Vulnerabilities on Sensor Net Connect and Thermoscan IP Could Allow Admin Privileges Over Medical Data Systems

Vulnerabilities on Sensor Net Connect and Thermoscan IP Could Allow Admin Privileges Over Medical Data Systems

In today's digitally-driven medical environments, the security of connected devices is not just a matter of data integrity, but of patient safety.

Recent security assessments by Nozomi Networks Labs have uncovered four vulnerabilities in the Sensor Net Connect device by Plug&Track, a temperature sensor mainly used in hospitals. Three additional vulnerabilities were also discovered on the accompanying Thermoscan IP desktop application.

Nozomi Networks Labs has tried to contact the vendor multiple times but has never received a response. Thus, no official patch has been provided by the vendor to rectify the vulnerabilities. In agreement with CERT/CC and in accordance with our disclosure policy, we are publicly disclosing these issues with limited technical details, to ensure that asset owners grasp the risks posed by these solutions and can enact appropriate measures to reduce them.

This article provides an overview of these security flaws, their potential impacts, and viable steps for mitigation. For Nozomi Networks customers, our Threat Intelligence feed has been updated to provide protection against these threats.

Research Scope

Plug&Track, a division of Proges Plus, specializes in innovative temperature monitoring and traceability solutions tailored for healthcare, pharmaceuticals, and food industry. Their comprehensive range of products includes stand-alone and real-time data loggers, wireless sensors, and connectivity solutions through Wi-Fi or Ethernet, designed to meet the rigorous standards of highly regulated industries and guarantee the integrity of temperature-sensitive products throughout their lifecycle, from production and storage to transportation.

The Sensor Net Connect V2 (Figure 1) is one of the solutions offered by Plug&Track. It consists of a monitoring device designed to ensure accurate and reliable temperature and humidity control in cold rooms, refrigerators, and freezers, ensuring that everything from perishable food to critical vaccines is stored within safe temperature ranges. This device is pivotal for environments where maintaining specific climate conditions is critical.

Figure 1. Sensor Net Connect V2.

The Linux-based device includes a robust 10/100 BASE-T Ethernet connection for seamless integration into computer networks, allowing for the swift setup and deployment of the device and its sensors. It supports up to three ports, enabling the simultaneous connection of multiple temperature or humidity sensors for extensive monitoring across various environments.

Figure 2. Sensor Net Connect architecture diagram.

Depending on the chosen deployment (Figure 2), collected data can be transmitted either to the Thermotrack Webserver cloud platform, or to the on-premise Thermoscan IP desktop application, to facilitate real-time data viewing and analysis crucial for immediate responses to environmental changes (Figure 3). The latter solution was chosen to setup a testing environment and conduct vulnerability research.

Figure 3. Thermoscan IP desktop application.

What Are the Impacts of These Vulnerabilities?

Through our analysis of the Sensor Net Connect, along with its collector app Thermoscan IP, we identified seven vulnerabilities that can be combined to maximize impact. By exploiting these issues, the following are examples of attack scenarios that could be enacted:

  • Administrator Privileges over Medical Data Systems: Leveraging the vulnerabilities discovered on the Thermoscan IP application, a non-Administrator malicious user might manipulate system settings, install malware, or access and exfiltrate sensitive data, including personal information and confidential files. Furthermore, the user might cover their tracks by altering log files and other evidence of their activities, making detection and remediation more difficult for legitimate administrators.
  • Denial of Service of Medical Monitoring Infrastructure: This interruption could lead to the spoilage of temperature-sensitive medicines and vaccines, resulting in significant financial losses, supply chain issues and potential public health risks due to the unavailability of essential medical products. Although the integrity of the data itself might remain intact, the lack of real-time monitoring could render the data obsolete, undermining the trust in the storage conditions and the efficacy of the affected pharmaceuticals.

To exemplify, some of the implications that may arise for a hypothetical, real-world healthcare provider if those vulnerabilities were exploited could include:

  • System downtime: Disruption of healthcare services due to system tampering.
  • Data manipulation: Alteration or deletion of medical records, potentially compromising patient care and safety.
  • Data breach: Exposure of sensitive patient information, leading to privacy violations.
  • Reputation damage: Erosion of public trust in the healthcare provider's ability to protect patient data and ensure secure operations.

