OTPulse

BD Pyxis

Plan PatchCVSS 8.8ICS-CERT ICSMA-22-151-01May 31, 2022
BD
Attack path
Attack VectorAdjacent
Auth RequiredNone
ComplexityLow
User InteractionNone needed
Summary

BD Pyxis products contain weak credential management that allows unauthorized access via default or poorly managed credentials. The vulnerability affects multiple product lines including ES Anesthesia Station, StockStation, SupplyCenter, SupplyStation variants, MedStation variants, and related inventory management systems. Successful exploitation could allow an attacker to access electronic protected health information (ePHI), medication records, and device functions. BD is currently developing a credential management solution and pilot program for specific product versions. No vendor patches are currently available for any affected product version.

What this means
What could happen
An attacker with network access to a BD Pyxis device could exploit weak credential management to gain unauthorized access to the system and access electronic protected health information (ePHI) or medication records. This could allow manipulation of medication inventory, dispensing records, or patient safety data.
Who's at risk
Healthcare facility IT and pharmacy staff managing BD Pyxis medication dispensing and supply management systems, including anesthesia stations, supply stations, MedStations, and related inventory systems. This affects any facility using Pyxis devices for automated medication or medical supply management.
How it could be exploited
An attacker on your network locates a BD Pyxis device and attempts to authenticate using default or weak credentials stored in the system. Once authenticated, the attacker gains access to the device's functions, data, and potentially the ability to modify medication inventory or dispensing logs.
Prerequisites
  • Network access to the BD Pyxis device (adjacent network or direct connection)
  • Knowledge of default credentials or ability to discover weak credentials
  • Access to the device's authentication interface
no patch availableaffects healthcare operations and patient safetyweak credential managementdefault credentials in usesensitive health information (ePHI) at risk
Exploitability
Unlikely to be exploited — EPSS score 0.2%
Affected products (16)
16 EOL
ProductAffected VersionsFix Status
Pyxis - BD Pyxis ES Anesthesia StationAll versionsNo fix (EOL)
Pyxis - BD Pyxis StockStationAll versionsNo fix (EOL)
Pyxis - BD Pyxis SupplyCenterAll versionsNo fix (EOL)
Pyxis - BD Pyxis SupplyRollerAll versionsNo fix (EOL)
Pyxis - BD Pyxis SupplyStationAll versionsNo fix (EOL)
Remediation & Mitigation
0/6
Do now
0/1
WORKAROUNDDisable or replace any default credentials on BD Pyxis devices with strong, unique passwords
Schedule — requires maintenance window
0/4

Patching may require device reboot — plan for process interruption

HOTFIXWork with BD service personnel to update domain-joined server credentials on all affected Pyxis devices
HARDENINGEnable access logging and monitoring on all BD Pyxis devices to detect unauthorized authentication attempts
HARDENINGReview and restrict network access to BD Pyxis devices using firewall rules to limit connections to authorized systems only
HOTFIXParticipate in BD's credential management solution pilot program when available for your device versions
Mitigations - no patch available
0/1
The following products have reached End of Life with no planned fix: Pyxis - BD Pyxis ES Anesthesia Station, Pyxis - BD Pyxis StockStation, Pyxis - BD Pyxis SupplyCenter, Pyxis - BD Pyxis SupplyRoller, Pyxis - BD Pyxis SupplyStation, Pyxis - BD Rowa Pouch Packaging Systems, Pyxis - BD Pyxis CIISafe, Pyxis - BD Pyxis Logistics, Pyxis - BD Pyxis MedBank, Pyxis - BD Pyxis MedStation 4000, Pyxis - BD Pyxis MedStation ES, Pyxis - BD Pyxis ParAssist, Pyxis - BD Pyxis Rapid Rx, Pyxis - BD Pyxis SupplyStation EC, Pyxis - BD Pyxis SupplyStation RF auxiliary, Pyxis - BD Pyxis MedStation ES Server. Apply the following compensating controls:
HARDENINGImplement network segmentation to restrict access to BD Pyxis devices to authorized pharmacy and clinical staff only
View full CISA ICS-CERT advisory
API: /api/v1/advisories/c95f83bc-dd43-4f3a-a2a4-065efcbb299f

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.