execution with the highest privileges on the server,” the advisory notes.
- CVE-2025-3365 (CVSS 9.8) – Relative Path Traversal: Because the server does not validate supplied file paths, an attacker can read arbitrary files on the server.
- CVE-2025-3321 (CVSS 9.3) – Hardcoded Administrative Account: A non-removable, undocumented admin account exists on affected servers. While not remotely exploitable, any local user with server access can leverage it for privilege escalation.
The vulnerabilities affect OnlineSuite AP 3.0 and earlier, widely deployed across critical healthcare infrastructure around the world. Although infusion pumps and patient-facing devices are not directly impacted, the vulnerabilities reside in backend systems that manage configuration, data transfer, and user access. These systems support healthcare and public health sectors, a frequent target of sophisticated cyberattacks.
The flaws were responsibly disclosed by Fabian Weber and Dr. Florian Hauser of CODE WHITE GmbH, a well-respected security research firm.
B. Braun has released FSI 14-25 “OnlineSuite AP3.0 – Security Fix” to patch the issues. The company urges immediate implementation and offers the following security best practices:
- Do not expose OnlineSuite directly to the internet
- Use firewalls to isolate medical devices from business networks
- Restrict server access to essential personnel only
- Deploy OnlineSuite on a dedicated server with no additional services