OTPulse

BD Pyxis

MonitorCVSS 7ICS-CERT ICSMA-22-062-01Mar 3, 2022
BD
Attack path
Attack VectorLocal
Auth RequiredLow
ComplexityHigh
User InteractionNone needed
Summary

BD Pyxis devices contain hard-coded credentials that could allow an attacker with physical access to authenticate to the system and access electronic protected health information (ePHI), medication inventory data, and potentially alter medication dispensing records. The vulnerability affects a broad range of Pyxis product family members used for medication and supply management in healthcare facilities. BD states it is strengthening credential management capabilities but has not yet released patches for any affected products. The vulnerability requires physical access to a device and is not remotely exploitable.

What this means
What could happen
An attacker with physical access to a Pyxis device could use hard-coded credentials to gain unauthorized access to patient medication records and electronic protected health information (ePHI), potentially enabling theft of sensitive data or tampering with inventory systems that directly affect medication dispensing.
Who's at risk
Healthcare facilities operating any BD Pyxis medication dispensing, inventory, or supply management device are affected. This includes anesthesia stations, medication stations, supply centers, and IV preparation systems. Critical for pharmacy operations, medication safety, and compliance with patient data protection requirements (HIPAA).
How it could be exploited
An attacker must gain physical access to a BD Pyxis device, then use hard-coded credentials embedded in the system to log in and access the management interface. Once authenticated, the attacker can view and potentially modify medication inventory, patient records, and system configuration without being detected.
Prerequisites
  • Physical access to the Pyxis device
  • Knowledge of hard-coded credentials (default or embedded in firmware)
  • No specialized tools or legitimate user credentials required
Hard-coded credentials in firmwareAccess to ePHI and sensitive medication dataNo vendor patch available for any affected productDifficult to detect unauthorized access without monitoringAffects medication dispensing and patient safety operations
Exploitability
Unlikely to be exploited — EPSS score 0.1%
Affected products (24)
24 EOL
ProductAffected VersionsFix Status
Pyxis - BD Pyxis Anesthesia Station ESAll versionsNo fix (EOL)
Pyxis - BD Pyxis Med Link FamilyAll versionsNo fix (EOL)
Pyxis - BD Pyxis MedBankAll versionsNo fix (EOL)
Pyxis - BD Pyxis MedStation ESAll versionsNo fix (EOL)
Pyxis - BD Pyxis ParAssistAll versionsNo fix (EOL)
Remediation & Mitigation
0/6
Do now
0/5
HARDENINGRestrict physical access to BD Pyxis devices to authorized personnel only—implement badge readers, restricted room access, or direct supervision of maintenance areas
HARDENINGPlace all affected BD Pyxis devices on an isolated VLAN with firewall rules that restrict network traffic to only trusted management hosts and authorized network connections
HARDENINGEnable comprehensive logging and alerting on all network connections to Pyxis devices and review logs regularly for unauthorized access attempts
HARDENINGEnforce strong access controls and maintain strict inventory of all Pyxis system credentials issued to authorized users; rotate credentials regularly and disable unused accounts
WORKAROUNDEnsure the BD Pyxis Security Module is deployed and configured for automated patching and virus definition updates across all affected devices
Schedule — requires maintenance window
0/1

Patching may require device reboot — plan for process interruption

HOTFIXMonitor BD security bulletins and contact your BD support representative to request firmware updates that strengthen credential management capabilities
View full CISA ICS-CERT advisory
API: /api/v1/advisories/c9d6516d-44e8-40cd-a719-6100e0a59086

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.