Zoll Defibrillator Dashboard would execute contents of random Excel files ordinary users could import
A defibrillator management platform was riddled with vulnerabilities including a remote command execution flaw that could seemingly be invoked by uploading an Excel spreadsheet to the platform.
Or so warned the US's Cybersecurity and Infrastructure Security Agency, which said the Defibrillator Dashboard software, made by medical devices firm Zoll, contained six flaws in total, the combined effect of which could present an infosec Swiss cheese for malicious people to exploit.
As well as allowing low-privileged users to upload files that the dashboard software would then execute, it saved user credentials in plaintext, stored passwords in "a recoverable format" permitting their extraction from web browsers, and was also vulnerable to cross-site scripting attacks.
Zoll had not responded to a request for comment from The Register by the time of publication.
NHS Digital said it was investigating how many instances of Zoll Defibrillator Dashboard had been deployed across the British state-run health service's estate.
Zoll has an active sales presence in the UK and its defibrillator products are listed on several online medical device shops.