Eppendorf BioFlo 320
[View CSAF](https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsma-26-146-01.json)

## Summary

**Successful exploitation of this vulnerability could allow an attacker to gain full access to functionality and data with the bioreactor.**

The following versions of Eppendorf BioFlo 320 are affected:

- BioFlo 320 Bioreactor vers:all/*

| CVSS | Vendor | Equipment | Vulnerabilities |
| --- | --- | --- | --- |
| v3 9.8 | Eppendorf | Eppendorf BioFlo 320 | Use of Hard-coded Password |

### Background

- **Critical Infrastructure Sectors:** Healthcare and Public Health
- **Countries/Areas Deployed:** Worldwide
- **Company Headquarters Location:** Germany

## Vulnerabilities

### CVE-2026-7251

The affected product is vulnerable due to its VNC server using a hard-coded password. If a remote attacker knows the network address of any BioFlo 320 model with remote access enabled, they can gain full control of the user interface by using this password. Once connected, the attacker would have full access to all control panel features for the BioFlo 320. VNC traffic is not encrypted.

[View CVE Details](https://www.cve.org/CVERecord?id=CVE-2026-7251)

#### Affected Products

##### Eppendorf BioFlo 320

**Vendor:** Eppendorf

**Product Version:** Eppendorf BioFlo 320 Bioreactor: vers:all/*

**Product Status:** known_affected

###### Remediations

**Mitigation**
Eppendorf has released a software update that permanently removes VNC access from the controller. Users should download and apply this update from: https://www.eppendorf.com/software-downloads

**Mitigation**
All affected BioFlo 320 systems always shipped with Virtual Network Computing (VNC) disabled by default, and VNC can only be enabled locally at the tower. Eppendorf has removed VNC configuration information from all current documentation, so it no longer appears in BioFlo 320 Operating Manuals.

**Mitigation**
Eppendorf recommends users do the following:

- Verify that VNC is disabled on the controller
- Enable security so that only A
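
One way to carry out the "verify that VNC is disabled" step across an inventory of your own controllers, as an added example that is not from CISA or Eppendorf: it connects to each address and looks for the 12-byte RFB ProtocolVersion greeting that a VNC server sends first. Port 5900 (the RFB default) and all function names are assumptions; the advisory does not state which port the controller uses.

```python
import re
import socket

VNC_PORT = 5900  # assumption: RFB default port; the advisory does not name the port
RFB_VERSION = re.compile(rb"RFB (\d{3})\.(\d{3})\n")  # 12-byte server greeting

def parse_rfb_banner(data):
    """Return (major, minor) if data is an RFB ProtocolVersion message, else None."""
    m = RFB_VERSION.fullmatch(data[:12])
    return (int(m.group(1)), int(m.group(2))) if m else None

def check_controller(host, port=VNC_PORT, timeout=3.0, connect=socket.create_connection):
    """Classify one controller as 'closed', 'open-not-vnc' or 'vnc-enabled'."""
    try:
        sock = connect((host, port), timeout)
    except OSError:  # refused, unreachable or timed out
        return "closed"
    banner = b""
    try:
        sock.settimeout(timeout)
        while len(banner) < 12:  # the greeting may arrive in pieces
            chunk = sock.recv(12 - len(banner))
            if not chunk:
                break
            banner += chunk
    except OSError:
        pass  # port accepted the connection but sent no complete greeting
    finally:
        sock.close()
    return "vnc-enabled" if parse_rfb_banner(banner) else "open-not-vnc"

def audit(hosts, **kwargs):
    """Map each inventory address to its classification."""
    return {h: check_controller(h, **kwargs) for h in hosts}

if __name__ == "__main__":
    import sys
    for host, state in audit(sys.argv[1:]).items():
        print(f"{host}\t{state}")
```

Any controller reported as `vnc-enabled` still has remote access switched on and should be disabled at the tower or updated as described in the remediations above.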
Originally published by CISA
Source: https://www.cisa.gov/news-events/ics-medical-advisories/icsma-26-146-01