Nov 7, 2022

7 Key Armis Research Disclosures revisited as Armis turns 7

Blog Header – Armis7 – OPT 1 (1)


Armis is unique in that we have an in-house research department! This department discovers vulnerabilities and then innovates solutions to find, expose, and mitigate malicious actors in a network. 

Once solutions are created, the in-house team produces disclosures to ensure that vendors are alerted to the potential threats and have all the information needed in order to make patches for the vulnerabilities. 

“Essentially speaking we find vulnerabilities before the bad guys do!”

Barak Hadad
Armis Head of Research

And then the Armis Asset Intelligence Platform comes into play! The platform enables organizations to have 100% complete, unified authoritative asset visibility across their entire network. It also allows you to see which of your assets have vulnerabilities so you can prioritize your time to mitigate them by patching these assets.

As we turn 7, we invite you to review 7 of our key security research disclosures as presented by our in-house team at the time of discovery.


BlueBorne is an attack vector by which hackers can leverage Bluetooth connections to penetrate and take complete control over targeted devices. BlueBorne affects ordinary computers, mobile phones, and the expanding realm of IoT devices. Interestingly, the attack does not require the targeted device to be paired to the attacker’s device or set on discoverable mode.

Armis believes many more vulnerabilities await discovery in the various platforms using Bluetooth. These vulnerabilities are fully operational and can be successfully exploited, as demonstrated in our research. The BlueBorne attack vector can be used to conduct a large range of offenses, including remote code execution and Man-in-The-Middle attacks.


BLEEDINGBIT is two critical vulnerabilities related to the use of BLE (Bluetooth Low Energy) chips made by Texas Instruments (TI). The chips are embedded in, among other devices, certain access points that deliver Wi-Fi to enterprise networks manufactured by Cisco, Meraki, and Aruba. These are the leaders in networking and account for nearly 70% of the market

Armis’ research focused on these network devices. These proximity-based vulnerabilities allow an unauthenticated attacker to break into enterprise networks undetected. Once an attacker takes control over an access point, they can move laterally between network segments and create a bridge between them — effectively breaking network segmentation. Armis has reported the issues to TI and the affected vendors above. We are also working with additional vendors of various connected devices to ascertain whether they are also affected by the BLEEDINGBIT vulnerabilities.


URGENT/11 is comprised of 11 zero-day vulnerabilities in VxWorks®, the most widely used operating system you may have never heard about. VxWorks is used by over 3 billion assets, including critical industrial, medical, and enterprise devices. Dubbed “URGENT/11,” the vulnerabilities reside in VxWorks’ TCP/IP stack (IPnet), impacting all versions since version 6.5. They are also a rare example of vulnerabilities found to affect the operating system over the last 14 years. Six of the vulnerabilities are classified as critical and enable Remote Code Execution (RCE).

The remaining vulnerabilities are classified as denial of service, information leaks, or logical flaws. URGENT/11 is serious as it enables attackers to take over devices with no user interaction required, and can even bypass perimeter security devices such as firewalls and NAT solutions. These devastating traits make these vulnerabilities ‘wormable,’ meaning they can propagate malware into and within networks. Attacks like this have a severe potential, resembling the EternalBlue vulnerability used to spread the WannaCry malware.


CDPwn includes five critical, zero-day vulnerabilities in various implementations of the Cisco Discovery Protocol (CDP) that can allow remote attackers to completely take over devices without any user interaction. CDP is a Cisco proprietary Layer 2 (Data Link Layer) network protocol used to discover information about locally attached Cisco equipment. It is implemented in virtually all Cisco products including switches, routers, IP phones, and cameras. All these devices ship from the factory with CDP enabled by default.

The CERT Coordination Center has also issued an advisory on this vulnerability. CDPwn exposes vulnerabilities that could allow an attacker to fully take over all of these devices.  Four of the five vulnerabilities are remote code execution (RCE) vulnerabilities, while one is a Denial of Service (DoS) vulnerability.


ModiPwn is a new vulnerability (CVE-2021-22779) in Schneider Electric (SE) Modicon PLCs that bypassed security mechanisms added to these PLCs to prevent abuse of undocumented Modbus commands. These undocumented commands can allow full control over the PLC — overwriting critical memory regions, leaking sensitive memory content, or invoking internal functions. 

Armis researchers found that these commands can be used to take over the PLC and gain native code execution on the device. This native code execution can be used to alter the operation of the PLC while hiding the alterations from the engineering workstation that manages it. This attack is unauthenticated and only requires network access to the targeted PLCs.


PwnedPiper is a set of nine critical vulnerabilities in the leading solution for pneumatic tube systems (PTS) in North America – the Translogic PTS system by Swisslog Healthcare. This system is used in over 80% of hospitals in North America and installed in more than 3,000 hospitals worldwide. The vulnerabilities allow for a complete takeover of the Translogic Nexus Control Panel, which powers all current models of Translogic PTS stations. Older IP-connected Translogic stations are also impacted but are no longer supported by Swisslog.

These systems are vital to hospital operations as they automate logistics and transport materials throughout the hospital via a network of pneumatic tubes. These systems are also designed to provide better patient care with automated material transport that includes highly sensitive materials like lab specimens, blood products, pathology lab tests, medications, and more. Today due to their wide adoption, these systems are vital for the proper workflow of hospital operations.


TLStorm is a set of critical vulnerabilities in APC Smart-UPS devices that allow an attacker to take control of these devices. Armis researchers have discovered five new vulnerabilities that share a common source. The root cause for these vulnerabilities was a misuse of NanoSSL, a popular TLS library by Mocana. By exploring similar faulty implementations of the Mocana NanoSSL library in network switches, Armis has discovered these new vulnerabilities in the implementation of TLS communications in multiple models of Aruba (acquired by HP) and Avaya (acquired by ExtremeNetworks) network switches.

Using the Armis Collective Asset Intelligence Engine – database of over 3 billion assets, Armis researchers identified dozens of devices using the Mocana NanoSSL library. The findings include two popular network switch vendors that are affected by a similar implementation flaw of the library, leading to remote code execution (RCE) vulnerabilities that can be exploited over the network. While UPS devices and network switches differ in function and levels of trust within the network, the underlying TLS implementation issues allow for devastating consequences, if attackers are able to identify and exploit TLStorm vulnerabilities.

Next Steps

Find out more about Armis in-house research here:

Get Updates!

Sign up to receive the latest news