Description
Dräger Infinity Acute Care System and Standalone Infinity M540 patient monitors versions VG4.1.1, VG4.0.3, and lower (with VG4.2 partially affected) contain a network message handling vulnerability that allows remote attackers to inject spoofed or tampered data and cause denial-of-service conditions. Attackers can compromise network communications to modify device settings such as alarm states or alarm limits, or overwhelm the system with excessive network traffic causing the Cockpit or M540 to reboot and lose network functionality.
Published: 2026-06-02
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Dräger Infinity Acute Care System and Standalone Infinity M540 patient monitors are vulnerable to a spoofed network message handling flaw that lets remote attackers inject forged or altered data. This can lead to denial‑of‑service by exhausting resources, force device reboots, and cause the Cockpit or M540 to lose network functionality. Additionally, attackers may modify critical settings such as alarm states or alarm limits, impacting patient safety and operational integrity.

Affected Systems

Dräger Infinity Acute Care System and Standalone Infinity M540 patient monitor models running firmware versions VG4.1.1, VG4.0.3, and lower, with partial impact on VG4.2.

Risk and Exploitability

The vulnerability scores a CVSS of 8.8, indicating high severity. EPSS data is unavailable, so the exploitation probability is unknown, and it is not listed in the CISA KEV catalog. The attack vector is remote, relying on an attacker’s ability to send spoofed network packets to the device, which is feasible over any network segment that can reach the monitor.

Generated by OpenCVE AI on June 3, 2026 at 03:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the official Dräger firmware update that addresses the spoofed network message handling vulnerability.
  • Configure network segmentation or firewall rules to limit which hosts can communicate with Infinity devices.
  • Configure audit and alerting to detect unexpected reboots, network loss, or alarm state changes caused by spoofed traffic.

Generated by OpenCVE AI on June 3, 2026 at 03:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 03 Jun 2026 13:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 03 Jun 2026 12:45:00 +0000

Type Values Removed Values Added
First Time appeared Draeger
Draeger infinity Acute Care System
Draeger standalone Infinity M540 Patient Monitor
Vendors & Products Draeger
Draeger infinity Acute Care System
Draeger standalone Infinity M540 Patient Monitor

Wed, 03 Jun 2026 02:30:00 +0000

Type Values Removed Values Added
Description Dräger Infinity Acute Care System and Standalone Infinity M540 patient monitors versions VG4.1.1, VG4.0.3, and lower (with VG4.2 partially affected) contain a network message handling vulnerability that allows remote attackers to inject spoofed or tampered data and cause denial-of-service conditions. Attackers can compromise network communications to modify device settings such as alarm states or alarm limits, or overwhelm the system with excessive network traffic causing the Cockpit or M540 to reboot and lose network functionality.
Title Dräger Infinity M540 VG4.1.1 Spoofed Network Message Handling DoS/Tampering
Weaknesses CWE-345
References
Metrics cvssV3_1

{'score': 8.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H'}

cvssV4_0

{'score': 8.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Draeger Infinity Acute Care System Standalone Infinity M540 Patient Monitor
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-03T12:45:51.502Z

Reserved: 2026-06-02T21:02:24.899Z

Link: CVE-2022-4992

cve-icon Vulnrichment

Updated: 2026-06-03T12:45:47.845Z

cve-icon NVD

Status : Received

Published: 2026-06-02T22:16:15.660

Modified: 2026-06-02T22:16:15.660

Link: CVE-2022-4992

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-03T10:54:42Z

Weaknesses