CVE-2025-2229 - Vulnerability Details - OpenCVE

A token is created using the username, current date/time, and a fixed AES-128 encryption key, which is the same across all installations.

Attack Vector Local

Attack Complexity Low

Privileges Required None

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact High

Vulnerable System Integrity Impact High

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Local

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact total

No data.

No data.

No data.

References

Link	Providers
https://www.cisa.gov/news-events/ics-medical-advisories/icsma-25-072-01
https://www.philips.com/a-w/security/security-advisories.html

History

Sun, 13 Jul 2025 13:45:00 +0000

Type	Values Removed	Values Added
Metrics	epss `{'score': 0.00011}`	epss `{'score': 0.00014}`

Thu, 13 Mar 2025 20:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Thu, 13 Mar 2025 18:30:00 +0000

Type	Values Removed	Values Added
Description		A token is created using the username, current date/time, and a fixed AES-128 encryption key, which is the same across all installations.
Title		Philips Intellispace Cardiovascular (ISCV) Use of Weak Credentials
Weaknesses		CWE-1391
References		https://www.cisa.gov/news-events/ics-medical-advisories/icsma-25-072-01 https://www.philips.com/a-w/security/security-advisories.html
Metrics		cvssV3_1 `{'score': 7.7, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N'}` cvssV4_0 `{'score': 8.5, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N'}`

