Cybersecurity Announcement: Critical Illumina vulnerabilities (multiple CVEs)

June 7, 2022

About the Event

Four critical vulnerabilities were discovered in Illumina Local Run Manager (LRM), software used by sequencing instruments to aid in genetic analysis. The most severe of these could allow a remote, unauthenticated attacker to take control of affected systems. Three vulnerabilities carry the highest CVSS3 score (10.0), while the fourth has a score of 9.1.

Actions to Consider

Illumina has contacted customers directly with a patch to prevent the vulnerabilities from being remotely exploited and is currently working on a more general fix. Cybersecurity recommends applying the patch immediately and to follow Illumina’s guidance on updating systems when further updates are released.

Event Impact

If exploited, the vulnerabilities could allow remote, unauthenticated attackers to completely take control of affected systems. A CVSS3 score of 10.0 indicates that the attack complexity is low and can be carried out with relative ease using unsophisticated methods. The critical vulnerabilities are tracked as CVE-2022-1517, CVE-2022-1518, CVE-2022-1519, and CVE-2022-1521. Additionally, a fifth vulnerability (CVE-2022-1524) carries a high-severity rating, with a CVSS score of 7.4.

Cybersecurity is not currently aware of any published proofs of concept or of any attacks in the wild.