Description
Dräger Infinity Acute Care System and Standalone Infinity M540 patient monitors running software versions VG4.1.1, VG4.0.3, and lower contain network message handling vulnerabilities that allow network-adjacent attackers to spoof or tamper with data and cause denial-of-service conditions. Attackers with access to an enabled Infinity network port or physical proximity to a wireless access point can modify device settings such as alarm states or alarm limits, and overwhelm the system with incoming data causing the device to reboot and lose network functionality.
Published: 2026-06-02
Score: 8.8 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Dräger Infinity systems that run software versions VG4.1.1, VG4.0.3, and earlier contain a network message handling flaw identified by CWE‑924. The flaw allows an attacker with proximity to an enabled Infinity network port or a nearby wireless access point to inject or alter control messages. By modifying these messages, an attacker can tamper with device settings such as alarm states or alarm limits. The attacker can also send excessive traffic that forces the monitor to reboot and lose network functionality, a denial‑of‑service condition.

Affected Systems

The vulnerability affects Dräger Infinity Acute Care System and Standalone Infinity M540 patient monitors. Affected software versions are VG4.1.1, VG4.0.3, and all earlier versions.

Risk and Exploitability

The CVSS score of 8.8 classifies this as high severity. Although no EPSS value is available and the issue is not listed in the CISA KEV catalog, the inherent need for network or wireless proximity suggests that local or sub‑network attackers could exploit it. The lack of authentication or input validation in the message handling path makes the vulnerability readily reproducible, heightening the overall risk for devices in shared or untrusted networks.

Generated by OpenCVE AI on June 2, 2026 at 15:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Infinity firmware to a version that fixes the message handling flaw if an update is available
  • Restrict network access by disabling unused Infinity ports and placing the monitors behind a dedicated, segmented virtual local area network
  • Implement monitoring of traffic to the Infinity devices to detect and block anomalous or excessive network messages
  • Configure firewall rules to block unsolicited or unexpected traffic from known or unknown sources
  • Verify that any remote management services are configured with strong authentication and limit access to trusted administrative users

Generated by OpenCVE AI on June 2, 2026 at 15:21 UTC.

Advisories

No advisories yet.

History

Tue, 02 Jun 2026 15:30:00 +0000

Values added (no values removed):

Metrics: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 02 Jun 2026 14:15:00 +0000

Values added (no values removed):

Description: Dräger Infinity Acute Care System and Standalone Infinity M540 patient monitors running software versions VG4.1.1, VG4.0.3, and lower contain network message handling vulnerabilities that allow network-adjacent attackers to spoof or tamper with data and cause denial-of-service conditions. Attackers with access to an enabled Infinity network port or physical proximity to a wireless access point can modify device settings such as alarm states or alarm limits, and overwhelm the system with incoming data causing the device to reboot and lose network functionality.
Title: Dräger Infinity M540 VG4.1.1 Spoofing and DoS via Network Message Handling
Weaknesses: CWE-924
References:
Metrics: cvssV3_1 {'score': 8.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H'}
Metrics: cvssV4_0 {'score': 8.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-02T14:56:35.870Z

Reserved: 2026-06-02T13:54:01.021Z

Link: CVE-2019-25719

Vulnrichment

Updated: 2026-06-02T14:56:27.160Z

NVD

Status: Awaiting Analysis

Published: 2026-06-02T14:16:25.627

Modified: 2026-06-02T14:40:32.283

Link: CVE-2019-25719

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-02T15:30:11Z

Weaknesses