BD Pyxis
Status: Plan Patch
CVSS: 8.8
Advisory: ICS-CERT ICSMA-22-151-01
Published: May 31, 2022
Attack Vector: Adjacent
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
BD Pyxis products contain weak credential management that allows unauthorized access via default or poorly managed credentials. The vulnerability affects multiple product lines including ES Anesthesia Station, StockStation, SupplyCenter, SupplyStation variants, MedStation variants, and related inventory management systems. Successful exploitation could allow an attacker to access electronic protected health information (ePHI), medication records, and device functions. BD is currently developing a credential management solution and pilot program for specific product versions. No vendor patches are currently available for any affected product version.
What this means
What could happen
An attacker with network access to a BD Pyxis device could exploit weak credential management to gain unauthorized access to the system, including electronic protected health information (ePHI) and medication records. This could allow manipulation of medication inventory, dispensing records, or patient safety data.
Who's at risk
Healthcare facility IT and pharmacy staff managing BD Pyxis medication dispensing and supply management systems, including anesthesia stations, supply stations, MedStations, and related inventory systems. This affects any facility using Pyxis devices for automated medication or medical supply management.
How it could be exploited
An attacker on your network locates a BD Pyxis device and attempts to authenticate using default or weak credentials stored in the system. Once authenticated, the attacker gains access to the device's functions, data, and potentially the ability to modify medication inventory or dispensing logs.
Prerequisites
- Network access to the BD Pyxis device (adjacent network or direct connection)
- Knowledge of default credentials or ability to discover weak credentials
- Access to the device's authentication interface
Tags: no patch available | affects healthcare operations and patient safety | weak credential management | default credentials in use | sensitive health information (ePHI) at risk
Exploitability
Low exploit probability (EPSS 0.2%)
Affected products (16)
16 EOL
Product | Affected Versions | Fix Status
Pyxis - BD Pyxis ES Anesthesia Station | All versions | No fix (EOL)
Pyxis - BD Pyxis StockStation | All versions | No fix (EOL)
Pyxis - BD Pyxis SupplyCenter | All versions | No fix (EOL)
Pyxis - BD Pyxis SupplyRoller | All versions | No fix (EOL)
Pyxis - BD Pyxis SupplyStation | All versions | No fix (EOL)
Remediation & Mitigation
Do now
WORKAROUND: Disable or replace any default credentials on BD Pyxis devices with strong, unique passwords
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
HOTFIX: Work with BD service personnel to update domain-joined server credentials on all affected Pyxis devices
HARDENING: Enable access logging and monitoring on all BD Pyxis devices to detect unauthorized authentication attempts
HARDENING: Review and restrict network access to BD Pyxis devices using firewall rules to limit connections to authorized systems only
HOTFIX: Participate in BD's credential management solution pilot program when available for your device versions
Mitigations - no patch available
The following products have reached End of Life with no planned fix:
- Pyxis - BD Pyxis ES Anesthesia Station
- Pyxis - BD Pyxis StockStation
- Pyxis - BD Pyxis SupplyCenter
- Pyxis - BD Pyxis SupplyRoller
- Pyxis - BD Pyxis SupplyStation
- Pyxis - BD Rowa Pouch Packaging Systems
- Pyxis - BD Pyxis CIISafe
- Pyxis - BD Pyxis Logistics
- Pyxis - BD Pyxis MedBank
- Pyxis - BD Pyxis MedStation 4000
- Pyxis - BD Pyxis MedStation ES
- Pyxis - BD Pyxis ParAssist
- Pyxis - BD Pyxis Rapid Rx
- Pyxis - BD Pyxis SupplyStation EC
- Pyxis - BD Pyxis SupplyStation RF auxiliary
- Pyxis - BD Pyxis MedStation ES Server
Apply the following compensating controls:
HARDENING: Implement network segmentation to restrict access to BD Pyxis devices to authorized pharmacy and clinical staff only
CVEs (1)
API: /api/v1/advisories/c95f83bc-dd43-4f3a-a2a4-065efcbb299f