More than 3000 hospitals worldwide prone to PwnedPiper bug set

The PwnedPiper bug set is a serious little piece of kit. It is a collection of malware that is found on a great number of hospital networks and has been known to compromise the medical records of the patients using those networks. It is a malicious piece of code, which has been around for at least a decade, and it is not going anywhere any time soon.

Medical devices are often used in healthcare settings to monitor patients’ vital signs and transfer information from a patient’s body to a doctor or nurse.  However, even the most advanced equipment can be practically useless due to a glitch in its manufacturing process.  The PwnedPiper bug is a computer security flaw in these devices that, once triggered, allows attackers to take over control of the devices and  access patient data.  Although most hospitals have systems that patch attacks of this nature, some may still be vulnerable.

A five-year-old zero-day vulnerability in the popular hospital- and medical-records management system PwnedPiper, has been exploited by attackers to obtain medical records of up to 3,000 hospitals worldwide.

PwnedPiper is a group of vulnerabilities that affect hospitals all over the world who use SwiwssLog’s TransLogic Pneumatic Tube System. Armis, a connected device security startup, discovered the nine flaws during its investigation. 

This vulnerability affects about 2300 hospitals in North America and over 3000 units around the world. In a technical study, researchers Barak Hadad and Ben Seri explain the flaws in depth and show how a remote or local attacker could exploit them. The results will also be presented at the Black Hat Security conference this week. 

Armis notified SwissLog of the vulnerabilities on May 1 and has since collaborated with them to assist produce a patch for affected systems. The flaws were discovered in the firmware that powers the Nexus Control Panel, which controls all current Translogic PTS station variants. 

SwissLog has acknowledged the problem and claimed that the vulnerabilities affect the HMI-3 circuit board in internet-connected Nexus panels. The vulnerabilities can only be exploited under a combination of conditions, according to Jennie McQuade, Chief Privacy Officer for Swisslog Healthcare, in a warning published earlier this week.

In the news: An assailant taunts the Iranian government after his railway system is damaged by a one-of-a-kind wiper.

The following main flaws were discovered during Armis’ research.

  • Over Telnet, CVE-2021-37163 grants access to two hardcoded passwords for user and root accounts that are constantly active.
  • Privilege escalation vulnerability, CVE-2021-37167. Allows an attacker to use hardcoded credentials to run a custom script with root privileges. 
  • CVE-2021-37166: The Nexus Control Panel’s GUI process binding with a local service on all interfaces could trigger a DoS (Denial of Service) attack.
  • CVE-2021-37160: Allows unencrypted, unauthenticated firmware updates on the Nexus Control Panel, allowing a malicious firmware to take full control of the system. Possibly the most serious problem, and the only one that has yet to be resolved. 


| Source: Armis | A video showcasing possible attacks.

Aside from these flaws, four memory corruption problems were discovered. in the TransLogic stations’ control protocol, which could lead to remote code execution or, at the very least, a DoS attack. The following CVE codes have been issued to the bugs. 

  • CVE-2021-37161
  • CVE-2021-37162 
  • CVE-2021-37165 
  • CVE-2021-37164

A patch dubbed v7.2.5.7 has been released that addresses all vulnerabilities except CVE-2021-37160, which will be addressed in a future firmware upgrade. 

Armis has supplied the following ways to prevent potential attacks for hospitals that are unable to install the most recent firmware available. 

  • Any use of the Telnet port should be blocked (port 22). 
  • Create ACLs (Access Control Lists) that allow PTS components to communicate exclusively with the Translogic central server. 

Two Snort IDS rules have also been supplied by the business to identify exploitation attempts for multiple vulnerabilities. 

For CVE-2021-37161, CVE-2021-37162, and CVE-2021-37165 vulnerabilities:

alert udp any any -> any 12345 (msg:”PROTOCOL-OTHER Pwned piper exploitation attempt, Too small and malformed Translogic packet”; dsize:

CVE-2021-37164 (CVE-2021-37164):

alert udp any any -> any 12345 (msg:”PROTOCOL-OTHER Pwned piper exploitation attempt, Too large and malformed Translogic packet”;dsize:>350; content:”TLPU”; depth:4; reference:cve,2021-37164; reference:url,; sid:9800001;)

In the news: Motorola has announced three new Edge 20 phones.


When he’s not writing/editing/shooting/hosting all things tech, he streams himself racing virtual vehicles. Yadullah can be reached at [email protected], or you can follow him on Instagram or Twitter.

A recently discovered bug in an IT security patch by a Ukrainian hacker, PwnedPiper, can allow hackers to remotely seize control of a hospital computer network and effectively shut down the entire operation. The bug affects hospitals around the world, allowing malicious hackers to take control of the hospital network. The attack exists due to a huge security flaw in a certain patch that was deployed in order to secure hospitals from known malware that hit the computer networks.. Read more about cve-2020-27170 and let us know what you think.

This article broadly covered the following related topics:

  • cve 2020 17008 workaround
  • latest zero-day vulnerability 2021
  • zero-day vulnerability list
  • microsoft zero-day vulnerability list
  • latest zero-day vulnerability 2020
You May Also Like