A severe security flaw impacting routers and disclosed four years ago has once again returned to the field, but this time, medical devices are potentially at risk.

The vulnerability, known as Misfortune Cookie, has been assigned a severity rating of 9.8.

Otherwise known as CVE-2014-9222, the bug first came on the radar through disclosure by Check Point researchers in 2014.

According to the cybersecurity firm, Misfortune Cookie impacted residential gateway SOHO routers from a variety of vendors. If exploited, the security flaw allowed attackers to remotely hijack devices.

A new security advisory issued by Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) says that the vulnerability has now been found in medical device systems.

The equipment in question is the Datacaptor Terminal Server (DTS), a medical device gateway developed by Qualcomm Life subsidiary Capsule Technologies SAS.

The gateway is used in hospitals to connect medical devices to larger network infrastructure.

See also: FDA one of many ‘toothless dragons’ with no will to tackle medical device security | IoT security warning: Cyber-attacks on medical devices could put patients at risk | KRACK Wi-Fi vulnerability can expose medical devices, patient records | FDA issues recall of 465,000 St. Jude pacemakers to patch security holes

Cybersecurity firm CyberMDX discovered the presence of the flaw which can be exploited by attackers to conduct remote arbitrary memory write, which could lead to unauthorized login and code…

[SOURCE]