Philips Patient Information Center iX (PIC iX) and Efficia CM Series
Monitor | 6.5 | ICS-CERT ICSMA-21-322-02 | Nov 18, 2021
Attack Vector: Adjacent
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
Philips Patient Information Center iX (PIC iX) and Efficia CM Series cardiac monitors contain vulnerabilities in input validation (CWE-20) and weak cryptographic handling (CWE-321, CWE-327) that allow an attacker on the network to access patient data and cause a temporary denial of service of the central monitoring display. Exploitation does not enable modification of device settings or point-of-care configurations. The Efficia CM Series (revisions A.01 through 4.0) has no fix available. A partial PIC iX remediation was released in Q3 2021 (version C.03.06) for one vulnerability; Philips planned to address the remaining vulnerabilities by the end of Q2 2023.
What this means
What could happen
An attacker with network access to these monitoring systems could view sensitive patient data and temporarily disable the ability to see vital signs at the central nursing station, disrupting clinical monitoring. The attacker cannot alter device settings or change treatment parameters on bedside monitors.
Who's at risk
Hospital clinical engineering and IT teams responsible for patient monitoring infrastructure. This affects Philips bedside cardiac monitors (Efficia CM Series) and centralized patient data display systems (PIC iX) used in critical care, telemetry, and ICU settings to view real-time vital signs from multiple patients.
How it could be exploited
An attacker on the hospital network could send specially crafted network packets to the PIC iX central station or Efficia CM bedside monitors to trigger a vulnerability in input validation (CWE-20) or weak cryptographic practices (CWE-327). This causes the system to either expose data or become unresponsive, blocking the display of vital signs.
Prerequisites
- Network access to the Patient Information Center iX or Efficia CM Series on the hospital LAN
- No authentication required
- Device must be running affected firmware revisions (PIC iX B.02, C.02, C.03 or Efficia CM A.01 through C.0x, 4.0)
Tags: remotely exploitable · no authentication required · affects clinical monitoring systems · no patch available for Efficia CM Series · low complexity exploitation
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (2): 1 with fix, 1 EOL
Product: Patient Information Center iX (PIC iX); Affected versions: B.02, C.02, C.03; Fix status: C.03.06
Product: Efficia CM Series, revisions A.01 to C.0x and 4.0; Affected versions: A.01 through C.0x, and 4.0; Fix status: No fix (EOL)
Remediation & Mitigation
Do now
[WORKAROUND] Work with Philips to verify your system configurations and determine which CVEs apply to your specific deployed versions.
Schedule — requires maintenance window
Patching may require a device reboot; plan for process interruption.
Patient Information Center iX (PIC iX):
[HOTFIX] For PIC iX: update to version C.03.06 or later (available in Q3 2021) to fix CVE-2021-43548; contact Philips support for the timeline on the remaining CVE fixes (CVE-2021-43552, CVE-2021-43550) planned for Q2 2023.
All products
[HOTFIX] For Efficia CM Series: contact Philips service support regarding patch availability and upgrade options; no public timeline has been provided for vulnerability remediation.
Mitigations - no patch available
Efficia CM Series: Revisions A.01 to C.0x and 4.0 has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:
[HARDENING] Segment the hospital network so that PIC iX and Efficia CM Series devices sit on a dedicated clinical network, with firewall rules that restrict access to authorized stations and data aggregators only.
[HARDENING] Ensure all Philips products are operated within Philips authorized specifications, using only Philips-approved software versions, configurations, and security settings.
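The segmentation control above calls for firewall rules that admit only authorized stations and data aggregators into the clinical network. As an added example that is not part of the advisory and is not Philips code, the script below generates an nftables ruleset for a Linux firewall that forwards traffic between the hospital LAN and a dedicated clinical VLAN. The subnet 10.50.0.0/24 and the station addresses are assumed placeholders; the ruleset deliberately names no Philips protocol or port, because the advisory gives none, and instead allows listed stations to open connections to the clinical subnet while everything else toward that subnet is logged and dropped.

```shell
#!/bin/sh
# Added example, not from the advisory or from Philips. Generates an nftables
# ruleset that isolates a clinical monitoring VLAN behind an allow-list.
# Addresses below are assumed placeholders: replace with your own clinical
# subnet and the authorized nursing stations / data aggregators.

CLINICAL_NET="${CLINICAL_NET:-10.50.0.0/24}"                          # assumed subnet holding PIC iX / Efficia CM
AUTHORIZED_STATIONS="${AUTHORIZED_STATIONS:-10.10.1.10 10.10.1.11}"   # assumed station addresses

# gen_clinical_ruleset <clinical-subnet> <station-ip>...
# Emits an nftables ruleset: the forward chain defaults to drop, replies to
# established flows are accepted, listed stations may open new connections to
# the clinical subnet, and any other attempt to reach it is logged and dropped.
gen_clinical_ruleset() {
    net="$1"; shift
    printf 'table inet clinical {\n'
    printf '  set authorized_stations {\n    type ipv4_addr\n    elements = { '
    first=1
    for ip in "$@"; do
        if [ "$first" -eq 1 ]; then first=0; else printf ', '; fi
        printf '%s' "$ip"
    done
    printf ' }\n  }\n'
    printf '  chain forward {\n'
    printf '    type filter hook forward priority 0; policy drop;\n'
    printf '    ct state established,related accept\n'
    printf '    ip saddr @authorized_stations ip daddr %s ct state new accept\n' "$net"
    printf '    ip daddr %s log prefix "clinical-drop: " drop\n' "$net"
    printf '  }\n}\n'
}

# count_authorized <clinical-subnet> <station-ip>...
# Review helper: counts the station addresses the generated ruleset admits,
# so a change-control check can confirm the allow-list matches the approved list.
count_authorized() {
    gen_clinical_ruleset "$@" | sed -n 's/.*elements = { \(.*\) }.*/\1/p' | tr ',' '\n' | grep -c .
}

# Stand-alone run: print the ruleset for review before loading it with nft -f.
gen_clinical_ruleset "$CLINICAL_NET" $AUTHORIZED_STATIONS
```

Load the printed ruleset with `nft -f` only after review on the firewall that separates the two networks. The `clinical-drop:` log prefix turns every refused attempt to reach the clinical subnet into a kernel log line, which gives the clinical engineering and IT teams a simple signal for unexpected hosts probing the monitoring network.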