Smiths Medical Medfusion 4000 Wireless Syringe Infusion Pump Vulnerabilities (Update A)

Act NowCVSS 3.7ICS-CERT ICSMA-17-250-02ASep 7, 2017

Healthcare

Attack path

Attack VectorNetwork

Auth RequiredNone

ComplexityHigh

User InteractionNone needed

Summary

The Medfusion 4000 Wireless Syringe Infusion Pump contains multiple vulnerabilities in wireless communication and command authentication that allow an attacker on the network to intercept, modify, or inject infusion commands. Affected vulnerabilities include buffer overflow (CWE-120, CWE-125), hardcoded credentials (CWE-798), weak access controls (CWE-284, CWE-260), insecure credentials storage (CWE-259), and improper certificate validation (CWE-295). An attacker could alter drug delivery rates, stop infusions, or cause other unintended pump behavior without authentication.

What this means

What could happen

An attacker with network access to the Medfusion 4000 wireless pump could intercept, modify, or spoof infusion commands, potentially altering drug delivery rates or stopping treatment. This could cause patient harm through incorrect medication dosing or therapy interruption.

Who's at risk

Healthcare facilities using Smiths Medical Medfusion 4000 Wireless Syringe Infusion Pumps in any version (1.1, 1.5, or 1.6) should care about this vulnerability. Infusion pumps are critical life-support equipment in intensive care, oncology, and general ward settings. Any disruption or malfunction can directly impact patient safety during drug delivery.

How it could be exploited

An attacker on the same network or with wireless range of the device could intercept unencrypted or weakly encrypted communications between the pump and the wireless network. By spoofing the pump or the control station, the attacker could send forged infusion commands (rate changes, stop/start) without authentication. The device trusts these commands and executes them directly on the infusion mechanism.

Prerequisites

Network access to the Medfusion 4000 device (wired or wireless)
Line-of-sight or wireless range to the device
Knowledge of the wireless protocol or command structure
Ability to capture or inject network traffic

Remotely exploitable over networkLow authentication complexityWeak encryption or default wireless settingsDirect impact on safety-critical medical deviceHigh EPSS score (25.8%)No patch available for versions 1.1 and 1.5Medical device end-of-life considerations

Exploitability

Likely to be exploited — EPSS score 25.8%

Affected products (3)

3 with fix

ProductAffected VersionsFix Status

Medfusion 4000 Wireless Syringe Infusion Pump:1.11.6.1

Medfusion 4000 Wireless Syringe Infusion Pump:1.61.6.1

Medfusion 4000 Wireless Syringe Infusion Pump:1.51.6.1

Remediation & Mitigation

0/5

Schedule — requires maintenance window

0/2

Patching may require device reboot — plan for process interruption

HOTFIXUpdate Medfusion 4000 pump to firmware version 1.6.1 or later to mitigate known vulnerabilities

HARDENINGRestrict wireless access to the pump to authorized control stations using MAC address filtering or network access controls

Long-term hardening

0/3

HARDENINGSegment the infusion pump network from general hospital IT networks using a dedicated VLAN or isolated wireless network

HARDENINGImplement wireless encryption (WPA2 or better) on the network segment where the pump communicates

HARDENINGMonitor the pump network for unauthorized devices or unexpected command traffic

CVEs (8)

CVE-2017-12718 CVE-2017-12722 CVE-2017-12725 CVE-2017-12720 CVE-2017-12724 CVE-2017-12726 CVE-2017-12721 CVE-2017-12723

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/8d758444-bd7d-4d03-90b6-94f32c3e5ac9

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.