Description
Dräger Zeus Infinity Empowered (Zeus IE) and Zeus RS C500 anesthesia workstations contain a local security vulnerability that allows unauthorized individuals with physical access to compromise software integrity via USB interface manipulation. Attackers can exploit the unprotected USB interfaces to impair therapy functions, manipulate device-processed data, or leverage the device as a pivot point for broader network-based attacks when connected to a network or Dräger Service Connect.
Published: 2026-06-02
Score: 7 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Dräger Zeus Infinity Empowered and Zeus RS C500 anesthesia workstations contain a local privilege escalation vulnerability that originates from unprotected USB interfaces. Because the USB ports are exposed without authentication, an attacker who gains physical access can manipulate the device’s software integrity, disrupting therapy functions and altering data that the device processes. This threatens patient safety and could establish a pivot for further network attacks if the workstation is connected to a network or Dräger Service Connect.

Affected Systems

The affected products are Dräger Zeus Infinity Empowered (Zeus IE) and Zeus RS C500 anesthesia workstations. Specific model and firmware versions are not disclosed in the advisory, but the vulnerability applies to all units of these two product lines that have the unprotected USB interface.

Risk and Exploitability

The advisory assigns a CVSS score of 7, indicating high severity. The EPSS score is not available, so an explicit estimate of exploitation probability cannot be given, but physical access is required, making the attack vector relatively constrained. The vulnerability is not listed in CISA’s KEV catalog, so no known exploits have been recorded yet. However, the potential impact on safety-critical medical functions makes it a significant risk if the workstation is not promptly patched or otherwise protected.

Generated by OpenCVE AI on June 3, 2026 at 03:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest firmware or software update from Dräger that addresses USB interface authentication.
  • Physically block or disable all USB ports on the workstation when they are not required for medical device operation.
  • Configure the workstation to run in air‑gapped mode during patient care, ensuring it only connects to the network when medically necessary and under strict supervision.
  • Enable and monitor audit logs for USB activity to detect any unauthorized device connection attempts.



Advisories

No advisories yet.

History

Wed, 03 Jun 2026 20:30:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| References | | |

Wed, 03 Jun 2026 20:15:00 +0000


Wed, 03 Jun 2026 14:30:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'} |


Wed, 03 Jun 2026 12:45:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | | Draeger; Draeger zeus Ie; Draeger zeus Rs C500 |
| Vendors & Products | | Draeger; Draeger zeus Ie; Draeger zeus Rs C500 |

Wed, 03 Jun 2026 02:30:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | Dräger Zeus Infinity Empowered (Zeus IE) and Zeus RS C500 anesthesia workstations contain a local security vulnerability that allows unauthorized individuals with physical access to compromise software integrity via USB interface manipulation. Attackers can exploit the unprotected USB interfaces to impair therapy functions, manipulate device-processed data, or leverage the device as a pivot point for broader network-based attacks when connected to a network or Dräger Service Connect. |
| Title | | Dräger Zeus IE Anesthesia Workstation USB Interface Privilege Escalation |
| Weaknesses | | CWE-668 |
| References | | |
| Metrics | | cvssV3_1: {'score': 6.8, 'vector': 'CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}; cvssV4_0: {'score': 7, 'vector': 'CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'} |


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-03T20:01:38.486Z

Reserved: 2026-06-02T21:25:08.662Z

Link: CVE-2025-15653

Vulnrichment

Updated: 2026-06-03T14:06:45.034Z

NVD

Status: Received

Published: 2026-06-02T22:16:15.973

Modified: 2026-06-03T20:16:18.220

Link: CVE-2025-15653

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-03T10:54:39Z
