OTPulse

Philips Brilliance Computed Tomography (CT) System (Update A)

Plan: Patch
CVSS: 8.4
ICS-CERT advisory: ICSMA-18-123-01
Date: May 3, 2018
Attack Vector: Local
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

Multiple privilege escalation and hard-coded credential vulnerabilities exist in Philips Brilliance CT systems. Successful exploitation allows an attacker with local access to gain elevated privileges and access unauthorized system resources, including patient health information, system files, directories, and configuration settings. The vulnerabilities affect the confidentiality, integrity, and availability of the imaging system. Philips has remediated the hard-coded credentials in Brilliance iCT 4.x and later versions through credential management capabilities accessible via the Philips InCenter. The MX8000 Dual EXP has been unsupported since 2017; Philips recommends replacement. No other patches are currently available for earlier Brilliance CT models.

What this means
What could happen
An attacker with local access to a Philips Brilliance CT system could gain elevated privileges and access patient health records, modify system settings, or disrupt imaging operations. This creates risks to patient privacy and system availability in a healthcare facility.
Who's at risk
Healthcare facilities operating Philips Brilliance CT imaging systems, specifically radiology departments and diagnostic centers. Affected models include Brilliance CT Big Bore, Brilliance iCT, Brilliance iCT SP, and Brilliance 64. The vulnerabilities impact confidentiality (patient data), integrity (system settings), and availability (imaging operations).
How it could be exploited
An attacker with physical or local network access to the CT system could exploit hard-coded credentials or privilege escalation vulnerabilities to gain elevated system access. Once privileged, they could execute commands, read/modify patient data, or alter system configuration files.
Prerequisites
  • Local access to the CT system console or local network segment
  • No credentials required for initial access (hard-coded credentials present)
  • Direct interaction with the operating system or network services on the affected CT device
Key points
  • No patch available for most affected models
  • Hard-coded credentials present
  • Affects medical imaging equipment
  • Impacts patient health information (PHI) confidentiality
  • Low local complexity exploitation
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (4)
2 with fix, 2 EOL
Product | Affected Versions | Fix Status
Brilliance CT Big Bore | ≤ 2.3.5 | No fix (EOL)
Brilliance iCT | ≤ 4.1.6 | 4.x and above (partial remediation for hard-coded credentials only)
Brilliance 64 | ≤ 2.6.2 | No fix (EOL)
Brilliance iCT SP | ≤ 3.2.4 | 4.x and above (partial remediation for hard-coded credentials only)
Remediation & Mitigation
Do now
WORKAROUND: Review and change any default or hard-coded credentials on affected systems if possible through the Philips InCenter credential management portal
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Upgrade Brilliance iCT systems to version 4.x or later, which includes remediated hard-coded credentials
Long-term hardening
HOTFIX: For MX8000 Dual EXP systems (out of support since 2017), plan replacement with current Philips CT equipment
Mitigations - no patch available
The following products have reached End of Life with no planned fix: Brilliance CT Big Bore, Brilliance 64. Apply the following compensating controls:
HARDENING: For systems that cannot be updated, restrict physical and network access to CT system consoles and administrative interfaces using access controls and network segmentation