MITRE

Status: PUBLISHED

Assigner: icscert

Published: 2025-03-13T18:17:31.256Z

Updated: 2025-03-17T20:04:56.100Z

Reserved: 2025-03-11T20:11:49.638Z

Link: CVE-2025-2229

Vulnrichment

Updated: 2025-03-13T19:30:35.846Z

NVD

Status : Received

Published: 2025-03-13T19:15:52.523

Modified: 2025-03-13T19:15:52.523

Link: CVE-2025-2229

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-2229", "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "state": "PUBLISHED", "assignerShortName": "icscert", "dateReserved": "2025-03-11T20:11:49.638Z", "datePublished": "2025-03-13T18:17:31.256Z", "dateUpdated": "2025-03-17T20:04:56.100Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Intellispace Cardiovascular (ISCV)", "vendor": "Philips", "versions": [{"lessThanOrEqual": "4.1", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Joe Dillon reported these vulnerabilities to Philips."}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "A token is created using the username, current date/time, and a fixed \nAES-128 encryption key, which is the same across all installations."}], "value": "A token is created using the username, current date/time, and a fixed \nAES-128 encryption key, which is the same across all installations."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 7.7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}, {"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "LOCAL", "baseScore": 8.5, "baseSeverity": "HIGH", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-1391", "description": "CWE-1391", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "shortName": "icscert", "dateUpdated": "2025-03-17T20:04:56.100Z"}, "references": [{"url": "https://www.cisa.gov/news-events/ics-medical-advisories/icsma-25-072-01"}, {"url": "https://www.philips.com/a-w/security/security-advisories.html"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>Philips recommends the following mitigations:</p>\n<ul>\n<li>\n\n<span style=\"background-color: rgb(255, 255, 255);\">Resolved in ISCV 4.2 build 20589, which was released in May 2019.</span>\n\n</li>\n\n<li>Philips recommends users upgrade ISCV installed base to the latest \nISCV version (at the time of this publication is 830089 \u2013 IntelliSpace \nCardiovacular 8.0.0.0)</li>\n<li>Please contact a local Philips sales (service) representative to learn how to engage this upgrade process.</li>\n<li>For managed services users, new releases will be made available upon\n resource availability. Releases are subject to country-specific \nregulations.</li>\n</ul>\n<p>Refer to the <a target=\"_blank\" rel=\"nofollow\" href=\"https://www.philips.com/a-w/security/security-advisories.html\">Philips advisory</a>for more details.\n\n<br></p>"}], "value": "Philips recommends the following mitigations:\n\n\n\n * \n\nResolved in ISCV 4.2 build 20589, which was released in May 2019.\n\n\n\n\n * Philips recommends users upgrade ISCV installed base to the latest \nISCV version (at the time of this publication is 830089 \u2013 IntelliSpace \nCardiovacular 8.0.0.0)\n\n * Please contact a local Philips sales (service) representative to learn how to engage this upgrade process.\n\n * For managed services users, new releases will be made available upon\n resource availability. Releases are subject to country-specific \nregulations.\n\n\n\n\nRefer to the Philips advisory https://www.philips.com/a-w/security/security-advisories.html for more details."}], "source": {"advisory": "ICSMA-25-072-01", "discovery": "EXTERNAL"}, "title": "Philips Intellispace Cardiovascular (ISCV) Use of Weak Credentials", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-03-13T19:30:31.475698Z", "id": "CVE-2025-2229", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-03-13T19:30:42.059Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-2229", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-03-13T19:30:31.475698Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-03-13T19:30:35.846Z"}}], "cna": {"title": "Philips Intellispace Cardiovascular (ISCV) Use of Weak Credentials", "source": {"advisory": "ICSMA-25-072-01", "discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "value": "Joe Dillon reported these vulnerabilities to Philips."}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.7, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}, {"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 8.5, "Automatable": "NOT_DEFINED", "attackVector": "LOCAL", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Philips", "product": "Intellispace Cardiovascular (ISCV)", "versions": [{"status": "affected", "version": "0", "versionType": "custom", "lessThanOrEqual": "4.1"}], "defaultStatus": "unaffected"}], "solutions": [{"lang": "en", "value": "Philips recommends the following mitigations:\n\n\n\n * \n\nResolved in ISCV 4.2 build 20589, which was released in May 2019.\n\n\n\n\n * Philips recommends users upgrade ISCV installed base to the latest \nISCV version (at the time of this publication is 830089 \u2013 IntelliSpace \nCardiovacular 8.0.0.0)\n\n * Please contact a local Philips sales (service) representative to learn how to engage this upgrade process.\n\n * For managed services users, new releases will be made available upon\n resource availability. Releases are subject to country-specific \nregulations.\n\n\n\n\nRefer to the Philips advisory https://www.philips.com/a-w/security/security-advisories.html for more details.", "supportingMedia": [{"type": "text/html", "value": "<p>Philips recommends the following mitigations:</p>\n<ul>\n<li>\n\n<span style=\"background-color: rgb(255, 255, 255);\">Resolved in ISCV 4.2 build 20589, which was released in May 2019.</span>\n\n</li>\n\n<li>Philips recommends users upgrade ISCV installed base to the latest \nISCV version (at the time of this publication is 830089 \u2013 IntelliSpace \nCardiovacular 8.0.0.0)</li>\n<li>Please contact a local Philips sales (service) representative to learn how to engage this upgrade process.</li>\n<li>For managed services users, new releases will be made available upon\n resource availability. Releases are subject to country-specific \nregulations.</li>\n</ul>\n<p>Refer to the <a target=\"_blank\" rel=\"nofollow\" href=\"https://www.philips.com/a-w/security/security-advisories.html\">Philips advisory</a>for more details.\n\n<br></p>", "base64": false}]}], "references": [{"url": "https://www.cisa.gov/news-events/ics-medical-advisories/icsma-25-072-01"}, {"url": "https://www.philips.com/a-w/security/security-advisories.html"}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "A token is created using the username, current date/time, and a fixed \nAES-128 encryption key, which is the same across all installations.", "supportingMedia": [{"type": "text/html", "value": "A token is created using the username, current date/time, and a fixed \nAES-128 encryption key, which is the same across all installations.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-1391", "description": "CWE-1391"}]}], "providerMetadata": {"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "shortName": "icscert", "dateUpdated": "2025-03-17T20:04:56.100Z"}}}, "cveMetadata": {"cveId": "CVE-2025-2229", "state": "PUBLISHED", "dateUpdated": "2025-03-17T20:04:56.100Z", "dateReserved": "2025-03-11T20:11:49.638Z", "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "datePublished": "2025-03-13T18:17:31.256Z", "assignerShortName": "icscert"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A token is created using the username, current date/time, and a fixed \nAES-128 encryption key, which is the same across all installations."}], "id": "CVE-2025-2229", "lastModified": "2025-03-13T19:15:52.523", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 7.7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.5, "impactScore": 5.2, "source": "ics-cert@hq.dhs.gov", "type": "Secondary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "LOCAL", "availabilityRequirement": "NOT_DEFINED", "baseScore": 8.5, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "ics-cert@hq.dhs.gov", "type": "Secondary"}]}, "published": "2025-03-13T19:15:52.523", "references": [{"source": "ics-cert@hq.dhs.gov", "url": "https://www.cisa.gov/news-events/ics-medical-advisories/icsma-25-072-01"}, {"source": "ics-cert@hq.dhs.gov", "url": "https://www.philips.com/a-w/security/security-advisories.html"}], "sourceIdentifier": "ics-cert@hq.dhs.gov", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-1391"}], "source": "ics-cert@hq.dhs.gov", "type": "Primary"}]}