Vulnerability Research

Original Cyber Vulnerability Research
Vedere Labs conducts original research into cyber vulnerabilities that impact multiple industries and recommends appropriate mitigation steps. We follow coordinated vulnerability disclosure practices. In cases where our dedicated research team discovers security vulnerabilities in third-party vendors’ software, hardware or products, we make good-faith efforts to privately contact the third-party vendor with details of the findings and give them a chance to fix the issues before releasing the research to the public.
Read Disclosure Policy
Deep Lateral Movement in OT Networks
Forescout’s Vedere Labs presents the first systematic study into deep lateral movement: how advanced adversaries can move laterally among devices at the controller level of OT networks. This tactic allows advanced threat actors to gain deep access to industrial control systems and cross often overlooked security perimeters to perform granular, stealthy manipulations to override functional and safety limitations of controllers.
Latest Research Reports

Analyzing the Security of BGP Message Parsing
This report discusses an often-overlooked aspect of Border Gateway Protocol (BGP) security: vulnerabilities in its software implementations. More specifically, vulnerabilities in BGP message parsing that could be exploited by attackers to achieve a denial of service (DoS) condition on vulnerable BGP peers.

Deep Lateral Movement in OT Networks
Forescout’s Vedere Labs presents the first systematic study into deep lateral movement: how advanced adversaries can move laterally among devices at the controller level of OT networks. This tactic allows advanced threat actors to gain deep access to industrial control systems and cross often overlooked security perimeters to perform granular, stealthy manipulations to override functional and safety limitations of controllers.

OT:ICEFALL - A Decade of Insecure-by-Design Practices in OT
Forescout’s Vedere Labs has discovered a total of 59 vulnerabilities affecting devices from 12 operational technology (OT) vendors caused by insecure-by-design practices in OT. The affected products are known to be prevalent in industries such as oil and gas, chemical, nuclear, power generation and distribution, manufacturing, water treatment and distribution, mining, and building automation.

Ransomware Evolution
In this report, Vedere Labs demonstrates R4IoT: a proof of concept for next-generation ransomware that exploits IoT devices for initial access, targets IT devices to deploy ransomware and cryptominers, and leverages poor OT security practices to cause physical disruption to business operations.

Access:7 - How Supply Chain Vulnerabilities Can Allow Unwelcomed Access to Medical and IoT Devices
Forescout’s Vedere Labs and CyberMDX discovered seven supply chain vulnerabilities, including three that are rated critical by CISA, impacting medical and IoT devices that present an immediate risk to healthcare organizations, as well as the financial services and manufacturing sector.

NUCLEUS:13 - Dissecting the Nucleus TCP/IP Stack
Vedere Labs, with support from Medigate Labs, have discovered a set of 13 new vulnerabilities affecting the Nucleus TCP/IP stack, which we are collectively calling NUCLEUS:13. These vulnerabilities allow for remote code execution, denial of service, and information leak. Nucleus has been in use for nearly 30 years in safety-critical devices, such as anesthesia machines, patient monitors, and others in healthcare.

INFRA:HALT - Jointly discovering and mitigating large-scale OT vulnerabilities
Vedere Labs and JFrog Security Research discover 14 new vulnerabilities affecting closed source TCP/IP stack NicheStack, allowing for Denial of Service or Remote Code Execution primarily affecting operational technology (OT) and industrial control system (ICS) devices.

NAME:WRECK – 9 DNS Vulnerabilities
Vedere Labs, partnering with JSOF Research, disclosed NAME:WRECK, a set of nine Domain Name System (DNS) vulnerabilities that impact four TCP/IP stacks and affect 100+ million IoT devices with the potential to cause either Denial of Service (DoS) or Remote Code Execution, allowing attackers to take targeted devices offline or to gain control over them. Read the report to learn how to protect enterprise IT, IoT and OT devices.

NUMBER:JACK – Weak ISN Generation in Embedded TCP/IP Stacks
In the second study of Project Memoria, Vedere Labs discovers NUMBER:JACK, a set of vulnerabilities related to ISN generation that can be used to hijack or spoof TCP connections.

AMNESIA:33 – 33 Memory-Corruption Vulnerabilities
Vedere Labs discovered 33 new memory-corruption vulnerabilities that impact open source TCP/IP stacks – four scoring as critical. The report details how enterprises can identify these risks and take protective action to avoid breaches.

The Underlying Risks Found in Healthcare Devices
Vedere Labs analyzed Device Cloud data from healthcare organizations to determine how TCP/IP stack vulnerabilities affect them. The report details 20 significant findings and provides four critical recommendations to mitigate risks to your organization.

New Research Identifies Security Risks in Healthcare
Analysis of healthcare delivery organizations reveals insights into increased attack surfaces and security risks.

