PwnedPiper flaws in PTS systems affect 80% of major US hospitals


Swisslog has released Nexus Control Panel version to address most of the vulnerabilities.

Multiple flaws have been disclosed in the widely-used pneumatic tube system (PTS) that are vulnerable to attacks.

The cyber security researchers from security firm Armis disclosed a set of nine vulnerabilities that has been dubbed PwnedPiper which when exploited can perform multiple attacks against a widely-used pneumatic tube system (PTS).

The Swisslog PTS system are used in the hospitals to automate logistics and the transport of materials throughout the building via a network of pneumatic tubes.

The flaw affects the Translogic PTS system manufactured by Swisslog Healthcare, which is installed in about 80% of all major hospitals in North America and thousands of hospitals worldwide.

It is possible for a threat actor to exploit the PwnedPiper vulnerabilities to completely take over the Translogic Nexus Control Panel, which powers current models of Translogic PTS stations.

The attackers can conduct a broad range of malicious activities, such as carrying out a man-in-the-middle (MitM) attack to change or deploy ransomware.

According to a post published by Armis, these vulnerabilities can enable an unauthenticated attacker to take over Translogic PTS stations and essentially gain complete control over the PTS network of a target hospital. The attackers can perform sophisticated ransomware attacks and can leak sensitive hospital information.

The flaws include privilege escalation, memory corruption, remote-code execution, and denial-of-service issues. An attacker could also push an insecure firmware upgrade to fully compromise the devices.

The vulnerabilities discovered by the researchers include:

  • CVE-2021-37161 – Underflow in udpRXThread
  • CVE-2021-37162 – Overflow in sccProcessMsg
  • CVE-2021-37163 – Two hardcoded passwords accessible through the Telnet server
  • CVE-2021-37164 – Off-by-three stack overflow in tcpTxThread
  • CVE-2021-37165 – Overflow in hmiProcessMsg
  • CVE-2021-37166 – GUI socket Denial of Service
  • CVE-2021-37167 – User script run by root can be used for PE
  • CVE-2021-37160 – Unauthenticated, unencrypted, unsigned firmware upgrade

Most of the above mentioned vulnerabilities are addressed in the new Nexus Control Panel version The CVE-2021-37160 has yet to be addressed.


Please enter your comment!
Please enter your name here