
BD Vulnerabilities in Pyxis Products



Summary

Becton, Dickinson and Company (BD) reported that Pyxis products, its automated medication dispensing system, use default credentials without password aging.


Threat details

Introduction

Becton, Dickinson and Company (BD) have reported that the Pyxis product line has default credentials that are not using password aging. There is no report of this vulnerability being exploited in a clinical setting.

The vulnerability, known as CVE-2022-22767, affects BD Pyxis products and has a CVSSv3 score of 8.8. To exploit this vulnerability, an attacker would need to gain access to the default credentials, infiltrate a facility's network, and gain access to individual devices or servers. An attacker could then gain access to electronic protected health information (ePHI) or other sensitive information.


Remediation advice

Affected organisations should review the CISA Medical Advisory (ICSMA-22-151-01) BD Pyxis and the BD security advisory BD Pyxis Products - Default Credentials and follow the relevant workarounds.



Last edited: 1 June 2022 3:20 pm