CVE-2025-15653 Overview
CVE-2025-15653 is a local security vulnerability affecting Dräger Zeus Infinity Empowered (Zeus IE) and Zeus RS C500 anesthesia workstations. The flaw stems from unprotected USB interfaces that allow individuals with physical access to compromise software integrity. Attackers can impair therapy functions, manipulate device-processed data, or use the device as a pivot point for network-based attacks when the workstation is connected to a network or Dräger Service Connect. The vulnerability is classified under CWE-668: Exposure of Resource to Wrong Sphere.
Critical Impact
Physical USB access enables full compromise of software integrity on critical medical devices used during anesthesia procedures, with potential lateral movement into connected hospital networks.
Affected Products
- Dräger Zeus Infinity Empowered (Zeus IE) anesthesia workstation
- Dräger Zeus RS C500 anesthesia workstation
- Dräger Service Connect (exposed when a connected workstation is used as a pivot)
Discovery Timeline
- 2026-06-02 - CVE-2025-15653 published to NVD
- 2026-06-03 - Last updated in NVD database
Technical Details for CVE-2025-15653
Vulnerability Analysis
The vulnerability resides in the USB interfaces of the Zeus IE and Zeus RS C500 anesthesia workstations. The interfaces lack access controls that would otherwise prevent unauthorized peripherals from interacting with the device. An attacker with brief physical access to the workstation can connect a malicious USB device and influence the software running on the workstation.
Because anesthesia workstations execute therapy-critical workloads, any compromise of software integrity can directly affect patient safety. The advisory describes three concrete impact paths: impairment of therapy functions, manipulation of data the device processes, and abuse of the workstation as a pivot to attack other systems on the hospital network or the Dräger Service Connect remote service infrastructure.
Root Cause
The root cause is improper exposure of a resource to the wrong sphere [CWE-668]. The USB subsystem is exposed to physically present, unauthenticated users without enforcement of integrity controls, device whitelisting, or authentication of attached peripherals. Operating in a clinical environment does not constitute a sufficient compensating control.
Attack Vector
Exploitation requires physical proximity to the device. An adversary inserts a crafted USB device into an exposed port on the anesthesia workstation. The attack does not require user interaction beyond the physical connection, nor does it require existing privileges on the device. Once the malicious peripheral is enumerated, the attacker can alter software behavior, tamper with processed data, or establish a foothold for follow-on network operations.
No public proof-of-concept exploit is currently available, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. Refer to the Dräger Product Security Advisory and the VulnCheck Security Advisory for vendor-supplied technical detail.
Detection Methods for CVE-2025-15653
Indicators of Compromise
- Unexpected USB device enumeration events on Zeus IE or Zeus RS C500 workstations outside of authorized service windows.
- Anomalous changes to device configuration, software components, or therapy parameters following a service or maintenance event.
- Unexplained outbound network connections from the workstation or from Dräger Service Connect endpoints linked to the device.
Detection Strategies
- Maintain physical inventory and tamper-evident seals on USB ports, and verify integrity during clinical shift handovers.
- Correlate badge access logs to the procedure room with workstation event logs to identify out-of-band physical access.
- Monitor adjacent hospital network segments for new or unusual traffic originating from the IP addresses assigned to anesthesia workstations.
Monitoring Recommendations
- Forward network telemetry from the biomedical VLAN hosting the workstations to a centralized monitoring platform for behavioral baselining.
- Alert on lateral movement attempts, SMB or RDP scans, and authentication anomalies sourced from medical device subnets.
- Track Dräger Service Connect session metadata and flag sessions that do not align with scheduled vendor maintenance.
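To make the detection and monitoring items above concrete, here is an added triage script (not part of the advisory or any Dräger tooling) that flags USB enumeration and Service Connect events on Zeus workstations outside scheduled service windows and cross-checks them against procedure-room badge logs. The log formats, device names, schedules and badge roles are constructed for illustration.

```python
# Added example (not from the Dräger advisory): flag USB enumeration and Service
# Connect events on Zeus workstations outside authorized service windows and
# cross-check them with procedure-room badge logs. All data here is constructed.
from datetime import datetime
EVENT_LOG = """\
2025-11-03T09:12:44 ZEUS-OR3 USB_ENUM vid=0781 pid=5581 class=mass_storage
2025-11-03T14:05:10 ZEUS-OR3 USB_ENUM vid=0781 pid=5581 class=mass_storage
2025-11-03T22:41:07 ZEUS-OR3 USB_ENUM vid=0781 pid=5583 class=mass_storage
2025-11-04T03:17:55 ZEUS-OR5 SVC_CONNECT session=open remote=draeger_svc
"""
BADGE_LOG = """\
2025-11-03T09:10:02 OR3 badge=b-2231 role=biomed
2025-11-03T22:38:30 OR3 badge=b-9904 role=visitor
"""
# Scheduled vendor/biomed maintenance windows per workstation (constructed)
SERVICE_WINDOWS = {
    "ZEUS-OR3": [("2025-11-03T14:00:00", "2025-11-03T15:00:00")],
    "ZEUS-OR5": [("2025-11-04T08:00:00", "2025-11-04T10:00:00")],
}
ROOM_OF = {"ZEUS-OR3": "OR3", "ZEUS-OR5": "OR5"}
AUTHORIZED_ROLES = {"biomed", "draeger_service"}
WATCHED_EVENTS = {"USB_ENUM", "SVC_CONNECT"}

def in_service_window(ts, device):
    return any(datetime.fromisoformat(s) <= ts <= datetime.fromisoformat(e)
               for s, e in SERVICE_WINDOWS.get(device, []))

def last_badge_role(ts, room, lookback_min=10):
    """Role on the latest badge swipe into `room` within lookback_min before ts, else None."""
    role = None
    for line in BADGE_LOG.splitlines():
        bts, broom, _badge, brole = line.split(" ")
        age = (ts - datetime.fromisoformat(bts)).total_seconds()
        if broom == room and 0 <= age <= lookback_min * 60:
            role = brole.split("=", 1)[1]
    return role

def triage_events(log=EVENT_LOG):
    """(timestamp, device, event, severity) for each watched event outside a window."""
    alerts = []
    for line in log.splitlines():
        ts_str, device, event, _detail = line.split(" ", 3)
        ts = datetime.fromisoformat(ts_str)
        if event not in WATCHED_EVENTS or in_service_window(ts, device):
            continue  # expected activity during a scheduled service window
        role = last_badge_role(ts, ROOM_OF.get(device, ""))
        # authorized badge nearby -> procedural deviation; none/unauthorized -> high
        severity = "medium" if role in AUTHORIZED_ROLES else "high"
        alerts.append((ts_str, device, event, severity))
    return alerts
```

In production the three inputs would come from the workstation's exported event log, the badge system and the biomed maintenance calendar; the logic stays the same.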
How to Mitigate CVE-2025-15653
Immediate Actions Required
- Restrict physical access to Zeus IE and Zeus RS C500 workstations to authorized clinical and biomedical engineering staff only.
- Disable, block, or physically cover unused USB ports on affected workstations using port-locking hardware.
- Disconnect the workstation from hospital networks and Dräger Service Connect when remote service is not actively required.
Patch Information
At the time of publication, Dräger has issued a Product Security Advisory (PSA 25-349) describing the vulnerability and recommended compensating controls. Operators should consult the Dräger Product Security Advisory for current remediation guidance and contact Dräger service representatives to confirm whether a firmware or software update is available for their specific device configuration.
Workarounds
- Enforce strict procedural controls so that only Dräger-authorized service personnel connect USB media to the workstations.
- Use dedicated, scanned, and write-protected USB media for any authorized data transfer, and never reuse media between devices.
- Segment anesthesia workstations into an isolated biomedical VLAN with egress filtering to limit pivot opportunities.
- Disable Dräger Service Connect when not in active use and require explicit operator authorization to enable remote service sessions.
# Example network segmentation policy (vendor-neutral, first-match rule order)
# Restrict the biomedical VLAN hosting Zeus workstations to required flows only;
# explicit permits must precede the catch-all deny or they are never reached
permit tcp draeger_svc biomed_zeus_vlan eq 443    # Dräger Service Connect, only while remote service is enabled
permit udp ntp_servers biomed_zeus_vlan eq 123    # time synchronization
deny ip biomed_zeus_vlan corp_network any log     # block and log pivot attempts toward the corporate network
deny ip any biomed_zeus_vlan any                  # default deny for all other traffic to the workstations
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.