BD Pyxis
ICS-CERT ICSMA-22-062-01 · Mar 3, 2022
Attack Vector: Local
Auth Required: Low
Complexity: High
User Interaction: None needed
Summary
BD Pyxis devices contain hard-coded credentials that could allow an attacker with physical access to authenticate to the system and access electronic protected health information (ePHI), medication inventory data, and potentially alter medication dispensing records. The vulnerability affects a broad range of Pyxis product family members used for medication and supply management in healthcare facilities. BD states it is strengthening credential management capabilities but has not yet released patches for any affected products. The vulnerability requires physical access to a device and is not remotely exploitable.
What this means
What could happen
An attacker with physical access to a Pyxis device could use hard-coded credentials to gain unauthorized access to patient medication records and electronic protected health information (ePHI), potentially enabling theft of sensitive data or tampering with inventory systems that directly affect medication dispensing.
Who's at risk
Healthcare facilities operating any BD Pyxis medication dispensing, inventory, or supply management device are affected. This includes anesthesia stations, medication stations, supply centers, and IV preparation systems. These systems are critical to pharmacy operations, medication safety, and compliance with patient data protection requirements (HIPAA).
How it could be exploited
An attacker must gain physical access to a BD Pyxis device, then use hard-coded credentials embedded in the system to log in and access the management interface. Once authenticated, the attacker can view and potentially modify medication inventory, patient records, and system configuration without being detected.
Prerequisites
- Physical access to the Pyxis device
- Knowledge of hard-coded credentials (default or embedded in firmware)
- No specialized tools or legitimate user credentials required
Key points
- Hard-coded credentials in firmware
- Access to ePHI and sensitive medication data
- No vendor patch available for any affected product
- Difficult to detect unauthorized access without monitoring
- Affects medication dispensing and patient safety operations
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (24)
24 end-of-life
Product | Affected Versions | Fix Status
Pyxis - BD Pyxis Anesthesia Station ES | All versions | No fix (EOL)
Pyxis - BD Pyxis Med Link Family | All versions | No fix (EOL)
Pyxis - BD Pyxis MedBank | All versions | No fix (EOL)
Pyxis - BD Pyxis MedStation ES | All versions | No fix (EOL)
Pyxis - BD Pyxis ParAssist | All versions | No fix (EOL)
Remediation & Mitigation
Do now
HARDENING: Restrict physical access to BD Pyxis devices to authorized personnel only—implement badge readers, restricted room access, or direct supervision of maintenance areas
HARDENING: Place all affected BD Pyxis devices on an isolated VLAN with firewall rules that restrict network traffic to only trusted management hosts and authorized network connections
HARDENING: Enable comprehensive logging and alerting on all network connections to Pyxis devices and review logs regularly for unauthorized access attempts
HARDENING: Enforce strong access controls and maintain a strict inventory of all Pyxis system credentials issued to authorized users; rotate credentials regularly and disable unused accounts
WORKAROUND: Ensure the BD Pyxis Security Module is deployed and configured for automated patching and virus definition updates across all affected devices
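The logging and review step above is easiest to act on with a small triage script. The following is an added example, not code from the advisory or from BD: it reads constructed Pyxis authentication log lines and flags events that deserve a human look, namely sessions that did not come from an allow-listed management host, local console logins (the advisory's attack vector is local), use of built-in accounts, and failed logins. The device addresses, management hosts, account names and the log format are all assumptions made for the demo.

```python
import re
from dataclasses import dataclass

# Constructed inventory (assumptions for this demo, not BD's values): Pyxis
# device addresses on the isolated VLAN, the only management hosts allowed to
# open sessions to them, and placeholder names for built-in accounts.
PYXIS_DEVICES = {"10.50.1.10", "10.50.1.11"}
TRUSTED_MGMT_HOSTS = {"10.10.0.5", "10.10.0.6"}
BUILTIN_ACCOUNTS = {"svc_pyxis", "localadmin"}

# Constructed log format: "<ts> <device> auth <OK|FAIL> user=<u> src=<host|console>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<dev>\S+) auth (?P<result>OK|FAIL) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)

@dataclass(frozen=True)
class Finding:
    ts: str
    device: str
    user: str
    src: str
    reasons: tuple  # one entry per review trigger that fired

def review(lines):
    # Return one Finding per Pyxis auth event that needs a human look.
    findings = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m or m["dev"] not in PYXIS_DEVICES:
            continue  # malformed line or not a Pyxis device: ignore
        reasons = []
        if m["src"] == "console":
            reasons.append("local console login")  # physical access path
        elif m["src"] not in TRUSTED_MGMT_HOSTS:
            reasons.append("source not an allow-listed management host")
        if m["user"] in BUILTIN_ACCOUNTS:
            reasons.append("built-in account used")
        if m["result"] == "FAIL":
            reasons.append("failed login")
        if reasons:
            findings.append(Finding(m["ts"], m["dev"], m["user"], m["src"], tuple(reasons)))
    return findings

SAMPLE_LOG = [  # constructed sample lines
    "2022-03-03T10:15:01Z 10.50.1.10 auth OK user=pharm_tech src=10.10.0.5",
    "2022-03-03T10:20:44Z 10.50.1.10 auth OK user=localadmin src=console",
    "2022-03-03T11:02:10Z 10.50.1.11 auth FAIL user=localadmin src=10.20.3.9",
    "2022-03-03T11:05:00Z 10.99.0.1 auth OK user=localadmin src=10.20.3.9",
]

if __name__ == "__main__":
    for f in review(SAMPLE_LOG):
        print(f"{f.ts} {f.device} user={f.user} src={f.src}: {', '.join(f.reasons)}")
```

The first sample line (trusted host, named user, success) produces nothing, while the console login and the failed built-in login from an unknown host are reported; the last line is ignored because the device is not in the Pyxis inventory.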
Schedule — requires maintenance window
Patching may require a device reboot—plan for process interruption
HOTFIX: Monitor BD security bulletins and contact your BD support representative to request firmware updates that strengthen credential management capabilities
CVEs (1)
API: /api/v1/advisories/c9d6516d-44e8-40cd-a719-6100e0a59086