Physical‑access flaw in Radiometer analysers exposes credentials — time for boards to treat device security as a top risk


A vulnerability disclosed less than an hour ago (CVE-2025-14096) revealed that multiple Radiometer analysers contain a design weakness allowing an attacker with physical access to the device to extract credential information from the operating system. A proof‑of‑concept exists and affected customers have been informed; Radiometer says local representatives will contact those customers to discuss a permanent fix. The temporary mitigation is simple to state but not trivial to enforce: only authorised people should have physical access to the analyser.

What happened (briefly and without the drama)

According to the advisory, the problem is a weakness in the device design and insufficient credential protection in the operating system. Exploitation requires physical access to the analyser; researchers supplied a working proof‑of‑concept, and at the time of publication Radiometer is not aware of publicly available exploit code. The vendor has notified affected customers and plans to deploy permanent remediation via local support teams.

Why this matters to business and to the board

On the surface this looks like a device‑level issue, but it ripples through procurement, compliance, operations and patient or customer safety. If credentials stored on an analyser are disclosed, attackers can use them to pivot into internal networks, access historical data or integration points, or impersonate services — all outcomes that bite budgets, trust and regulatory standing.

Boards should care because this is a classic example of how physical security, asset management and supplier controls collide. It also illustrates the limits of thinking of cyber as “IT only” — a local, physical weakness in an operational device can escalate into a data protection incident, contractual failures with partners, and regulatory notifications.

How this can escalate if ignored

Letting this sit is not just risky, it’s expensive and embarrassing. Reasonable scenarios include quiet credential harvesting followed by lateral movement, data exfiltration that only becomes visible months later, or attackers using device credentials to tamper with results or integrations — with knock‑on effects on service delivery and trust.

Unhappy consequences that keep leaders awake include regulatory investigations, expensive remediation, contract breaches, and the kind of reputational damage that’s far harder to fix than a patched device. And yes, treating physical access as an afterthought is rather like keeping your parachute in the cupboard: fine until you jump.

Practical steps you should take this afternoon

Start with the fundamentals. The vendor’s short‑term advice — restrict physical access to authorised people — is sensible, but it’s the start, not the finish. Here are pragmatic actions a sensible organisation can take now:

  • Immediate controls: enforce strict physical access controls for analysers (locked rooms, access logs, escorts for visitors) and treat them as high‑value assets in your asset inventory.

  • Segmentation and least privilege: isolate device networks from core IT networks and avoid shared credentials or cross‑system trust that can be exploited if a device is compromised.

  • Credential protection: ensure devices use properly protected storage for secrets and rotate credentials when a device is serviced or transported.

  • Supply‑chain and vendor engagement: accept the vendor remediation but demand transparency on timelines and fixes; document supplier responsibilities and patch plans in contracts.

  • Incident readiness: update incident response runbooks to include physical‑access device compromise scenarios and test recovery plans — don’t discover gaps during a real event.

How ISO standards and good practice reduce risk

An organised approach cuts across the messy, human parts of this problem. An ISO 27001 information security management system enforces disciplines such as asset management, access control and supplier management so devices like these aren’t forgotten in the inventory or left with weak protections. Controls mapped to ISO 27001 clauses (asset inventory, physical security and supplier relationships) would have highlighted the risk sooner and required mitigation plans.

ISO 22301 business continuity helps ensure that services continue even when a device needs to be taken offline for remediation — essential where analysers are part of critical workflows. Meanwhile, baseline certifications such as Cyber Essentials and IASME encourage practical controls that reduce exposure to common threats.

People are part of the solution too: targeted security awareness training such as usecure helps staff recognise the importance of physical controls and proper handling procedures, while supplier‑facing clauses and regular audits (which can be supported through Synergos support packages) ensure vendors deliver timely fixes and clear communications.

What a robust, ISO‑aligned response looks like

Short term

Apply the vendor’s temporary mitigation: restrict physical access and log movements. Rotate any exposed credentials where feasible and isolate affected devices from critical networks until patched.

Medium term

Accept and deploy the vendor’s permanent fix, verify it, and insist on proofs of remediation. Update asset registers, review segmentation and add device‑specific controls to your ISMS risk treatment plan.

Longer term

Embed supplier risk management into procurement (contractual remediation SLAs, right to audit), perform threat modelling for physical‑access scenarios, and test incident and continuity plans under realistic conditions.

These are practical measures aligned with ISO 27001 and ISO 22301 that reduce the likelihood and impact of future events — and make the inevitable audit a little less stressful.

If this sounds like a lot, remember: standards aren’t compliance theatre. They are a way to turn fortunate guesses into repeatable practice so the next vulnerability doesn’t become a full‑blown crisis.

Yes, vendors must fix their devices. But your organisation must stop relying on vendor goodwill and start managing device risk actively — that’s the only way to keep operations running, regulators satisfied and customers calm.

Take a moment to check where analysers and other bespoke equipment sit in your asset register, who has physical access, and whether your incident playbooks treat device compromise as ‘real’ — not hypothetical. Your next sensible step could be a targeted ISO 27001 risk review for operational devices, followed by short‑term physical access hardening and a supplier remediation tracker.

Lock down physical access to analysers, start an ISO 27001‑aligned device risk review today, and insist your suppliers prove their fixes — before credentials wander off and the board has to explain why they didn’t.

Adam Cooke
As the Operations and Compliance Manager, Adam oversees all aspects of the business, ensuring operational efficiency and regulatory compliance. Committed to high standards, he ensures everyone is heard and supported. With a strong background in the railway industry, Adam values rigorous standards and safety. Outside of work, he enjoys dog walking, gardening, and exploring new places and cuisines.