Eppendorf BioFlo 320

Plan Patch | CVSS 9.8 | ICS-CERT ICSMA-26-146-01 | May 26, 2026
Attack path
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

The Eppendorf BioFlo 320 Bioreactor (all versions) contains a vulnerability related to hardcoded credentials or insecure default configuration (CWE-259) that could allow an attacker to gain full access to the bioreactor's functionality and data. The vulnerability relates to Virtual Network Computing (VNC) access on the controller. While VNC ships disabled by default and can only be enabled locally at the tower, the vulnerability permits remote exploitation if VNC is enabled or misconfigured.

What this means
What could happen
An attacker with network access to an affected BioFlo 320 bioreactor could gain complete control of the system, including the ability to alter fermentation parameters, stop bioprocess operations, or access sensitive batch and research data stored on the bioreactor controller.
Who's at risk
Biopharmaceutical manufacturers, contract manufacturing organizations (CMOs), and research institutions using Eppendorf BioFlo 320 bioreactors for fermentation, cell culture, and bioprocess development are affected. BioFlo 320 systems are used for clinical and commercial bioproduction of recombinant proteins, monoclonal antibodies, and cell therapies.
How it could be exploited
An attacker on the network sends VNC protocol traffic to the bioreactor controller's VNC port. If VNC is enabled or accessible due to a default or weak configuration, the attacker gains unauthenticated or easily bypassed remote access to the controller interface and can manipulate bioprocess settings or extract data.
Prerequisites
  • Network-layer access to the bioreactor controller (same subnet or routable network)
  • VNC enabled on the bioreactor controller (non-default but possible if manually enabled locally)
  • No firewall rules restricting access to VNC port on the controller
Tags: Remotely exploitable | No authentication required | Affects bioprocess control systems | High CVSS score (9.8) | Affects all product versions
Exploitability
Unlikely to be exploited — EPSS score 0.1%
Affected products (1)
Product | Affected Versions | Fix Status
BioFlo 320 Bioreactor | All versions | No fix yet
Remediation & Mitigation
Do now
WORKAROUND: Verify VNC is disabled on the bioreactor controller
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Download and apply the Eppendorf software update that permanently removes VNC access from the controller
HARDENING: Enable security settings to restrict VNC configuration changes to Admin and Supervisor roles only
Long-term hardening
HARDENING: Implement firewall rules to restrict network access to the bioreactor controller from untrusted or non-operational networks
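As an added example supporting the "verify VNC is disabled" workaround (this is not code from the advisory or from Eppendorf), a small Python audit check that connects to a controller's VNC port, parses the RFB handshake, and reports whether the service is absent, password-protected, or offering unauthenticated access. The default port 5900 and any host addresses are assumptions; the handshake samples in the comments are constructed.

```python
# Added audit helper, not Eppendorf's or the advisory's code. Checks whether a
# host answers a VNC (RFB) handshake and whether it offers security type 1
# ("None"), i.e. a session with no password at all.
import socket

# Security-type numbers from the RFB protocol specification
SECURITY_TYPE_NAMES = {1: "None", 2: "VNC Authentication", 16: "Tight",
                       18: "TLS", 19: "VeNCrypt"}


def parse_rfb_handshake(data: bytes) -> dict:
    """Parse the server ProtocolVersion banner and the bytes following it.
    RFB 3.7+ sends a count byte then a list of security types; RFB 3.3
    sends a single 4-byte big-endian type. Constructed sample inputs:
    b"RFB 003.008\\n\\x02\\x01\\x02" or b"RFB 003.003\\n\\x00\\x00\\x00\\x02"."""
    if len(data) < 12 or not data.startswith(b"RFB ") or data[11:12] != b"\n":
        return {"vnc": False}
    version = data[4:11].decode("ascii", "replace")  # e.g. "003.008"
    rest = data[12:]
    if version >= "003.007":  # fixed-width strings, so lexical compare works
        types = list(rest[1:1 + rest[0]]) if rest else []
    else:
        types = [int.from_bytes(rest[:4], "big")] if len(rest) >= 4 else []
    return {"vnc": True, "version": version, "security_types": types,
            "unauthenticated": 1 in types}


def classify(result: dict) -> str:
    """Audit verdict for one controller: the expected state is no VNC at all."""
    if not result.get("vnc"):
        return "OK: no VNC service answered"
    if result["unauthenticated"]:
        return "CRITICAL: VNC enabled without authentication"
    names = ", ".join(SECURITY_TYPE_NAMES.get(t, str(t))
                      for t in result["security_types"])
    return f"WARN: VNC enabled (RFB {result['version']}; auth: {names})"


def probe_vnc(host: str, port: int = 5900, timeout: float = 3.0) -> dict:
    """Connect, read the banner, echo the version back (an RFB 3.7+ server
    lists security types only after the client's version) and parse the
    reply. Refused or timed-out connections count as 'no VNC'."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.settimeout(timeout)
            banner = sock.recv(12)
            if not banner.startswith(b"RFB "):
                return {"vnc": False}
            sock.sendall(banner)  # client ProtocolVersion message
            return parse_rfb_handshake(banner + sock.recv(256))
    except OSError:
        return {"vnc": False}
```

Run `classify(probe_vnc(host))` for each controller in the inventory; anything other than an "OK" verdict contradicts the ships-disabled default and should be treated as a finding.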


Eppendorf BioFlo 320 | CVSS 9.8 - OTPulse