PatchSiren cyber security CVE debrief
CVE-2016-8355 Smiths Medical CVE debrief
CVE-2016-8355 is a critical privilege-escalation issue in Smiths-Medical CADD-Solis Medication Safety Software versions 1.0, 2.0, 3.0, and 3.1. A successfully authenticated user may gain elevated SQL-database privileges, which can be used to modify drug libraries, add and delete users, and change permissions. The CVE was published on 2017-02-13 and the supplied NVD record was later modified on 2026-05-13.
- Vendor: Smiths Medical
- Product: CVE-2016-8355
- CVSS: CRITICAL 9.9
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2017-02-13
- Original CVE updated: 2026-05-13
- Advisory published: 2017-02-13
- Advisory updated: 2026-05-13
Who should care
Healthcare organizations using CADD-Solis, especially clinical engineering, biomedical device administrators, hospital IT/security teams, and any staff responsible for drug-library updates or user administration.
Technical summary
The supplied NVD record rates this issue CVSS 3.0 9.9 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H) and maps it to CWE-306. The core flaw is that an authenticated user can obtain elevated privileges on the SQL database, creating a path to alter drug libraries and account permissions. The vendor note in the supplied description says physical access to the pump is required to install drug library updates, which is an important deployment caveat when assessing real-world exposure.
Defensive priority
Urgent: this is a critical-impact issue in a safety-sensitive medical environment, and affected environments should validate exposure and remediate using vendor and ICS guidance as quickly as possible.
Recommended defensive actions
- Inventory all affected CADD-Solis Medication Safety Software deployments and confirm whether versions 1.0, 2.0, 3.0, or 3.1 are present.
- Restrict authenticated access to the SQL database and to the update workflow to the minimum necessary users and roles.
- Review and tighten permissions for drug-library changes, user creation/deletion, and permission changes.
- Follow the vendor and ICS-CERT guidance referenced in the supplied record (ICSMA-16-306-01 and the linked advisory references) for remediation and operational controls.
- Verify and log physical access controls for pump update procedures, and keep change-management records for any drug-library updates.
- After any update or remediation, validate drug libraries and user permissions before returning systems to clinical use.
Evidence notes
All substantive claims in this debrief are drawn from the supplied CVE description, the supplied NVD metadata, and the referenced advisory links. The supplied record identifies affected versions 1.0/2.0/3.0/3.1, lists the CVSS vector, and cites ICS-CERT advisory ICSMA-16-306-01 plus a SecurityFocus BID entry. The vendor statement in the supplied description notes that physical access to the pump is required to install drug library updates.
Official resources
- CVE-2016-8355 CVE record (CVE.org)
- CVE-2016-8355 NVD detail (NVD)
- Source item URL (nvd_modified)
- Mitigation or vendor reference: [email protected] - Third Party Advisory, VDB Entry
- Mitigation or vendor reference: [email protected] - Third Party Advisory, US Government Resource
Publicly disclosed on 2017-02-13; the supplied official record was later modified on 2026-05-13.