The HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Illumina Sequencing Instruments Affected by Maximum Severity Vulnerability

Healthcare providers and laboratory personnel have been warned about a maximum severity vulnerability in Illumina Universal Copy Service software used by its DNA sequencing instruments.

The vulnerability affects Illumina products with Illumina Universal Copy Service (UCS) v2.x installed:

  • iScan Controls Software (v4.0.0 and v4.0.5)
  • iSeq 100 (all versions)
  • MiniSeq Control Software (v2.0 and later)
  • MiSeq Control Software (v4.0 RUO Mode)
  • MiSeqDx Operating Software (v4.0.1 and later)
  • NextSeq 500/550 Control Software (v4.0)
  • NextSeq 550Dx Control Software (v4.0 RUO Mode)
  • NextSeq 550Dx Operating Software (v1.0.0 to 1.3.1)
  • NextSeq 550Dx Operating Software (v1.3.3 and later)
  • NextSeq 1000/2000 Control Software (v1.4.1 and prior)
  • NovaSeq 6000 Control Software (v1.7 and prior)
  • NovaSeq Control Software (v1.8)

Affected devices are vulnerable to two flaws, the most serious of which – CVE-2023-1699 – allows binding to an unrestricted IP address. If exploited, a malicious actor could use UCS to listen on all IP addresses, including those capable of accepting remove communications, remotely take control of the affected devices, change device settings, and alter or steal sensitive data. The flaw can be exploited remotely with low attack complexity and has been assigned a CVSS score of 10 out of 10.

The second flaw, tracked as CVE-2023-1966, affects UCS v1.x and v2.0 and is due to unnecessary privileges. A remote attacker could upload and execute code remotely at the operating system level, allowing changes to be made to settings and configurations and sensitive data to be accessed on the affected products. The vulnerability has been assigned a CVSS score of 7.4 out of 10.

Get the FREE
HIPAA Compliance Checklist

Delivered via email so please ensure you enter your email address correctly.

Your Privacy Respected

HIPAA Journal Privacy Policy

The vulnerabilities were discovered by Illumina and were reported to the Cybersecurity and Infrastructure Agency (CISA). Illumina says it is unaware of any instances of actual or attempted exploitation of the flaws; however, due to the severity of the vulnerabilities and the ease of exploitation, immediate patching is recommended.

On April 5, 2023, Illumina notified customers about the flaw requesting they check for signs of exploitation. A patch has now been released along with a Vulnerability Instructions Guide to help users address the flaw based on the specific configurations of their devices. The U.S. Food and Drug Administration (FDA) recently issued a warning to healthcare providers and laboratory personnel that the vulnerabilities may present risks for patient results and customer networks. Until the patch can be applied, steps should be taken to reduce the risk of exploitation, including minimizing network exposure, ensuring the affected devices are not accessible over the Internet, locating control system networks and remote devices behind firewalls, and only using secure methods to remotely access the devices, such as a Virtual Private Network (VPN).

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.


Is Your Organization HIPAA Compliant?

Find Out With Our Free HIPAA Compliance Checklist

Get Free Checklist