Baxter ExactaMix (Update A)
Act Now · 8.1 · ICS-CERT ICSMA-20-170-01 · Jun 18, 2020
Attack Vector: Network
Auth Required: None
Complexity: High
User Interaction: None needed
Summary
Multiple vulnerabilities in Baxter ExactaMix compounder models allow unauthorized access to sensitive data, modification of system configuration and drug compounding parameters, and disruption of service. The vulnerabilities stem from weak credential management (CWE-259), unencrypted communications (CWE-319), insufficient access controls (CWE-284), and improper input validation (CWE-20). Affected models are EM2400 (versions 1.10, 1.11, 1.13, 1.14) and EM1200 (versions 1.1, 1.2, 1.4, 1.5). These are actively being exploited in the wild.
What this means
What could happen
An attacker with network access to an ExactaMix compounder could gain unauthorized access to the device, steal sensitive data about patient medications, alter drug compounding parameters, or disrupt medication preparation operations.
Who's at risk
Hospital pharmacy departments and compounding centers using Baxter ExactaMix EM2400 or EM1200 automated drug compounders. This affects patient safety operations directly, as these devices are responsible for preparing intravenous medications and other critical compounds.
How it could be exploited
An attacker on the network can exploit weak security controls (hardcoded credentials, unencrypted communications, or insufficient access controls) on an ExactaMix compounder to gain remote access. Once inside, the attacker can read configuration data, modify drug formulations and mixing ratios, or stop the compounding process entirely.
Prerequisites
- Network access to the ExactaMix device (port/protocol not specified in advisory)
- Device running an affected version (EM2400 v1.10/1.11/1.13/1.14 or EM1200 v1.1/1.2/1.4/1.5)
- No authentication required based on high severity and CVE patterns
remotely exploitable · no authentication required · actively exploited (KEV) · high EPSS score (94%) · affects healthcare/patient safety operations · no patch available for some versions · weak credential and encryption controls
Exploitability
Actively exploited — confirmed by CISA KEV
Affected products (2)
2 with fix
| Product | Affected Versions | Fix Status |
|---|---|---|
| ExactaMix EM1200 | 1.1, 1.2, 1.4, 1.5 | Version 1.4 or later |
| ExactaMix EM2400 | 1.10, 1.11, 1.13, 1.14 | Version 1.13 (for 1.10 and 1.11) or later |
Remediation & Mitigation
Do now
- HOTFIX: Contact Baxter service support to upgrade ExactaMix EM2400 to Version 1.13 or later, or ExactaMix EM1200 to Version 1.4 or later
- HARDENING: Request and implement the ExactaMix Cybersecurity Guide from Baxter (contact productsecurity@baxter.com) for best practices on securing the device
- HARDENING: Segment the ExactaMix compounder on a dedicated network or VLAN separate from general IT systems and restrict network access using firewall rules
- WORKAROUND: Monitor network traffic to and from the ExactaMix device for unauthorized access attempts
CVEs (7)