CVE-2026-7251
Eppendorf · BioFlo 320
Eppendorf BioFlo 320 is vulnerable to unauthorized access via a hard-coded password in the VNC server.
Executive summary
The Eppendorf BioFlo 320 bioreactor controller is vulnerable to unauthorized full control due to the use of a hard-coded password in its VNC server.
Vulnerability
The device's VNC remote-access service authenticates with a hard-coded password, i.e. one embedded in the firmware rather than chosen per installation, so it is the same on every unit. The VNC (RFB) traffic is also transmitted without encryption, so session contents, including screen updates and keystrokes, are readable by anyone positioned on the network path. A remote attacker who can reach the device's VNC port over the network can therefore authenticate with the fixed credential and take full control of the controller's user interface.
Business impact
This vulnerability poses a significant physical and operational risk. The CVSS score of 9.8 (Critical) reflects that the attack needs only network reachability and no valid account: an attacker who controls the user interface controls the bioreactor itself, potentially ruining running experiments, causing loss of research data, or creating physical safety hazards in the laboratory.
Remediation
Immediate Action: Contact the vendor for firmware updates and disable VNC access on all BioFlo 320 devices. Do not treat changing the VNC password as a fix, since a hard-coded credential is not one the operator can rotate in the field. Where the device configuration does not allow VNC to be turned off, block TCP port 5900 (the RFB default) to the device at the nearest switch or firewall.
Proactive Monitoring: Alert on any TCP session to a BioFlo 320 address on port 5900, and on any session whose server banner begins with `RFB 003.` regardless of port, that does not originate from an approved operator workstation.
Compensating Controls: Isolate BioFlo 320 units on a dedicated, non-routable network segment or behind a VPN so they cannot be reached from outside the lab. Any permitted operator path should carry VNC inside the VPN or an SSH tunnel, because the protocol itself provides no confidentiality.
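The monitoring step above is easiest to apply as a rule over flow or IDS records that retain the first bytes a server sent. The following is an added example for this advisory, not Eppendorf code: it classifies a session as VNC either by the standard display ports or by the RFB protocol banner (so VNC moved to an odd port is still caught), and raises an alert when such a session reaches a controller subnet from a host that is not on the approved operator list. The controller subnet, the approved client, and the flow records are constructed assumptions.

```python
"""Flag VNC (RFB) sessions reaching lab controllers such as the BioFlo 320
from hosts that are not approved operator workstations.

Added example for this advisory, not Eppendorf code. The device subnet,
the approved client list and the flow records below are constructed
assumptions; real input would come from a flow collector or IDS that
keeps the first server bytes of each TCP session."""
import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# RFB (the VNC wire protocol) opens with a 12-byte server banner such as
# b"RFB 003.008\n"; matching it catches VNC on any port, not just 5900.
RFB_BANNER = re.compile(rb"^RFB (\d{3})\.(\d{3})\n")
VNC_PORTS = range(5900, 5910)  # default display ports :0 .. :9


@dataclass
class Flow:
    src: str             # client address
    dst: str             # server address
    dport: int           # server port
    server_bytes: bytes  # first bytes the server sent, or b"" if unknown


def rfb_version(payload: bytes):
    """Return (major, minor) if payload starts with an RFB banner, else None."""
    m = RFB_BANNER.match(payload)
    return (int(m.group(1)), int(m.group(2))) if m else None


def is_vnc(flow: Flow) -> bool:
    """Classify by banner first, port second, so off-port VNC is not missed."""
    return rfb_version(flow.server_bytes) is not None or flow.dport in VNC_PORTS


def audit(flows, device_subnet: str, allowed_clients):
    """Return (src, dst, dport, reason) for every VNC session that reaches a
    controller in device_subnet from a client outside allowed_clients."""
    net = ip_network(device_subnet)
    allowed = {ip_address(a) for a in allowed_clients}
    alerts = []
    for f in flows:
        if ip_address(f.dst) not in net or not is_vnc(f):
            continue
        if ip_address(f.src) in allowed:
            continue  # expected operator session (still cleartext on the wire)
        reason = "vnc-port" if f.dport in VNC_PORTS else "rfb-banner-off-port"
        alerts.append((f.src, f.dst, f.dport, reason))
    return alerts


# Constructed sample: controllers live in 10.20.30.0/24 and only the
# operator jump host 10.20.1.10 is allowed to open VNC sessions to them.
DEVICE_SUBNET = "10.20.30.0/24"
ALLOWED_CLIENTS = ["10.20.1.10"]
SAMPLE_FLOWS = [
    Flow("10.20.1.10", "10.20.30.5", 5900, b"RFB 003.008\n"),   # approved operator
    Flow("203.0.113.7", "10.20.30.5", 5900, b"RFB 003.008\n"),  # outside host: alert
    Flow("10.20.1.55", "10.20.30.6", 8080, b"RFB 003.008\n"),   # VNC on odd port: alert
    Flow("10.20.1.55", "10.20.30.6", 443, b"\x16\x03\x01"),     # TLS, not VNC
    Flow("203.0.113.7", "10.20.40.9", 5900, b"RFB 003.008\n"),  # not a controller subnet
]

if __name__ == "__main__":
    for alert in audit(SAMPLE_FLOWS, DEVICE_SUBNET, ALLOWED_CLIENTS):
        print("VNC to controller from unapproved host:", alert)
```

Sessions from the approved jump host are deliberately not alerted, but they are still unencrypted on the wire; the compensating control above (VPN or SSH tunnel on that path) is what closes that gap, not this rule.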
Exploitation status
Public Exploit Available: false
Analyst recommendation
The use of hard-coded credentials in industrial or scientific equipment is a severe security failure, because the credential cannot be rotated by the operator and, once known, works against every unit. Organizations must immediately isolate these devices from any network reachable from outside the lab segment and work with the vendor to apply the necessary firmware updates or configuration changes.