OTPulse

Baxter Sigma Spectrum Infusion Pumps (Update B)

CVSS 8.6 · ICS-CERT ICSMA-20-170-04 · Jun 18, 2020
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

Baxter Spectrum Infusion Pump models 35700BAX, 35700BAX2, 35700BAX3, and Spectrum LVP variants contain vulnerabilities in wireless and network communication (CWE-259: hardcoded credentials, CWE-319: cleartext transmission, CWE-732: improper permissions, CWE-672: operation on untrusted data). Affected versions include Spectrum v6.x–v9.x and Spectrum LVP v6.x–v9.x with wireless battery modules. Exploitation could allow unauthorized access to patient data, modification of pump configuration (including drug type, flow rates, alarm settings), and denial of service. No vendor patch is available for any affected model. Baxter recommends network isolation, strong wireless encryption (WPA2/EAP-TLS), physical access controls, and monitoring for unexpected traffic.

What this means
What could happen
An attacker with network access to a Spectrum Infusion Pump could read sensitive patient data, change pump settings (drug type, flow rate, alarms), or cause the pump to stop functioning, directly impacting patient safety and medication delivery.
Who's at risk
Hospital pharmacy and clinical engineering teams managing Baxter Spectrum Infusion Pumps, particularly those with wireless-capable models running versions 6.x through 9.x. Any facility using these pumps for continuous IV medication delivery should assess their network environment and physical controls.
How it could be exploited
An attacker on the hospital network or connected via wireless can reach the pump's network interface. The vulnerability allows the attacker to intercept wireless communications (which are transmitted in clear text due to weak encryption), access configuration data, or issue commands to alter pump operation without authentication.
Prerequisites
  • Network access to the Spectrum Infusion Pump (wired or wireless)
  • No authentication required to exploit the vulnerability
  • Wireless module must be present and enabled on the device
Key risk factors
  • Remotely exploitable via network/wireless
  • No authentication required
  • Affects medical safety systems (infusion delivery)
  • No patch available from vendor
  • Weak encryption/clear-text communications
  • Default or minimal configuration security
Exploitability
Low exploit probability (EPSS 0.3%)
Affected products (6), all pending a fix

Product            | Affected versions                                                                                                          | Fix status
Spectrum           | v8.x, model 35700BAX2                                                                                                      | No fix yet
Sigma Spectrum LVP | v6.x with Wireless Battery Modules v9, v11, v13, v14, v15, v16, v16D38, v17, v17D19, v20D29 to v20D32, and v22D24 to v22D28 | No fix yet
Sigma Spectrum     | v6.x, model 35700BAX                                                                                                       | No fix yet
Spectrum LVP       | v8.x with Wireless Battery Modules v17, v17D19, v20D29 to v20D32, and v22D24 to v22D28                                      | No fix yet
Spectrum           | v9.x, model 35700BAX3                                                                                                      | No fix yet
Spectrum LVP       | v9.x with Wireless Battery Module v22D19 to v22D28                                                                          | No fix yet
Remediation & Mitigation

Do now
  • [HARDENING] Monitor for and block unexpected outbound traffic (e.g., FTP) from the Spectrum VLAN at network boundaries
  • [HARDENING] Ensure physical controls are in place to prevent unauthorized physical access to devices

Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
  • [WORKAROUND] Reboot the Wireless Battery Module after network configuration by removing it for 10-15 seconds and re-attaching

Long-term hardening
  • [HARDENING] Isolate the Spectrum Infusion System on its own network VLAN, physically separate from other hospital systems and workstations
  • [HARDENING] Configure the strongest available wireless security protocols (WPA2 or WPA3 with EAP-TLS) on the wireless network serving the pump
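The two network controls above (a dedicated pump VLAN, and monitoring for unexpected egress such as FTP at its boundary) can be checked mechanically against flow records. The script below is an added illustration, not OTPulse or Baxter code: it assumes the pumps sit in a placeholder subnet, that the only legitimate outbound destination is a hypothetical pump management server over TLS, and it runs over a few constructed flow records rather than real captures. Flows that leave the VLAN for an unlisted destination are reported, with FTP flagged for blocking.

```python
"""Flag unexpected outbound traffic from an isolated infusion-pump VLAN.

Added illustration, not OTPulse or Baxter code. Assumes the Spectrum pumps
live in their own VLAN (subnet below is a placeholder) and that the only
legitimate outbound destination is a pump management server; everything
else, especially FTP (TCP/20-21), is reported so it can be blocked.
"""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Placeholder values: a site substitutes its own pump VLAN and server.
PUMP_VLAN = ipaddress.ip_network("10.50.0.0/24")
ALLOWED_DESTINATIONS = {
    ("10.50.1.10", 443),  # hypothetical pump management server, TLS
}
FTP_PORTS = {20, 21}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str


# Constructed sample flows (not captured from a real pump network).
SAMPLE_FLOWS = [
    Flow("10.50.0.21", "10.50.1.10", 443, "tcp"),   # expected server traffic
    Flow("10.50.0.21", "10.50.0.22", 5000, "udp"),  # stays inside the VLAN
    Flow("10.50.0.33", "10.20.7.5", 21, "tcp"),     # FTP leaving the VLAN
    Flow("10.50.0.33", "192.0.2.44", 8080, "tcp"),  # unlisted egress
    Flow("10.20.7.5", "10.50.0.33", 21, "tcp"),     # inbound, not egress
]


def leaves_vlan(flow: Flow) -> bool:
    """True when the source is a pump and the destination is outside the VLAN."""
    src = ipaddress.ip_address(flow.src)
    dst = ipaddress.ip_address(flow.dst)
    return src in PUMP_VLAN and dst not in PUMP_VLAN


def classify(flow: Flow) -> Optional[str]:
    """Return an alert label for unexpected egress, or None if the flow is expected."""
    if not leaves_vlan(flow):
        return None
    if (flow.dst, flow.dport) in ALLOWED_DESTINATIONS:
        return None
    if flow.proto == "tcp" and flow.dport in FTP_PORTS:
        return "block: FTP egress from pump VLAN"
    return "review: unlisted egress from pump VLAN"


def find_unexpected_egress(flows: Iterable[Flow]) -> List[Tuple[Flow, str]]:
    """Collect (flow, label) pairs for every flow that should be blocked or reviewed."""
    results = []
    for flow in flows:
        label = classify(flow)
        if label is not None:
            results.append((flow, label))
    return results


if __name__ == "__main__":
    for flow, label in find_unexpected_egress(SAMPLE_FLOWS):
        print(f"{label}: {flow.src} -> {flow.dst}:{flow.dport}/{flow.proto}")
```

The allow-list is deliberately a set of (destination, port) pairs rather than a destination alone, so a pump talking to the right server on an unexpected port is still surfaced for review; in practice the flows would come from a firewall or NetFlow export at the VLAN boundary rather than the inline sample.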