CISA flags CVE-2026-7251 in Eppendorf BioFlo 320 bioreactors
A hard-coded VNC password ships on every version. The "disabled by default" defense holds only until someone locally enables VNC, at which point the password is the same on every unit worldwide.
TL;DR
CISA published ICSMA-26-146-01 alerting healthcare and public health operators to CVE-2026-7251 (CVSS 9.8) in Eppendorf BioFlo 320 bioreactors across all versions. A hard-coded VNC password gives any attacker who knows the device's network address full control of the user interface, and VNC traffic is unencrypted. Eppendorf's Version 5.0 software update permanently removes VNC access; operators should also verify VNC is currently disabled and restrict VNC settings to Admin and Supervisor roles. The advisory does not address remediation for legacy or end-of-support versions. Reported by BIO-ISAC.
CISA's advisory covers all production versions of the BioFlo 320, a bioreactor controller used in healthcare and public health settings worldwide. CVE-2026-7251 is straightforward: the VNC server on the device uses a hard-coded password. Any attacker who can reach the controller on the network and knows that password (the same password on every unit ever shipped) gets full access to the control panel with no further authentication required. VNC traffic is unencrypted, so there is no confidentiality protection on the session either. CVSS 3.1 scores this 9.8 (Critical): network-reachable, no privileges required, no user interaction.
The "disabled by default" defense
Eppendorf's mitigation notes that VNC ships disabled and can only be enabled locally at the tower. That is a meaningful architectural constraint, but it narrows rather than eliminates the exposure. Any BioFlo 320 where a technician has previously enabled VNC for remote troubleshooting (a common field practice) is fully exposed until the Version 5.0 update is applied. Operators cannot assume their units are clean without an explicit verification step. Eppendorf has also removed VNC configuration documentation from current operating manuals, which closes the path for future enablement but does nothing for units already configured.
What practitioners do now
Three steps, in order. First, verify VNC is disabled on every BioFlo 320 controller in the environment; don't assume the default persisted. Second, restrict VNC settings so only Admin and Supervisor roles can change them. Third, install Version 5.0 software, available at eppendorf.com/software-downloads, which permanently removes VNC access from the controller.
The advisory is silent on whether Version 5.0 is compatible with all deployed BioFlo 320 hardware revisions or whether organizations running older, potentially unsupported versions have a supported upgrade path. Healthcare operators with legacy units should contact Eppendorf directly before assuming the patch applies. In the interim, CISA's standard ICS guidance applies: isolate control system networks behind firewalls, keep them off internet-facing segments, and route any necessary remote access through a current VPN rather than VNC.
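The first step above, verifying that VNC is actually disabled on every controller, needs an explicit check rather than an assumption. The following is an added example, not code from Eppendorf, CISA, or the advisory: a small Python inventory probe that records which hosts from an asset list answer the RFB (VNC) handshake and which authentication types they offer, and stops before any authentication. The host list and port 5900 are assumptions; the advisory does not state which port the controller's VNC server uses.

```python
"""Inventory check: which hosts on an asset list still answer on VNC (RFB)?
Added example; not Eppendorf's or CISA's code. Port 5900 is the RFB default
and an assumption here."""
import socket

RFB_DEFAULT_PORT = 5900  # assumption: the advisory does not give the port


def parse_rfb_version(banner: bytes):
    """Parse the 12-byte RFB ProtocolVersion message ('RFB xxx.yyy\\n').
    Returns (major, minor) or None if the peer is not an RFB server."""
    if len(banner) != 12 or not banner.startswith(b"RFB ") or banner[-1:] != b"\n":
        return None
    try:
        major, minor = banner[4:11].split(b".")
        return int(major), int(minor)
    except ValueError:
        return None


def parse_security_types(data: bytes):
    """Parse the RFB 3.7+ security-type list: one count byte followed by that
    many type bytes (1 = None, 2 = VNC Authentication). A count of 0 means the
    server refused the connection and a reason string follows."""
    if not data or len(data) < 1 + data[0]:
        return None
    return list(data[1:1 + data[0]])


def probe_vnc(host: str, port: int = RFB_DEFAULT_PORT, timeout: float = 3.0):
    """Describe the VNC exposure of one host, or return None if nothing answers.
    The exchange ends after the security-type list; no authentication occurs."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            version = parse_rfb_version(s.recv(12))
            if version is None:
                return None
            # The server only lists its security types after the client echoes
            # a version; RFB 3.3 negotiates differently and is reported as unknown.
            s.sendall(b"RFB %03d.%03d\n" % version)
            types = parse_security_types(s.recv(256)) if version >= (3, 7) else None
    except OSError:
        return None
    return {"host": host, "rfb_version": version, "security_types": types}


def audit(hosts):
    """Probe every host in an inventory; return only those where VNC answered."""
    return [r for h in hosts if (r := probe_vnc(h)) is not None]
```

Any host that appears in the `audit` output has VNC enabled and should be treated as exposed until the Version 5.0 update is applied; a result listing security type 2 means password-based VNC Authentication over an unencrypted session, which is the configuration the advisory describes.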
Deep Fathom