CVE-2019-5024
Description
A restricted environment escape vulnerability exists in the “kiosk mode” function of Capsule Technologies SmartLinx Neuron 2 medical information collection devices running versions 9.0.3 or lower. A specific series of keyboard inputs can escape the restricted environment, resulting in full administrator access to the underlying operating system. An attacker can connect to the device via USB port with a keyboard or other HID device to trigger this vulnerability.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Kiosk-mode escape in Capsule SmartLinx Neuron 2 (≤9.0.3) allows an attacker with physical access and a USB keyboard to gain full OS administrator access.
Vulnerability
The Capsule Technologies SmartLinx Neuron 2 medical information collection device, versions 9.0.3 or lower, implements a restricted "kiosk mode" intended to prevent users from accessing the underlying operating system. A protection mechanism failure (CWE-693) allows an attacker to bypass this restriction via a specific sequence of keyboard inputs.
Exploitation
An attacker must have physical access to the device and connect a USB keyboard or other HID device. The attacker then enters a series of keystrokes (e.g., ALT, DOWN arrow six times, ENTER, SHIFT five times, SHIFT-TAB, SPACE, SHIFT-TAB, SPACE, then "cmd.exe" and ENTER) to escape the kiosk environment and open a command prompt with administrator privileges. The Talos advisory provides a proof-of-concept using a USB Rubber Ducky for automated execution [1].
Impact
Successful exploitation grants the attacker full administrator access to the underlying Microsoft Windows operating system. This compromises the confidentiality, integrity, and availability of the device and the hospital network it is connected to, potentially allowing an attacker to take full control of a trusted medical device.
Mitigation
Capsule Technologies has not released a patch as of the advisory publication date (April 2019). The vulnerability affects versions 9.0.3 or lower; users should contact the vendor for updates or consider restricting physical access to the USB ports and implementing additional access controls. The vulnerability is not listed on the CISA KEV as of the knowledge cutoff.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Capsule Technologies SmartLinx Neuron 2, range: <=9.0.3
- Vendor: Capsule Technologies; product: Capsule Technologies SmartLinx Neuron 2; range: 9.0.3 or lower
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"The kiosk-mode application does not block or filter a specific sequence of keyboard inputs, allowing escape from the restricted shell to the underlying Windows operating system."
Attack vector
An attacker connects a USB keyboard or other HID device to the SmartLinx Neuron 2 via an available USB port [ref_id=1]. By entering a specific series of keystrokes — ALT, DOWN (6 times), ENTER, SHIFT (5 times), SHIFT-TAB, SPACE, SHIFT-TAB, SPACE, then typing "cmd.exe" and ENTER — the attacker escapes the kiosk-mode restricted environment [ref_id=1]. This sequence navigates through the locked-down interface to launch a command prompt with full administrator privileges on the underlying Windows OS [ref_id=1]. The attack requires physical USB access but no authentication or prior access [ref_id=1].
Affected code
The advisory does not specify particular source files or functions. The vulnerability exists in the kiosk-mode implementation of Capsule Technologies SmartLinx Neuron 2 devices running version 9.0.3 or lower [ref_id=1].
What the fix does
The vendor has issued a hotfix for versions 9.0.3 or lower, and devices running version 10.x are not affected [ref_id=1]. The advisory does not include a patch diff, but the mitigation guidance states that applying vendor software updates (versions after 9.0.3) closes the vulnerability [ref_id=1]. As a compensating control, the advisory recommends restricting physical access to USB ports, monitoring for unauthorized peripheral connections, and not implicitly trusting data from these devices [ref_id=1].
Preconditions
- Network: physical USB access to the device
- Input: ability to connect a USB keyboard or other HID device
Reproduction
Connect a USB keyboard to the device. Enter the following keystrokes: ALT, DOWN (6 times), ENTER, SHIFT (5 times), SHIFT-TAB, SPACE, SHIFT-TAB, SPACE, "cmd.exe", ENTER. Steps 1-3 (ALT, DOWN 6, ENTER) may need to be performed twice [ref_id=1]. Alternatively, a USB Rubber Ducky programmed with the provided duck code will automatically execute the same sequence [ref_id=1].
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
1. talosintelligence.com/vulnerability_reports/TALOS-2019-0785 (MITRE, x_refsource_CONFIRM)
News mentions
No linked articles in our index yet.