CVE-2026-7251
Description
Eppendorf BioFlo 320 is vulnerable due to its VNC server using a hard-coded password. If a remote attacker knows the network address of any BioFlo 320 model with remote access enabled, they can gain full control of the user interface by using this password. Once connected, the attacker would have full access to all control panel features for the BioFlo 320. VNC traffic is not encrypted.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Eppendorf BioFlo 320 bioreactor VNC server uses a hard-coded password, allowing remote attackers to gain full control of the user interface.
Vulnerability
The Eppendorf BioFlo 320 bioreactor's VNC server uses a hard-coded password, which is not changeable by the user. This vulnerability affects all versions of the BioFlo 320 (vers:all/*) when remote access is enabled. The VNC traffic is transmitted without encryption, making it susceptible to interception. [2]
Exploitation
An attacker needs only the network address of a BioFlo 320 with remote access enabled. No authentication or user interaction is required. The attacker can connect to the VNC server using the hard-coded password, gaining immediate access to the full user interface. Because VNC traffic is unencrypted, an attacker on the same network could also capture credentials or session data. [2]
Impact
Successful exploitation grants the attacker full control over all control panel features of the bioreactor. This includes the ability to modify operational parameters, start or stop processes, and access any data displayed on the interface. The impact is a complete compromise of the device's integrity and availability, potentially leading to unsafe conditions in laboratory or production environments. [2]
Mitigation
No firmware update has been released by Eppendorf to address this vulnerability. CISA recommends minimizing network exposure by isolating the BioFlo 320 from the internet and placing it behind a firewall. When remote access is required, use a secure VPN and ensure the VPN is kept up to date. Additionally, monitor network traffic for unauthorized VNC connections. [2]
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
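The monitoring step in the mitigation guidance can be sketched as follows. This is an added example, not part of the advisory or any vendor tooling: it flags sessions in which a monitored device answers with the RFB (VNC) protocol banner to a client outside an allowed network. The device address, VPN pool, and flow-record layout are assumptions constructed for illustration.

```python
import ipaddress
import re

# Assumed site inventory (constructed, not from the advisory).
BIOREACTORS = {ipaddress.ip_address("10.20.30.11")}
# Assumed VPN address pool that is allowed to reach the devices.
ALLOWED_SOURCES = [ipaddress.ip_network("10.99.0.0/24")]

# RFB (the protocol VNC speaks) opens with a 12-byte ProtocolVersion message
# from the server, e.g. b"RFB 003.008\n". Matching it is port-independent.
RFB_BANNER = re.compile(rb"^RFB \d{3}\.\d{3}\n")

# Constructed flow records: src, dst, dst_port, first bytes sent by the server.
SAMPLE_FLOWS = [
    ("10.99.0.14", "10.20.30.11", 5900, b"RFB 003.008\n"),       # via VPN: allowed
    ("10.20.40.77", "10.20.30.11", 5900, b"RFB 003.008\n"),      # lab workstation
    ("203.0.113.5", "10.20.30.11", 5901, b"RFB 003.003\n"),      # external, odd port
    ("10.20.40.77", "10.20.30.11", 22, b"SSH-2.0-OpenSSH\r\n"),  # not VNC
    ("10.20.40.77", "10.20.50.9", 5900, b"RFB 003.008\n"),       # not a bioreactor
]


def find_unauthorized_vnc(flows):
    """Return flows where a monitored device answered with an RFB banner
    to a client outside the allowed source networks."""
    alerts = []
    for src, dst, port, server_bytes in flows:
        if ipaddress.ip_address(dst) not in BIOREACTORS:
            continue  # not a device we are watching
        if not RFB_BANNER.match(server_bytes):
            continue  # server did not speak RFB
        client = ipaddress.ip_address(src)
        if any(client in net for net in ALLOWED_SOURCES):
            continue  # came through the approved VPN pool
        alerts.append({"src": src, "dst": dst, "port": port,
                       "rfb_version": server_bytes[4:11].decode("ascii")})
    return alerts


if __name__ == "__main__":
    for alert in find_unauthorized_vnc(SAMPLE_FLOWS):
        print("ALERT unauthorized VNC session:", alert)
```

Matching on the banner rather than a fixed port also catches VNC services moved to non-default ports.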
Affected products: 2
Patches: 0
No patches discovered yet.
References: 3
News mentions: 1
- Eppendorf BioFlo 320 (CISA Alerts)