The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and Food and Drug Administration (FDA) have issued an advisory about critical security vulnerabilities in Illumina’s next-generation sequencing (NGS) software.
Three of the flaws are rated 10 out of 10 for severity on the Common Vulnerability Scoring System (CVSS), with two others having severity ratings of 9.1 and 7.4.
The issues impact software in medical devices used for “clinical diagnostic use in sequencing a person’s DNA or testing for various genetic conditions, or for research use only,” according to the FDA.
“Successful exploitation of these vulnerabilities may allow an unauthenticated malicious actor to take control of the affected product remotely and take any action at the operating system level,” CISA said in an alert.
“An attacker could impact settings, configurations, software, or data on the affected product and interact through the affected product with the connected network.”
Affected devices and instruments include NextSeq 550Dx, MiSeq Dx, NextSeq 500, NextSeq 550, MiSeq, iSeq 100, and MiniSeq using Local Run Manager (LRM) software versions 1.3 to 3.1.
The list of flaws is as follows -
In addition to permitting remote control over the instruments, the flaws could be weaponized to compromise patients’ clinical tests, resulting in incorrect or altered results during diagnosis.
While there is no evidence that the flaws are being exploited in the wild, it’s recommended that customers apply the software patch released by Illumina last month to mitigate any potential risk.
Found this article interesting? Follow THN on Facebook, Twitter and LinkedIn to read more exclusive content we post.