Critical Hard‑coded VNC Password in Eppendorf BioFlo 320 Bioreactor (CVE‑2026‑7251) Enables Full Remote Control
What It Is — A hard‑coded password embedded in the VNC server of Eppendorf’s BioFlo 320 bioreactor allows any remote user who can reach the device to authenticate without credentials. The VNC channel is unencrypted, giving the attacker complete control of the user interface and all process parameters.
Exploitability — The vulnerability is publicly disclosed with a CVSS 3.1 score of 9.8 (Critical). No public exploit code has been observed, but exploitation requires only network reachability and knowledge of the default password, making it trivially exploitable in environments where remote VNC is enabled.
Affected Products — Eppendorf BioFlo 320 bioreactor (all firmware versions).
TPRM Impact — The BioFlo 320 is deployed worldwide in pharmaceutical manufacturing, biotech research, and clinical‑grade cell‑culture labs. Compromise could:
- Disrupt critical production runs, causing costly downtime.
- Exfiltrate proprietary process data or introduce malicious process parameters, threatening product quality and regulatory compliance.
- Propagate risk downstream to contract manufacturers and healthcare providers that rely on the bioreactor’s output.
Recommended Actions —
- Apply Eppendorf’s firmware update that permanently removes VNC access from the controller (download from https://www.eppendorf.com/software‑downloads).
- Disable remote VNC on any BioFlo 320 that cannot be patched immediately.
- Network‑segment bioreactor control networks from corporate LANs and enforce strict firewall rules limiting inbound traffic to trusted management stations.
- Audit control‑panel logs for any unauthorized VNC sessions after remediation.
- Update third‑party risk registers to reflect the elevated supply‑chain risk associated with lab‑equipment vendors.
Source: CISA Advisory – ICSMA‑26‑146‑01