GE Healthcare Imaging and Ultrasound Products

Act Now9.8ICS-CERT ICSMA-20-343-01Dec 8, 2020

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

GE Healthcare diagnostic imaging and ultrasound products contain authentication weaknesses that allow an attacker with network access to gain remote access with privileges comparable to GE remote service accounts. Affected products include MRI systems (Signa, Brivo, Optima MR), ultrasound devices (LOGIQ, Vivid, Voluson), CT scanners, X-ray systems, nuclear medicine equipment, and mammography devices across all versions and revisions listed. Successful exploitation could expose patient health information (PHI) or allow arbitrary code execution, potentially disrupting imaging operations or allowing manipulation of patient data. GE states there is no software patch available but recommends firewall configuration hardening, default password changes, and adherence to clinical network security best practices.

What this means

What could happen

An attacker with network access to affected GE diagnostic imaging devices could gain remote access comparable to GE service credentials, potentially exposing patient health information or running arbitrary code that disrupts imaging operations.

Who's at risk

All GE Healthcare imaging and ultrasound equipment in diagnostic departments is affected, including MRI systems (Signa, Brivo, Optima MR), ultrasound systems (LOGIQ, Vivid, Voluson, EchoPAC), CT scanners (LightSpeed, Optima CT, BrightSpeed, Discovery CT, Revolution), X-ray systems (Innova, Optima IGS, Definium, Brivo XR, Precision), nuclear medicine systems (Discovery NM, Brivio NM, Infinia, Ventri), and mammography devices (Senographe, Seno). Any healthcare facility using these devices is affected.

How it could be exploited

An attacker on the hospital network could target default credentials or weak authentication mechanisms on imaging devices (MRI, ultrasound, CT, X-ray, nuclear medicine systems). Once access is gained, the attacker could execute commands with service-level privileges to read/modify patient data or disrupt device availability.

Prerequisites

Network access to the healthcare delivery organization's network where imaging devices are located
Ability to reach affected devices on the clinical network (no requirement to be on the same subnet if routing permits)

Remotely exploitableNo authentication required (default credentials)Low attack complexityNo patch availableAffects healthcare delivery systems and patient dataWide deployment across hospital diagnostic imaging departments

Exploitability

Low exploit probability (EPSS 0.2%)

Affected products (106)

106 pending

ProductAffected VersionsFix Status

3.0T Signa Hdxt: HD 16 | HD23HD 16 | HD23No fix yet

3.0T Signa HDXx: HD 16 | HD23HD 16 | HD23No fix yet

1.5T Brivo MR355: SV20.1 | SV23.0SV20.1 | SV23.0No fix yet

Optima MR360: SV20.1 | SV23.0SV20.1 | SV23.0No fix yet

1.5T Signa Hdx: HD 16 | HD23HD 16 | HD23No fix yet

Remediation & Mitigation

0/5

Do now

0/3

HARDENINGChange default passwords on all affected imaging devices to strong, unique credentials

WORKAROUNDImplement firewall rules to restrict access to imaging device management ports to authorized clinical engineering and IT staff only

WORKAROUNDApply GE-provided mitigations available on the GE Healthcare Product Security Portal for your specific device models and software versions

Long-term hardening

0/2

HARDENINGSegment imaging devices onto a separate VLAN with strict controls on which stations and services can communicate with them

HARDENINGReview and enforce clinical network security best practices as recommended by GE (e.g., network monitoring, access controls, system hardening)

CVEs (2)

CVE-2020-25175 CVE-2020-25179

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/f77a2e80-9a12-406e-a3a9-08f32d55b9e1