Severe Flaws In Illumina DNA Sequencing Technology, CISA Warns

By Adeola Adegunwa
Writer, Informationsecuritybuzz | Apr 28, 2023 10:02 am PST

DNA sequencing instruments made by genomics major Illumina contain a critical software flaw that could be used by attackers to alter or steal sensitive patient medical data. The U.S. Food and Drug Administration and the cybersecurity agency CISA issued separate advisories on Thursday warning of the flaw, tracked as CVE-2023-1968 and assigned the maximum severity rating of 10 out of 10.

The flaw could allow an unauthenticated attacker to reach an affected device remotely over the network. If it is exploited, attackers may be able to compromise devices and cause them to produce false, altered, or missing results.

The warnings also cover a second vulnerability, CVE-2023-1966, rated 7.4 out of 10. That flaw could give an attacker operating-system-level access, allowing them to upload and run malicious programs, change settings, and access private information on the affected product.

The affected Illumina products are the iScan, iSeq, MiniSeq, MiSeq, MiSeqDx, NextSeq, and NovaSeq. These instruments are used around the world in the healthcare industry and are designed for clinical diagnostic use when sequencing a person's DNA for genetic diseases, as well as for research.

According to Illumina spokesperson David McAlpine, the company has not received any reports that the vulnerabilities have been exploited and has no evidence that they have been used. McAlpine declined to say how many devices are affected or whether Illumina has the technical ability to detect exploitation.

Illumina CEO Francis deSouza stated in January that the company has more than 22,000 sequencers installed. Illumina CTO Alex Aravanis said in a LinkedIn post that the vulnerability was found during routine efforts to review its software for potential flaws and exposures.

When this weakness was discovered, Aravanis said, "our team worked to develop mitigations to protect our instruments and customers. We then got in touch with regulators and customers and worked closely with them to address the issue with a straightforward, cost-free software update, requiring little to no downtime for most."

News of the Illumina vulnerabilities follows the FDA's announcement last month that medical device manufacturers must meet specific cybersecurity requirements when filing an application for a new product. Manufacturers must provide a plan describing how they will identify and fix vulnerabilities, as well as a software bill of materials listing all of the components that make up a device.

Both vulnerabilities are in Illumina's Universal Copy Service (UCS), a component of the company's DNA sequencing instruments used in hospitals and labs around the world, according to an urgent advisory from the FDA and the U.S. Cybersecurity and Infrastructure Security Agency (CISA). The CISA notice, published yesterday, warns that an unauthenticated malicious actor could upload and execute code remotely at the operating system level, giving the attacker the ability to alter settings, configurations, or software, or to access sensitive data on the compromised product.

California-based Illumina manufactures powerful bioanalysis and DNA sequencing equipment, which is used by clinical, research, academic, biotechnology, and pharmaceutical organizations in 140 countries. Illumina notified affected customers on April 5, 2023, at the FDA's direction, urging them to review their instruments and medical devices for signs of potential exploitation of the vulnerabilities.

Some instruments have a dual boot mode that lets users switch between clinical diagnostic and RUO modes. Devices labeled "For Research Use Only" are usually still in development and are not intended for diagnostic use, though some labs may use them alongside clinical diagnostic testing. The first flaw, CVE-2023-1968 (CVSS v3 score 10.0, critical), stems from UCS binding to an unrestricted IP address: a remote, unauthenticated attacker can reach the service on any interface it listens on, including those that accept outside connections, and can use that position to observe network traffic and locate further vulnerable hosts.
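The practical check that follows from CVE-2023-1968 is whether a service is bound to a wildcard address (0.0.0.0 or ::) rather than to loopback. The script below is an added example and is not Illumina's code or part of the advisory; it audits constructed `ss -ltn` style output for wildcard binds and shows the weak (0.0.0.0) versus hardened (127.0.0.1) bind choice on a throwaway socket. The port numbers in the sample listing are made up and are not the port UCS uses.

```python
"""Audit listening sockets for unrestricted (wildcard) binds.

A service bound to 0.0.0.0 or :: accepts connections on every interface,
including any that is reachable from outside; a service bound to 127.0.0.1
is reachable only from the host itself. This is an added example, not code
from Illumina or from the CISA/FDA advisories.
"""
import socket

# Addresses that mean "every interface" in socket APIs and in ss/netstat output.
WILDCARD_HOSTS = {"0.0.0.0", "::", "*"}

# Constructed sample of `ss -ltn` output; ports and services are hypothetical.
SAMPLE_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:8080       0.0.0.0:*
LISTEN 0      128    127.0.0.1:5432     0.0.0.0:*
LISTEN 0      128    [::]:22            [::]:*
LISTEN 0      128    [::1]:631          [::]:*
"""


def split_local_address(local: str) -> tuple[str, int]:
    """Split the 'Local Address:Port' column into (host, port).

    Handles IPv4 ('0.0.0.0:8080'), bracketed IPv6 ('[::]:22') and the
    bare '*' wildcard that older netstat versions print ('*:80').
    """
    host, _, port = local.rpartition(":")
    return host.strip("[]"), int(port)


def is_unrestricted_bind(local: str) -> bool:
    """True if the listed local address is a wildcard bind."""
    host, _ = split_local_address(local)
    return host in WILDCARD_HOSTS


def audit_listeners(ss_output: str) -> list[tuple[str, int]]:
    """Return (host, port) for every LISTEN socket bound to a wildcard address.

    Expects the text of `ss -ltn`; the first line is the column header.
    """
    findings = []
    for line in ss_output.splitlines()[1:]:
        cols = line.split()
        if len(cols) < 5 or cols[0] != "LISTEN":
            continue
        local = cols[3]
        if is_unrestricted_bind(local):
            findings.append(split_local_address(local))
    return findings


def bound_address(host: str) -> str:
    """Bind a TCP socket to `host` on an ephemeral port and return the address
    the kernel actually bound. The socket is closed on return, so nothing is
    left listening; this only shows what each bind choice exposes."""
    family = socket.AF_INET6 if ":" in host else socket.AF_INET
    with socket.socket(family, socket.SOCK_STREAM) as sock:
        sock.bind((host, 0))
        return sock.getsockname()[0]


def safe_listen(host: str, port: int) -> socket.socket:
    """Hardened listener: refuse wildcard binds unless the caller passes an
    explicit, non-wildcard interface address. Caller must close the socket."""
    if host in WILDCARD_HOSTS:
        raise ValueError(f"refusing to bind {host!r}: exposes the service on all interfaces")
    family = socket.AF_INET6 if ":" in host else socket.AF_INET
    sock = socket.socket(family, socket.SOCK_STREAM)
    sock.bind((host, port))
    sock.listen()
    return sock


if __name__ == "__main__":
    for host, port in audit_listeners(SAMPLE_SS_OUTPUT):
        print(f"wildcard bind: {host}:{port}")
    print("weak bind resolves to:", bound_address("0.0.0.0"))      # 0.0.0.0
    print("hardened bind resolves to:", bound_address("127.0.0.1"))  # 127.0.0.1
    with safe_listen("127.0.0.1", 0) as srv:
        print("safe_listen bound to:", srv.getsockname())
```

On a real instrument host, feed `audit_listeners` the actual output of `ss -ltn` (or `netstat -ltn` on older systems) and treat any wildcard entry for a service that only needs local access as a finding; the fix is to bind that service to 127.0.0.1 or to a specific management-network address, which is what `safe_listen` enforces.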