Although these factors are not unique to healthcare, the stakes are higher due to the potential impact on human life, making the need to maintain privacy and confidentiality more complex than in many other industries. Security and risk professionals play a crucial role in providing the expertise needed to manage and maintain this balance, working closely with board members and management to address risks and exposures.

Vulnerability List and Affected Versions

The following table lists all vulnerabilities found on the Sensor Net Connect V2 (FW version 2.24) device, ordered by CVSS v3.1 base score.

CVE IDCWECVSS v3.1 Base ScoreCVSS v3.1 Vector
CVE-2024-31199Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (CWE-79)7.7CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:H
CVE-2024-3083Cross-Site Request Forgery (CSRF) (CWE-352)6.6CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:H
CVE-2024-3082Plaintext Storage of a Password (CWE-256)4.2CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
CVE-2024-31200Insertion of Sensitive Information Into Sent Data (CWE-201)4.2CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

The table below lists the vulnerabilities found on the Thermoscan IP (20211103) Windows application, sorted by CVSS v3.1 base score.

CVE IDCWECVSS v3.1 Base ScoreCVSS v3.1 Vector
CVE-2024-31202Incorrect Permission Assignment for Critical Resource (CWE-732)8.4CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVE-2024-31201Unquoted Search Path or Element (CWE-428)6.5CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H
CVE-2024-31203Stack-based Buffer Overflow (CWE-121)4.0CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Vulnerability Spotlight

A prominent vulnerability identified is CVE-2024-31202, an Incorrect Permission Assignment for Critical Resource resulting in the possibility to perform Local Privilege Escalation (LPE) attacks.

Considering the impacts outlined above, a potential attack scenario within a hospital setting involves an unprivileged user, referred to as "unprivileged_user" in Figure 4, who has basic access to a healthcare system where the Thermoscan IP software is installed. In the real world, this may be a third-party application installed on the same device, or a contractor doing maintenance operations on the system.

Figure 4. Unprivileged user accessing a machine with the Thermoscan IP software installed.

As a result of the technical flaw behind CVE-2024-31202, any user defined on the Windows system may execute commands with administrative privileges, regardless of their access level. One of the most typical ways to abuse such a vulnerability is to create a backdoor account and assign it to the Windows “Administrators” group. As a matter of fact, this would allow the attacker persistent access to the system, giving them the ability to alter, view or remove critical data as desired.

This specific attack path was attempted for proof-of-concept purposes on the test setup, and the aftermath is reported in Figure 5. As can be seen, “unprivileged_user" successfully managed to create a new account named "john" and assigned it to the Administrators group, thereby obtaining a powerful backdoor access to the system.

Figure 5. Backdoor user "john" created by leveraging the LPE attack.

Nozomi Networks Labs attempted to contact both ProgesPlus as well as Plug&Track multiple times, both directly via multiple contact channels and indirectly via CERT/CC by reporting the vulnerabilities over the VINCE platform, but no response was obtained from the vendor. As a consequence, strictly in accordance with our vulnerability disclosure policy, we have proceeded to disclose these vulnerabilities publicly, in an effort to ensure the community is aware and can take necessary precautions. Accordingly, this blog post will not cover further technical details, to prevent potential misuse by malicious actors.


As of the publication of this blog, the vendor has not released an official patch to address the vulnerabilities found. Therefore, we advise taking the following proactive measures to mitigate potential risks:

  1. Segregate access: Implement strict access controls for the temperature monitoring infrastructure. This includes preventing regular clients from accessing the web configuration interface, thereby limiting potential points of exploitation.
  2. Monitor logs and accounts: Conduct regular and thorough reviews of logs and user accounts on systems running the Thermoscan IP software. This will help identify and address any suspicious activities early, ensuring that any potential security breaches are caught and remediated swiftly.

These steps are essential to safeguarding the integrity of the temperature monitoring systems until a permanent fix is available from the vendor.