OTPulse

GE CARESCAPE, ApexPro, and Clinical Information Center systems

Act Now | 10 | ICS-CERT ICSMA-20-023-01 | Jan 23, 2020
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

GE CARESCAPE patient monitoring systems, ApexPro telemetry servers, and Clinical Information Center systems contain multiple vulnerabilities (CWE-256, CWE-20, CWE-798, CWE-306, CWE-434, CWE-326). Affected versions: Clinical Information Center 4.X and 5.X; CARESCAPE Central Station 1.X and 2.X; CARESCAPE Telemetry Server 4.3 and earlier; ApexPro Telemetry Server 4.2 and earlier; and B650/B850/B450 monitor units. Exploitation is possible if an attacker gains access to the mission-critical (MC) or information exchange (IX) network segments. Successful exploitation could result in loss of patient monitoring and alarms, unauthorized access to protected health information, OS-level compromise of devices, tampering with alarm settings and thresholds, and disruption of remote management services. The vulnerabilities stem from improper network configuration, weak authentication, missing input validation, insecure file handling, and inadequate encryption. GE states no patches will be provided; remediation relies on proper network isolation and configuration per GE technical documentation.

What this means
What could happen
Loss of patient monitoring and critical alarms during active care, potentially allowing dangerous patient condition changes to go undetected. Attackers could alter alarm thresholds, silence alarms, access protected patient information, or disable patient monitoring devices entirely.
Who's at risk
Healthcare facilities operating GE CARESCAPE patient monitoring systems, ApexPro telemetry servers, and Clinical Information Center systems, particularly those with versions 4.2 or earlier. This affects any hospital, urgent care, or clinical setting that depends on continuous patient monitoring for active care decisions.
How it could be exploited
An attacker with access to the mission-critical (MC) or information exchange (IX) network—either through misconfiguration that allows external connectivity or physical access to network jacks—can interact directly with the CARESCAPE or ApexPro systems to extract patient data, modify alarm settings, change OS-level configurations, or disrupt monitoring services. The vulnerabilities include weak or default credentials (CWE-798), missing input validation (CWE-20), and insecure file upload mechanisms (CWE-434).
Prerequisites
  • Access to the mission-critical (MC) or information exchange (IX) network segment
  • Either: (1) Network misconfiguration allowing external connectivity to these segments, or (2) Physical access to devices on these networks to plug in directly
  • No special credentials or authentication bypass required for some exploitation paths
  • No patch available for any affected product
  • Remotely exploitable if network is misconfigured
  • Default or weak credentials
  • Affects patient safety systems (monitoring and alarm functionality)
  • Loss of alarms poses direct patient safety risk
Exploitability
Low exploit probability (EPSS 0.3%)
Affected products (11)
11 EOL
Product                              Affected Versions    Fix Status
Clinical Information Center (CIC)    4.X | 5.X            No fix (EOL)
CARESCAPE Central Station (CSCS)     1.X                  No fix (EOL)
B450                                 2.X                  No fix (EOL)
B850                                 2.X                  No fix (EOL)
B850                                 1.X                  No fix (EOL)
B650                                 1.X                  No fix (EOL)
B650                                 2.X                  No fix (EOL)
CARESCAPE Central Station (CSCS)     2.X                  No fix (EOL)
Remediation & Mitigation
Do now
  • HARDENING: Review and verify proper network segmentation and isolation of the MC and IX networks per GE's Patient Monitoring Network Configuration Guide and CARESCAPE Network Configuration Guide
  • HARDENING: Confirm that MC and IX networks cannot be accessed from external networks, DMZ, or clinical information systems that have outside connectivity
  • HARDENING: Implement access controls and firewall rules to restrict all traffic to/from MC and IX networks to only authorized clinical workstations and devices
  • HARDENING: Change any default credentials on CARESCAPE, ApexPro, and Clinical Information Center systems to strong, unique passwords
  • HARDENING: Restrict physical access to network ports and devices on MC and IX networks; document and audit all connection points
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

  • HARDENING: Apply network management best practices including monitoring for unauthorized access attempts and configuration drift on monitoring systems