Eppendorf BioFlo 320

What Happened

Eppendorf BioFlo 320 bioreactors have a critical security flaw where a built-in, unchangeable password is used for remote access. If the remote access feature is turned on, anyone on the network can take full control of the device. This matters because unauthorized access to medical and research equipment could compromise sensitive data or disrupt operations. Users should immediately verify that remote access is disabled and install the Version 5.0 software update provided by Eppendorf.

Key Takeaways

• Eppendorf BioFlo 320 bioreactors contain a critical hard-coded password vulnerability (CVE-2026-7251) in their VNC server.
• Exploitation allows unauthenticated remote attackers to gain full control of the bioreactor's user interface and data.
• VNC is disabled by default, but if enabled, the traffic is unencrypted and vulnerable to interception and unauthorized access.
• Eppendorf has released Software Version 5.0, which permanently removes VNC access from the controller.

Affected Systems

• Eppendorf BioFlo 320 Bioreactor (all versions prior to 5.0)

Vulnerabilities (CVEs)

• CVE-2026-7251

Attack Chain

An attacker identifies an Eppendorf BioFlo 320 bioreactor on the network with VNC remote access enabled. The attacker connects to the VNC server using a known hard-coded password. Upon successful authentication, the attacker gains full control over the bioreactor's user interface, allowing them to manipulate functionality and access data.

Detection Availability

• YARA Rules: No
• Sigma Rules: No
• Snort/Suricata Rules: No
• KQL Queries: No
• Splunk SPL Queries: No
• EQL Queries: No
• Other Detection Logic: No

No specific detection rules are provided in the advisory.

Detection Engineering Assessment

EDR Visibility: None — ICS and bioreactor devices typically do not support the installation of standard EDR agents. Network Visibility: High — VNC traffic is unencrypted and uses standard, identifiable network protocols, making it highly visible to network monitoring tools. Detection Difficulty: Moderate — Detecting VNC traffic to an ICS device is straightforward, but distinguishing legitimate administrative use from malicious use using the hard-coded password may require deep packet inspection or strict baseline comparisons.

Required Log Sources

• Network flow logs
• Firewall logs
• IDS/IPS alerts

Hunting Hypotheses

Hypothesis	Telemetry	ATT&CK Stage	FP Risk
Consider hunting for any VNC traffic (typically port 5900) originating from or destined to Eppendorf BioFlo 320 bioreactor IP addresses.	Network flow logs, Firewall logs	Initial Access / Command and Control	Low

Control Gaps

• Lack of encryption for VNC traffic
• Inability to install endpoint agents on proprietary ICS devices

Key Behavioral Indicators

• Unexpected VNC connections to ICS network segments
• Unencrypted VNC traffic directed to bioreactor IPs

False Positive Assessment

• Low

Recommendations

Immediate Mitigation

• Verify against your organization's incident response runbook and team escalation paths before acting.
• Verify locally at the tower that VNC is disabled on all Eppendorf BioFlo 320 controllers.
• Enable security settings so that only Admin and Supervisor roles can change VNC configurations.
• Install Version 5.0 Software from Eppendorf as soon as possible to permanently remove VNC access.

Infrastructure Hardening

• Minimize network exposure for all control system devices and ensure they are not accessible from the internet.
• Isolate control system networks and remote devices behind firewalls, separating them from business networks.
• If remote access is absolutely required for other devices, utilize secure methods such as updated VPNs.

User Protection

• N/A

Security Awareness

• Ensure ICS operators are aware of the risks of enabling unencrypted remote access protocols like VNC on critical equipment.

MITRE ATT&CK Mapping

• T1078.001 - Valid Accounts: Default Accounts
• T1219 - Remote Access Software
• T1190 - Exploit Public-Facing Application