Baxter Sigma Spectrum Infusion Pump (Update A)

MonitorCVSS 7.5ICS-CERT ICSMA-22-251-01Sep 8, 2022

Baxter

Attack path

Attack VectorAdjacent

Auth RequiredNone

ComplexityHigh

User InteractionNone needed

Summary

Baxter Sigma Spectrum and Spectrum IQ infusion pumps contain multiple vulnerabilities related to insecure network services and data protection. CVE-2022-26392 allows unauthenticated access via Telnet or FTP to read and modify device configuration and firmware. CVE-2022-26393 is a format string vulnerability in Wireless Battery Module firmware allowing code execution. CVE-2022-26394 (addressed in Spectrum IQ) and CVE-2022-26390 (data erasure procedures) are related to authentication and secure decommissioning. These vulnerabilities could allow an attacker on the network to access patient data, alter drug delivery parameters, or compromise device integrity.

What this means

What could happen

An attacker with network access to an infusion pump could read sensitive patient data stored on the device, modify system configuration or firmware, or interfere with drug delivery parameters—potentially altering medication doses or stopping treatment flow.

Who's at risk

Healthcare facilities operating Baxter Sigma Spectrum or Spectrum IQ infusion pumps, particularly those with Wireless Battery Modules in versions 6.x, 8.x, or 9.x. This affects any institution using these devices for inpatient medication delivery, including ICUs, oncology, and general medical units.

How it could be exploited

An attacker on the same network segment as a Sigma Spectrum or Spectrum IQ pump could connect via Telnet or FTP (unencrypted protocols) without authentication, or exploit a format string vulnerability in Wireless Battery Module firmware to execute commands and access or modify device memory containing patient data and operational settings.

Prerequisites

Network access (wired or wireless) to the infusion pump or Wireless Battery Module
Telnet (port 23) or FTP (port 21) enabled on the device (default configuration)
No authentication required for Telnet/FTP access on affected versions

Remotely exploitable via network accessNo authentication required (Telnet/FTP)Affects medical device (patient safety risk)No vendor patch available for most affected versionsAffects drug delivery configuration

Exploitability

Unlikely to be exploited — EPSS score 0.3%

Affected products (6)

6 pending

ProductAffected VersionsFix Status

Spectrum IQ: (v9.x) model 35700BAX39.x model 35700BAX3No fix yet

Spectrum IQ LVP: (v9.x) with Wireless Battery Modules v22D19 to v22D289.x (with Wireless Battery Modules ≥ 22D19 | ≤ v22D28)No fix yet

Sigma Spectrum: v8.x model 35700BAX28.x model 35700BAX2No fix yet

Sigma Spectrum: v6.x model 35700BAX6.x model 35700BAXNo fix yet

Sigma Spectrum LVP: v8.x Wireless Battery Modules v17 v17D19 v20D29 to v20D32 and v22D24 to v22D288.x (Wireless Battery Modules v17 | v17D19 ≥ 20D29 | ≤ 20D32 | ≥ 22D24 | ≤ 22D28)No fix yet

Sigma Spectrum LVP: v6.x Wireless Battery Modules v16 v16D38 v17 v17D19 v20D29 to v20D32 and v22D24 to v22D286.x (Wireless Battery Modules (16 | 16D38 | 17 | 17D19 | ≥ 20D29 | ≤ v20D32 | ≥ 22D24 | ≤ v22D28)No fix yet

Remediation & Mitigation

0/6

Do now

0/3

HARDENINGIsolate infusion pumps to a dedicated, segmented network and restrict access to only authorized medical devices and workstations using firewall rules.

WORKAROUNDDisable Telnet and FTP services on all affected pumps immediately if possible through local configuration menus.

WORKAROUNDImplement network access controls to block Telnet (port 23) and FTP (port 21) traffic to/from infusion pumps at the network edge.

Schedule — requires maintenance window

0/2

Patching may require device reboot — plan for process interruption

HOTFIXApply Wireless Battery Module firmware version 20D30 or later (when available) to address format string vulnerability (CVE-2022-26393).

WORKAROUNDEnsure all Wireless Battery Modules are securely erased (using Baxter's decommissioning procedure) before transferring pumps to other facilities or decommissioning devices.

Long-term hardening

0/1

HARDENINGMaintain an inventory of all Sigma Spectrum and Spectrum IQ pump serial numbers and Wireless Battery Module versions to track affected devices.

CVEs (4)

CVE-2022-26390 CVE-2022-26392 CVE-2022-26393 CVE-2022-26394

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/1e356d93-a161-4fc8-b309-7880fc242db3

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.