CISA Warns of Critical Hard-Coded Password in Eppendorf BioFlo 320 Bioreactor
CISA has issued an advisory for CVE-2026-7251, a critical hard-coded password vulnerability in Eppendorf BioFlo 320 bioreactors that could allow unauthenticated remote attackers to take full control of the device.

CISA has published an advisory warning of a critical hard-coded password vulnerability, CVE-2026-7251, affecting all versions of the Eppendorf BioFlo 320 bioreactor. The vulnerability, which carries a CVSS score of 9.8, resides in the VNC server of the device. An unauthenticated remote attacker who knows the device's network address can exploit this flaw to gain full control of the user interface and all control panel features. VNC traffic is also unencrypted, making it susceptible to interception.
The BioFlo 320 is a bioreactor used in the healthcare and public health sector and deployed worldwide. The vulnerability stems from the use of a hard-coded password in the VNC server, a classic CWE-259 weakness. If exploited, an attacker could manipulate the bioreactor's operations, potentially compromising the integrity of biological processes and patient safety.
Eppendorf has released a software update that permanently removes VNC access from the controller. Users are urged to download and apply this update from the Eppendorf software downloads page. Eppendorf also recommends that users verify VNC is disabled on the controller, enable the security settings so that only the Admin and Supervisor roles can change VNC settings, and install the Version 5.0 software as soon as possible.
CISA advises organizations to minimize network exposure for all control system devices, ensuring they are not accessible from the internet. Control system networks should be located behind firewalls and isolated from business networks. When remote access is required, more secure methods such as VPNs should be used, though VPNs themselves should be kept updated.
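As an added example (not code from the advisory, CISA, or Eppendorf), the following Python check reviews firewall log lines for any allowed TCP session to VNC ports on the control-system segment; once the update removing VNC access is applied and the segment is isolated, it should produce no findings. The subnet ranges, the key=value log format, and the sample lines are constructed assumptions.

```python
import ipaddress
import re

# Assumed network layout (constructed for this example): the isolated
# control-system segment holding the bioreactor controllers, the business
# LAN, and the TCP port range VNC servers conventionally listen on.
CONTROL_NET = ipaddress.ip_network("10.50.0.0/24")
BUSINESS_NET = ipaddress.ip_network("192.168.0.0/16")
VNC_PORTS = range(5900, 5907)

# Constructed firewall log lines in a simplified key=value format.
SAMPLE_LOGS = """\
ts=2026-05-01T08:00:01Z action=allow proto=tcp src=10.50.0.12 dst=10.50.0.20 dport=5900
ts=2026-05-01T08:00:05Z action=allow proto=tcp src=192.168.1.40 dst=10.50.0.20 dport=5900
ts=2026-05-01T08:00:09Z action=allow proto=tcp src=203.0.113.7 dst=10.50.0.20 dport=5901
ts=2026-05-01T08:00:12Z action=deny proto=tcp src=203.0.113.7 dst=10.50.0.21 dport=5900
ts=2026-05-01T08:00:15Z action=allow proto=tcp src=192.168.1.40 dst=10.50.0.20 dport=443
"""

LINE_RE = re.compile(r"(\w+)=(\S+)")

def parse_line(line):
    """Turn one key=value log line into a dict."""
    return dict(LINE_RE.findall(line))

def classify(event):
    """Label an allowed VNC flow into the control segment, or None if benign."""
    if event.get("action") != "allow" or event.get("proto") != "tcp":
        return None
    try:
        src = ipaddress.ip_address(event["src"])
        dst = ipaddress.ip_address(event["dst"])
        dport = int(event["dport"])
    except (KeyError, ValueError):
        return None  # malformed line: skip rather than guess
    if dst not in CONTROL_NET or dport not in VNC_PORTS:
        return None
    if src in CONTROL_NET:
        return "vnc-inside-control-net"  # VNC still reachable: update not applied?
    if src in BUSINESS_NET:
        return "vnc-from-business-net"   # segment not isolated from business LAN
    return "vnc-from-outside"            # neither segment: possible internet exposure

def find_vnc_exposure(log_text):
    """Return (ts, src, dst, dport, label) for every flagged flow, in log order."""
    findings = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        label = classify(ev)
        if label:
            findings.append((ev["ts"], ev["src"], ev["dst"], int(ev["dport"]), label))
    return findings

if __name__ == "__main__":
    for finding in find_vnc_exposure(SAMPLE_LOGS):
        print(*finding)
```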
No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time. However, given the critical severity and the potential impact on healthcare infrastructure, immediate action is recommended. The vulnerability was reported to CISA by BIO-ISAC.
This advisory is part of a broader pattern of vulnerabilities in medical and industrial control systems, highlighting the need for robust security practices in critical infrastructure. Organizations using the BioFlo 320 should prioritize patching and follow the recommended mitigations to prevent potential attacks.