Philips MRI 1.5T and 3T
Rating: Monitor (6.2)
Source: ICS-CERT ICSMA-21-313-01
Published: Nov 9, 2021
Attack Vector: Local
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
Philips MRI 1.5T and 3T systems (software version 5.x.x) contain access control vulnerabilities (CWE-284, CWE-708, CWE-200) that allow unauthorized local access. Successful exploitation could permit an attacker to view and export patient data, modify system configuration, execute arbitrary software, and compromise imaging system integrity. The vulnerabilities stem from improper enforcement of access restrictions on the MRI operating system.
What this means
What could happen
An attacker with local access to an MRI system could read patient data, modify system settings, or execute unauthorized software on the device. This could compromise patient privacy and the integrity of imaging operations.
Who's at risk
Healthcare providers operating Philips MRI 1.5T or 3T systems with software version 5.x.x are affected. This impacts radiology departments, medical imaging centers, and hospitals that rely on these MRI systems for diagnostic imaging. Patient data confidentiality and imaging workflow integrity are at risk.
How it could be exploited
An attacker with physical or local network access to the MRI workstation could exploit insufficient access controls (CWE-284) to bypass authentication or permission checks. Once access is gained, the attacker can view and exfiltrate patient imaging data, modify system configuration, or install unauthorized software on the MRI control system.
Prerequisites
- Physical or local network access to the MRI system console or workstation
- No credentials required (vulnerability exists in unauthenticated local access paths)
Key risk factors
- No authentication required for local access
- Low attack complexity
- Affects patient health records and privacy
- No patch currently available
- Medical device (affects patient care operations)
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (2): 2 pending fixes
Product | Affected Versions | Fix Status
MRI 1.5T | 5.x.x | No fix yet
MRI 3T | 5.x.x | No fix yet
Remediation & Mitigation
Do now
WORKAROUND: Contact Philips service support immediately to understand which interim mitigations are applicable to your specific MRI system model and software version.
HARDENING: Restrict physical access to MRI workstations and control consoles to authorized clinical and maintenance staff only.
HARDENING: Implement network segmentation to isolate the MRI system from general-purpose networks and internet connectivity.
Schedule — requires maintenance window
Note: Patching may require a device reboot; plan for process interruption.
HOTFIX: Plan for patching. Philips has committed to a security update by October 2022; schedule a maintenance window with your radiology department and Philips service team to deploy the patch when it becomes available.