Token Creation Vulnerability in Philips Products
CVE-2025-2229
8.5 HIGH
Key Information:
- Vendor: Philips
- CVE Published: 13 March 2025
Summary
The vulnerability arises from a token creation method that uses the username, the current date/time, and a static AES-128 encryption key that is the same across all installations. Because this approach is predictable and the encryption scheme is simple, it is easier to exploit and can lead to exposure of sensitive user data. Using a more robust encryption key that varies between installations could mitigate the risks of unauthorized access and data breaches.
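The mitigation direction described above, as an added sketch that is not Philips code: each installation generates its own random secret, and tokens carry a random nonce and an expiry under an HMAC-SHA256 tag (a swapped-in construction, not the product's AES scheme). All function names and the token layout are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import secrets
import time
from typing import Optional


def new_installation_key() -> bytes:
    """Generate a 256-bit secret once per installation; it is never shipped in the product."""
    return secrets.token_bytes(32)


def issue_token(key: bytes, username: str, ttl: int = 900,
                now: Optional[float] = None) -> str:
    """Build payload 'username|expiry|nonce' and append an HMAC-SHA256 tag."""
    expires = int((time.time() if now is None else now) + ttl)
    nonce = secrets.token_hex(16)  # unpredictable even when username and time are known
    payload = f"{username}|{expires}|{nonce}".encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return ".".join(base64.urlsafe_b64encode(p).decode() for p in (payload, tag))


def verify_token(key: bytes, token: str,
                 now: Optional[float] = None) -> Optional[str]:
    """Return the username if the token is authentic and unexpired, else None."""
    try:
        payload_b64, tag_b64 = token.split(".")
        payload = base64.urlsafe_b64decode(payload_b64)
        tag = base64.urlsafe_b64decode(tag_b64)
        # rsplit keeps any '|' inside the username intact
        username, expires_s, _nonce = payload.decode().rsplit("|", 2)
        expires = int(expires_s)
    except (ValueError, UnicodeDecodeError):
        return None  # malformed token
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        return None  # wrong installation key or altered payload
    if (time.time() if now is None else now) >= expires:
        return None  # expired
    return username
```

A token issued by one installation fails verification on any other, which is the property a key shared by all installations cannot provide.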
Affected Version(s)
Intellispace Cardiovascular (ISCV) 0 <= 4.1
CVSS V4
- Score: 8.5
- Severity: HIGH
- Confidentiality: High
- Integrity: High
- Availability: None
- Attack Vector: Local
- Attack Complexity: Low
- Attack Required: None
- Privileges Required: Undefined
- User Interaction: None
Timeline
Vulnerability published
Vulnerability Reserved
Credit
Joe Dillon reported these vulnerabilities to Philips.