OTPulse

BD Pyxis

Monitor · CVSS 6.8 · ICS-CERT ICSMA-18-114-01 · Apr 24, 2018
Attack Vector: Adjacent
Auth Required: None
Complexity: High
User Interaction: None needed
Summary

BD Pyxis medication dispensing and supply management systems are affected by the WPA2 key reinstallation attack (KRACK) against the Wi-Fi 4-way handshake. By replaying handshake message 3, an attacker within radio range can make the device's Wi-Fi client reinstall its pairwise key and reset the per-frame nonce, so that keystream is reused. Successful exploitation could allow the attacker to decrypt and manipulate encrypted data traffic, resulting in unauthorized access to medication transaction data or injection of false commands into the pharmacy workflow. The vulnerability affects all versions of BD Pyxis Anesthesia ES, Anesthesia System 3500/4000, MedStation ES/4000 T2, SupplyStation, Supply Roller, ParAssist, PARx (handheld and workstation), CIISafe Workstation, and StockStation System. BD has stated that third-party vendor patches are being deployed through routine channels for most devices, but some require direct coordination. No instances of active malicious exploitation have been reported.

What this means
What could happen
An attacker within Wi-Fi range could intercept and manipulate encrypted communications between BD Pyxis medication dispensing and supply management systems, potentially allowing unauthorized access to sensitive medication data or injection of malicious commands into the pharmacy workflow.
Who's at risk
Pharmacy and supply chain operations at hospitals and healthcare facilities using BD Pyxis medication dispensing systems, automated supply stations, and anesthesia management systems. This affects clinical staff relying on these systems for medication access, inventory control, and tracking. The Pyxis product family includes medication dispensing cabinets (MedStation, SupplyStation), anesthesia carts (Anesthesia ES, 3500, 4000), surgical supply systems (ParAssist, PARx), and inventory management (StockStation, CIISafe).
How it could be exploited
An attacker positioned within Wi-Fi range of a Pyxis device (a nearby parking lot or adjacent building is enough with a suitable antenna) establishes a channel-based man-in-the-middle position (a rogue access point cloning the real one on a different channel), withholds the device's handshake message 4 and replays message 3, causing the device to reinstall its key with a reset nonce. Frames the device then sends reuse keystream the attacker has already captured, so they can be decrypted; frames can also be replayed and, depending on the cipher suite in use, forged. In this environment that could mean interception of pharmacy transactions and medication access logs, or injection of commands that alter medication availability or access permissions. The device must be Wi-Fi connected and the attacker within radio range of it; the Wi-Fi passphrase is neither needed nor recovered.
Prerequisites
  • Wi-Fi network connectivity to the affected Pyxis device
  • Physical proximity to the facility (radio range of the device: tens to a few hundred feet with ordinary equipment, more with a directional antenna)
  • No special credentials or authentication required; the attack targets the device's Wi-Fi client and must be repeated per device
Key points:
  • Patch availability varies: BD states third-party patches reach most devices through routine channels while others require direct coordination, but the product list below shows all 12 products as end-of-life with no fix, so treat a device as unpatched until BD confirms otherwise
  • Attack complexity is rated High (the attacker needs a man-in-the-middle position on the Wi-Fi link), but the protocol weakness is public and test tooling exists
  • Physical proximity is required but the attacker does not need authentication
  • Affects safety-critical pharmacy workflow and medication access controls
  • Potential for data integrity violations (manipulation of medication transaction records)
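The mechanism behind the decryption claim above, as an added example that is not code from the advisory, ICS-CERT or BD: a tiny model of a Wi-Fi client's pairwise key state, once vulnerable and once with the fix (never reinstall a key already in use), showing that a replayed message 3 makes the client reuse keystream and that a captured frame with guessable content then decrypts the next one. The HMAC-based keystream is an assumed stand-in for CCMP's AES counter mode; the frame contents are constructed.

```python
"""Keystream reuse after a WPA2 key reinstallation (the mechanism behind KRACK).

Added example; not code from the advisory, ICS-CERT or BD. CCMP encrypts every
frame with AES in counter mode under the pairwise temporal key (TK) and a nonce
derived from the sender address and a per-frame packet number (PN). A
vulnerable client that accepts a replayed handshake message 3 reinstalls the
same TK and resets PN, so later frames reuse keystream the attacker has already
captured. Assumption: an HMAC-SHA256 stream stands in for AES-CTR; the reuse
property is identical because the keystream is a pure function of (TK, PN).
"""
import hashlib
import hmac


def keystream(tk: bytes, pn: int, length: int) -> bytes:
    """Stand-in for the CCMP counter-mode keystream: deterministic in (TK, PN)."""
    out = b""
    block = 0
    while len(out) < length:
        ctr = pn.to_bytes(6, "big") + block.to_bytes(2, "big")
        out += hmac.new(tk, ctr, hashlib.sha256).digest()
        block += 1
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class Supplicant:
    """Minimal model of a Wi-Fi client's pairwise key state."""

    def __init__(self, patched: bool):
        self.patched = patched
        self.tk = None
        self.pn = 0

    def install_ptk(self, tk: bytes) -> None:
        """Called when handshake message 3 is accepted."""
        if self.patched and tk == self.tk:
            return  # fix: never reinstall a key that is already in use, PN keeps counting
        self.tk = tk  # vulnerable path: reinstall and reset the packet number
        self.pn = 0

    def send(self, plaintext: bytes):
        self.pn += 1
        return self.pn, xor(plaintext, keystream(self.tk, self.pn, len(plaintext)))


def krack_keystream_reuse(tk: bytes, patched: bool):
    """Model one client; return (nonce_reused, recovered_bytes, secret_bytes).

    The attacker never learns tk; it is used here only to drive the client model.
    """
    client = Supplicant(patched)
    client.install_ptk(tk)                       # genuine message 3
    known = b"GET /pyxis/api/dispense HTTP/1.1"   # constructed frame with guessable content
    pn1, c1 = client.send(known)
    client.install_ptk(tk)                       # attacker replays message 3
    secret = b"patient=123456 drug=ABC qty=2"     # constructed, shorter than the known frame
    pn2, c2 = client.send(secret)
    recovered_ks = xor(c1, known)                # keystream for PN=pn1, from the known frame
    recovered = xor(c2, recovered_ks)            # only meaningful if pn2 == pn1
    return pn1 == pn2, recovered, secret


if __name__ == "__main__":
    for patched in (False, True):
        reused, got, want = krack_keystream_reuse(b"\x11" * 16, patched)
        print("patched" if patched else "vulnerable", "nonce reused:", reused, "decrypted:", got == want)
```

The patched branch is the essence of the vendor fixes: the key is installed once per handshake, so a retransmitted message 3 no longer resets the packet number and the second frame is encrypted under a fresh nonce. Access-point patches alone do not give the device this behaviour; the fix has to land on the Pyxis side of the link.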
Exploitability
Low exploit probability (EPSS 0.4%)
Affected products (12), all listed by ICS-CERT under "Certain BD Pyxis Products"
12 EOL
Product | Affected versions | Fix status
BD Pyxis Anesthesia ES | All versions | No fix (EOL)
BD Pyxis Anesthesia System 4000 | All versions | No fix (EOL)
BD Pyxis Anesthesia System 3500 | All versions | No fix (EOL)
BD Pyxis MedStation 4000 T2 | All versions | No fix (EOL)
BD Pyxis MedStation ES | All versions | No fix (EOL)
BD Pyxis SupplyStation | All versions | No fix (EOL)
BD Pyxis Supply Roller | All versions | No fix (EOL)
BD Pyxis ParAssist System | All versions | No fix (EOL)
BD Pyxis PARx | All versions | No fix (EOL)
BD Pyxis PARx handheld | All versions | No fix (EOL)
BD Pyxis CIISafe - Workstation | All versions | No fix (EOL)
BD Pyxis StockStation System | All versions | No fix (EOL)
Remediation & Mitigation
Do now
WORKAROUND: If patch deployment cannot be scheduled immediately, disable Wi-Fi on non-essential Pyxis devices and use wired Ethernet connectivity where feasible. Removing the radio link removes the attack surface entirely; every other control below only limits what an attacker can do after decrypting or injecting traffic.
Schedule — requires maintenance window
Patching may require a device reboot; plan for process interruption.
HOTFIX: Contact BD to schedule patch deployment for your specific Pyxis devices; BD is coordinating with users on a per-device basis. The fix has to be applied to the device's own Wi-Fi client; patching the access points does not protect an unpatched Pyxis device by itself.
HARDENING: Conduct a site survey to identify all Wi-Fi-connected Pyxis devices and document their locations and operational criticality.
Mitigations - no patch available
The following products have reached end of life with no planned fix: BD Pyxis Anesthesia ES, Anesthesia System 4000, Anesthesia System 3500, MedStation 4000 T2, MedStation ES, SupplyStation, Supply Roller, ParAssist System, PARx (workstation and handheld), CIISafe Workstation, and StockStation System. Apply the following compensating controls:
HARDENING: Implement network segmentation to isolate Pyxis devices on a separate VLAN with strict access controls; restrict Wi-Fi connectivity to essential administrative and clinical access only. Where the wireless infrastructure supports it, the access-point workaround of not retransmitting handshake message 3 (hostapd's wpa_disable_eapol_key_retries) reduces exposure of unpatched clients, at the cost of more failed handshakes on lossy links.
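A monitoring check the mitigations above do not include, added here as an example that is not code from the advisory, ICS-CERT or BD: a parser for EAPOL-Key frames from a monitor-mode capture near the pharmacy that flags a handshake message 3 sent to a client which has already answered with message 4, the exact precondition a key reinstallation attack creates. A lost message 4 produces the same pattern once, so the practical signal is repeated hits against the same device. The MAC addresses and frames are constructed test data; the sensor placement is an assumption.

```python
"""Spotting a replayed 4-way-handshake message 3 in a Wi-Fi monitor capture.

Added example; not code from the advisory, ICS-CERT or BD. Assumed compensating
check: a monitor-mode sensor records EAPOL-Key frames, and this parser flags a
message 3 sent to a client that has already sent message 4 (key reinstallation
precondition) and any message 3 whose replay counter does not increase (an
exact replay). MAC addresses and frames below are constructed test data.
"""
import struct

EAPOL_KEY = 3        # EAPOL packet type
RSN_DESCRIPTOR = 2   # IEEE 802.11 key descriptor type
KI_PAIRWISE, KI_INSTALL, KI_ACK, KI_MIC, KI_SECURE, KI_ENC = 0x0008, 0x0040, 0x0080, 0x0100, 0x0200, 0x1000
# EAPOL header plus fixed EAPOL-Key fields up to and including key data length (99 bytes)
HDR = struct.Struct("!BBHBHHQ32s16sQQ16sH")


def build_eapol_key(key_info: int, replay: int) -> bytes:
    """Build a minimal EAPOL-Key frame (zero nonce/MIC, no key data) for test captures."""
    return HDR.pack(2, EAPOL_KEY, HDR.size - 4, RSN_DESCRIPTOR, key_info, 16, replay,
                    b"\x00" * 32, b"\x00" * 16, 0, 0, b"\x00" * 16, 0)


def parse_eapol_key(frame: bytes):
    """Return (message_number, replay_counter) for a pairwise handshake frame, else None."""
    if len(frame) < HDR.size:
        return None
    _, ptype, _, desc, key_info, _, replay = HDR.unpack_from(frame)[:7]
    if ptype != EAPOL_KEY or desc != RSN_DESCRIPTOR or not key_info & KI_PAIRWISE:
        return None
    ack, mic, install, secure = (bool(key_info & b) for b in (KI_ACK, KI_MIC, KI_INSTALL, KI_SECURE))
    if ack and not mic:
        return 1, replay
    if ack and mic and install:
        return 3, replay
    if mic and not ack:
        return (4 if secure else 2), replay
    return None


def detect_reinstallation(frames):
    """frames: iterable of (src_mac, dst_mac, eapol_bytes) in capture order; returns alert strings."""
    state, alerts = {}, []
    for src, dst, raw in frames:
        parsed = parse_eapol_key(raw)
        if parsed is None:
            continue
        msg, replay = parsed
        ap, sta = (src, dst) if msg in (1, 3) else (dst, src)   # the AP sends messages 1 and 3
        s = state.setdefault((ap, sta), {"stage": 0, "ap_replay": -1})
        if msg == 1:
            s["ap_replay"] = -1   # new handshake: the AP's replay counter may restart
        elif msg == 3:
            if replay <= s["ap_replay"]:
                alerts.append(f"{ap}->{sta}: message 3 with non-increasing replay counter {replay} (replayed frame)")
            if s["stage"] == 4:
                alerts.append(f"{ap}->{sta}: message 3 (replay {replay}) after the client already sent message 4")
        if msg in (1, 3):
            s["ap_replay"] = max(s["ap_replay"], replay)
        s["stage"] = msg
    return alerts


AP, STA = "00:11:22:33:44:55", "aa:bb:cc:dd:ee:01"   # constructed: access point and a Pyxis client
M1 = KI_PAIRWISE | KI_ACK
M2 = KI_PAIRWISE | KI_MIC
M3 = KI_PAIRWISE | KI_ACK | KI_MIC | KI_INSTALL | KI_SECURE | KI_ENC
M4 = KI_PAIRWISE | KI_MIC | KI_SECURE


def benign_capture():
    """A normal four-message handshake (constructed)."""
    return [(AP, STA, build_eapol_key(M1, 1)), (STA, AP, build_eapol_key(M2, 1)),
            (AP, STA, build_eapol_key(M3, 2)), (STA, AP, build_eapol_key(M4, 2))]


def krack_capture():
    """Normal handshake, then message 3 retransmitted after message 4, then an exact replay (constructed)."""
    return benign_capture() + [(AP, STA, build_eapol_key(M3, 3)), (STA, AP, build_eapol_key(M4, 3)),
                               (AP, STA, build_eapol_key(M3, 3))]


if __name__ == "__main__":
    for line in detect_reinstallation(krack_capture()):
        print(line)
```

Feeding this real traffic means extracting the EAPOL payload from captured 802.11 data frames (after the LLC/SNAP header) and the source and destination addresses from the 802.11 header; the classification by Key Information bits and the replay-counter bookkeeping are unchanged. Because the sensor sees message 4 even when the access point does not, a single alert is expected occasionally on a lossy link; several against one Pyxis device in a short window is what should page someone.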