Enterprise of Things Security Report: The State of IoT Security in 2020
Vedere Labs identifies the top 10 riskiest devices and helps security teams determine the most effective next steps to secure them.

Rise of the Machines – Transforming Cybersecurity Strategy for the Age of IoT
This research paper dives into the Internet of Things (IoT) revolution, the risks and challenges it brings and how to transform your cybersecurity strategy to protect your enterprise network in the age of IoT.

BAS Research Report: The Current State of Smart Building Cybersecurity
The Forescout OT Research Team offers an analysis of its vulnerability and malware research for devices commonly used in building automation system (BAS) networks.

Putting Healthcare Security Under the Microscope
The Internet of Medical Things (IoMT) continues to offer exciting possibilities for healthcare organizations to improve patient care. However, this digital transformation and increase in connectivity is also introducing new privacy and security risks. The device landscape is growing exponentially, adding to the complexity of networks and making it difficult to manage and improve their security posture.

Banking on Security: Leveraging Device Data to Manage Risk in Financial Services
Forescout’s Research team analyzed device deployments from some of the world’s leading financial institutions and identified disturbing findings that indicate a lack of maturity in key areas such as device visibility and network segmentation. The research suggests that many banking and retail devices are within proximity of non-traditional (IoT and OT) devices, exposing networks to elevated opportunities for attackers to move laterally between critical infrastructure and the data center.

Dell Wyse Thin Client Vulnerability
covers two vulnerabilities discovered by Vedere Labs (formerly CyberMDX) and published by Dell on the 21st of December 2020 as CVE-2020-29491 and CVE-2020-29492. The vulnerabilities affect Dell Wyse Thin client devices and once exploited allow attackers to, among other things, remotely run malicious code and access arbitrary files on affected devices.

GE Radiology Vulnerability
MDhex-Ray is a vulnerability discovered by Vedere Labs (formerly CyberMDX) and published by CISA on the 8th of December 2020 as CVE-2020-25179. MDhex-Ray affects a long list of CT, X-Ray, and MRI imaging systems manufactured by GE Healthcare. Successfully exploiting the vulnerability may expose sensitive data – such as PHI – or could allow the attacker to run arbitrary code, which might impact the availability of the system and allow manipulation of PHI.

From Events to TTPs: Maturing OT Incident Response with MITRE ATT&CK for ICS
The growing threat landscape for operational technology (OT) networks, exemplified by a number of recent ransomware attacks, has prompted critical infrastructure organizations to better prepare themselves for impactful cyber incidents. To do this, stakeholders responsible for critical infrastructure and services are maturing their security operations centers (SOCs) and increasing their use of cyber threat intelligence (CTI). Many now consider adversarial Tactics, Techniques and Procedures (TTPs) to be their most valuable CTI tool.

Ripple20 Vulnerability
Vedere Labs Team (formerly CyberMDX) Assisted JSOF Research Team In Disclosing 19 Vulnerabilities Found In the Treck Network Stack.

MDhex Vulnerability
Affecting a range of CARESCAPE patient monitoring devices manufactured by GE Healthcare, the bundle of vulnerabilities collectively disclosed in CISA Advisory ICSMA-20-023-01, first came to the attention of CyberMDX, a Forescout Company security researchers through an investigation into the CIC Pro device.

GE Anesthesia and Respiratory Device Vulnerability
Vedere Labs' (formerly CyberMDX) research team discovered a vulnerability related to the GE Aestiva and GE Aespire devices (models 7100 and 7900). If an attacker gains access to a hospital’s network and if the GE Aestiva or GE Aespire devices are connected via terminal servers, the attacker can force the device(s) to revert to an earlier, less secure version of the communication protocol and remotely modify parameters without authorization. When deployed using terminal servers, these manipulations can also be performed without any prior knowledge of IP addresses or location of the anesthesia machine.

BD Alaris AGW Firmware Vulnerability
A previously undocumented vulnerability in the device, noting that the AlarisTM Gateway workstation supports a firmware upgrade that can be executed without any predicate authentication or permissions. Conducting a counterfeit version of this upgrade can allow bad actors a route to “authenticate” malicious content.

BD Alaris AGW Web Management Vulnerability
a previously undocumented vulnerability in the device, noting that the web management system doesn’t require credentials and doesn’t allow for password protection. As a result, anyone knowing the IP address of a targeted workstation can: monitor pump statuses, access event logs, and user guide; change the gateway’s network configuration; restart the gateway (after changing the configuration you are permitted to restart).

BD Alaris TIVA Syringe Pump Vulnerability
Vedere Labs (formerly CyberMDX) discovered a previously undocumented vulnerability in the device, noting that when the syringe is connected to a network, it is left exposed to remote control from anyone on that network, requiring no authentication. The remote control allows starting/stopping of the pump, changing its rate, silencing alarms, and more.

Qualcomm Life Capsule Datacaptor Terminal Server Vulnerability
