Philips Patient Information Center iX (PIC iX) and Efficia CM Series

MonitorCVSS 6.5ICS-CERT ICSMA-21-322-02Nov 18, 2021

Philips

Attack path

Attack VectorAdjacent

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

Philips Patient Information Center iX (PIC iX) and Efficia CM Series cardiac monitors contain vulnerabilities in input validation (CWE-20), weak cryptographic handling (CWE-321, CWE-327) that allow an attacker on the network to access patient data and cause temporary denial of service of the central monitoring display. Exploitation does not enable modification of device settings or point-of-care configurations. The Efficia CM Series (revisions A.01 through 4.0) has no fix available. PIC iX partial remediation was released in Q3 2021 (version C.03.06) for one vulnerability; Philips planned to address remaining vulnerabilities by end of Q2 2023.

What this means

What could happen

An attacker with network access to these monitoring systems could view sensitive patient data and temporarily disable the ability to see vital signs at the central nursing station, disrupting clinical monitoring. The attacker cannot alter device settings or change treatment parameters on bedside monitors.

Who's at risk

Hospital clinical engineering and IT teams responsible for patient monitoring infrastructure. This affects Philips bedside cardiac monitors (Efficia CM Series) and centralized patient data display systems (PIC iX) used in critical care, telemetry, and ICU settings to view real-time vital signs from multiple patients.

How it could be exploited

An attacker on the hospital network could send specially crafted network packets to the PIC iX central station or Efficia CM bedside monitors to trigger a vulnerability in input validation (CWE-20) or weak cryptographic practices (CWE-327). This causes the system to either expose data or become unresponsive, blocking the display of vital signs.

Prerequisites

Network access to the Patient Information Center iX or Efficia CM Series on the hospital LAN
No authentication required
Device must be running affected firmware revisions (PIC iX B.02, C.02, C.03 or Efficia CM A.01 through C.0x, 4.0)

remotely exploitableno authentication requiredaffects clinical monitoring systemsno patch available for Efficia CM Serieslow complexity exploitation

Exploitability

Unlikely to be exploited — EPSS score 0.1%

Affected products (2)

1 with fix1 EOL

ProductAffected VersionsFix Status

Patient Information Center iX (PIC iX):B.02 | C.02 | C.03C.03.06

Efficia CM Series: Revisions A.01 to C.0x and 4.0A.01 ≤ C.0x | 4.0No fix (EOL)

Remediation & Mitigation

0/5

Do now

0/1

WORKAROUNDWork with Philips to verify your system configurations and determine which CVEs apply to your specific deployed versions

Schedule — requires maintenance window

0/2

Patching may require device reboot — plan for process interruption

Patient Information Center iX (PIC iX):

HOTFIXFor PIC iX: Update to version C.03.06 or later (available in Q3 2021) to fix CVE-2021-43548; contact Philips support for timeline on remaining CVE fixes (CVE-2021-43552, CVE-2021-43550) planned for Q2 2023

All products

HOTFIXFor Efficia CM Series: Contact Philips service support regarding patch availability and upgrade options; no public timeline provided for vulnerability remediation

Mitigations - no patch available

0/2

Efficia CM Series: Revisions A.01 to C.0x and 4.0 has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:

HARDENINGSegment the hospital network so PIC iX and Efficia CM Series devices are on a dedicated clinical network with firewall rules that restrict access to authorized stations and data aggregators only

HARDENINGEnsure all Philips products are operated within Philips authorized specifications, using only Philips-approved software versions, configurations, and security settings

CVEs (3)

CVE-2021-43548 CVE-2021-43552 CVE-2021-43550

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/e2de05af-874a-4137-aa35-8750c373071e

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.