Wednesday, June 19, 2024

PwnedPiper- 9 Severe Bugs in Critical Infrastructure Threats 80% of All Major Hospitals in U.S.

The TransLogic Pneumatic Tubing System (PTS) is used in thousands of hospitals all over the world, and these pipes connect various departments in comprehensive hospitals. 

According to the report, this TransLogic system is installed in more than 3,000 hospitals in the US. And all these pipes work effectively as it enables the movement of delicate medical materials that generally enables the nurses to implement patient carefreely.

However, the security company Armis pronounced that they have detected 9 vulnerabilities in the PTS control software-Nexus control panel. 

This problem, collectively known as PwnedPiper, and these vulnerabilities allow illegal threat actors to take over the TransLogic pneumatic tube system.

How PwnedPiper Could Be Used?

After investigating the vulnerabilities, the researchers affirmed that it could enable complicated and worrisome ransomware outbreaks, and not only this it also permit the threat actors, to leak delicate hospital data.

The threat actors are targeting the Translogic PTS system as it is one of the advanced systems that consolidate with other hospital systems, and it allows the data that is being shared between these systems to be leaked or manipulated by an attacker.

PwndPiper Vulnerabilities

The analysts have given a full list of the Pwndpiper vulnerabilities and here they are mentioned below:-

  • CVE-2021-37161 – Underflow in udpRXThread
  • CVE-2021-37162 – Overflow in sccProcessMsg
  • CVE-2021-37163 – Two hardcoded passwords accessible through the Telnet server
  • CVE-2021-37164 – Off-by-three stack overflow in tcpTxThread
  • CVE-2021-37165 – Overflow in hmiProcessMsg
  • CVE-2021-37166 – GUI socket Denial Of Service
  • CVE-2021-37167 – User script run by root can be used for PE
  • CVE-2021-37160 – Unauthenticated, unencrypted, unsigned firmware upgrade


As we said above that this attack is quite dangerous, and the PTS system connects comprehensive hospitals, that’s why it is quite necessary to patch these vulnerabilities. 

The security analyst of Armis has suggested some mitigation that is to be followed by the hospital accordingly, here they are mentioned below:-

  • They have recommended hospital bodies to initially, stop the use of Telnet (port 23) on the Translogic PTS stations (the Telnet service is not required in production).
  • Expand the access control lists (ACLs), in which Translogic PTS elements (stations, blowerd, diverters, etc.) were being allotted to interact with the Translogic central server (SCC).
  • Apart from this, the analyst has stated that they must use the following Snort IDS rule to recognize the exploitation efforts of CVE-2021-37161, CVE-2021-37162, and CVE-2021-37165:-
  • alert udp any any -> any 12345 (msg:”PROTOCOL-OTHER Pwned piper exploitation attempt, Too small and malformed Translogic packet”; dsize:<21; content:”TLPU”; depth:4; content:”|00 00 00 01|”; distance:4; within:4; reference:cve,2021-37161; reference:url,; sid:9800002; rev:1;)
  • Use the following Snort IDS rule to detect exploitation attempts of CVE-2021-37164:-
  • alert udp any any -> any 12345 (msg:”PROTOCOL-OTHER Pwned piper exploitation attempt, Too large and malformed Translogic packet”;dsize:>350; content:”TLPU”; depth:4; reference:cve,2021-37164; reference:url,; sid:9800001;)

Moreover, the researchers of Armies asserted that they will continue their investigation, and will try their best to find all the key details of the vulnerabilities. 

Since this attack is quite dangerous as it hampers all the delicate files and data of the hospital, therefore it is very important to follow the mitigation accordingly to bypass such vulnerability attacks in the future.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity, and hacking news updates.


Latest articles

Amtrak Data Breach: Hackers Accessed User’s Email Address

Amtrak notified its customers regarding a significant security breach involving its Amtrak Guest Rewards...

Chrome Security Update – Patch for 6 Vulnerabilities

Google has announced a new update for the Chrome browser, rolling out version 126.0.6478.114/115...

Hackers Weaponize Windows Installer (MSI) Files to Deliver Malware

Cybersecurity researchers have uncovered a sophisticated malware campaign orchestrated by a threat actor group,...

Hackers Using VPNs To Exploit Restrictions & Steal Mobile Data

Hackers are offering "free" mobile data access on Telegram channels by exploiting loopholes in...

New PhaaS Platform Lets Attackers Bypass Two-Factor Authentication

Several phishing campaign kits have been used widely by threat actors in the past....

Stuxnet, The Malware That Propagates To Air-Gapped Networks

Stuxnet, a complex worm discovered in 2010, targeted Supervisory Control and Data Acquisition (SCADA)...

Threat Actors Claiming Breach of AMD Source Code on Hacking Forums

A threat actor named " IntelBroker " claims to have breached AMD in June...
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Free Webinar

API Vulnerability Scanning

71% of the internet traffic comes from APIs so APIs have become soft targets for hackers.Securing APIs is a simple workflow provided you find API specific vulnerabilities and protect them.In the upcoming webinar, join Vivek Gopalan, VP of Products at Indusface as he takes you through the fundamentals of API vulnerability scanning..
Key takeaways include:

  • Scan API endpoints for OWASP API Top 10 vulnerabilities
  • Perform API penetration testing for business logic vulnerabilities
  • Prioritize the most critical vulnerabilities with AcuRisQ
  • Workflow automation for this entire process

Related Articles