Collectively referred to as NUCLEUS:13, the issues likely affect safety-critical devices, such as anesthesia machines, patient monitors and other types of devices used in healthcare. Other types of operational technology (OT) systems are also impacted.

The most important of the newly identified issues is CVE-2021-31886 (CVSS score of 9.8), a stack-based buffer overflow that exists because the FTP server fails to properly validate the length of the “USER” command. An attacker could exploit the vulnerability to cause a denial of service (DoS) condition or to achieve remote code execution.