Baxter Sigma Spectrum Infusion Pump (Update A)
Monitor · CVSS 7.5 · ICS-CERT ICSMA-22-251-01 · Sep 8, 2022
Attack Vector: Adjacent
Auth Required: None
Complexity: High
User Interaction: None needed
Summary
Baxter Sigma Spectrum and Spectrum IQ infusion pumps contain multiple vulnerabilities in their network services and data protection. CVE-2022-26392 allows unauthenticated Telnet or FTP access that can read and modify device configuration and firmware. CVE-2022-26393 is a format string vulnerability in the Wireless Battery Module firmware that allows code execution. CVE-2022-26394 (already addressed in Spectrum IQ) concerns authentication, and CVE-2022-26390 concerns data erasure and secure decommissioning. Together these could allow an attacker on the network to read patient data, alter drug delivery parameters, or compromise device integrity.
What this means
What could happen
An attacker with network access to an infusion pump could read sensitive patient data stored on the device, modify system configuration or firmware, or interfere with drug delivery parameters—potentially altering medication doses or stopping treatment flow.
Who's at risk
Healthcare facilities operating Baxter Sigma Spectrum (v6.x, v8.x) or Spectrum IQ (v9.x) pumps, particularly those fitted with the affected Wireless Battery Module versions listed below. This covers any institution using these devices for inpatient medication delivery, including ICUs, oncology, and general medical units.
How it could be exploited
An attacker on the same network segment as a Sigma Spectrum or Spectrum IQ pump could connect over Telnet or FTP, both unencrypted and unauthenticated on affected versions, or exploit the format string vulnerability in the Wireless Battery Module firmware to execute code and read or modify device memory holding patient data and operational settings.
Prerequisites
- Network access (wired or wireless) to the infusion pump or Wireless Battery Module
- Telnet (port 23) or FTP (port 21) enabled on the device (default configuration)
- No authentication required for Telnet/FTP access on affected versions
Key flags:
- Exploitable with network access (adjacent network)
- No authentication required (Telnet/FTP)
- Affects a medical device (patient safety risk)
- No vendor fix yet for the listed affected versions
- Affects drug delivery configuration
Exploitability
Low exploit probability (EPSS 0.3%)
Affected products (6, all pending a fix)
Product | Affected versions | Fix status
Spectrum IQ, model 35700BAX3 | v9.x | No fix yet
Spectrum IQ LVP | v9.x with Wireless Battery Module v22D19 to v22D28 | No fix yet
Sigma Spectrum, model 35700BAX2 | v8.x | No fix yet
Sigma Spectrum, model 35700BAX | v6.x | No fix yet
Sigma Spectrum LVP | v8.x with Wireless Battery Module v17, v17D19, v20D29 to v20D32, or v22D24 to v22D28 | No fix yet
Sigma Spectrum LVP | v6.x with Wireless Battery Module v16, v16D38, v17, v17D19, v20D29 to v20D32, or v22D24 to v22D28 | No fix yet
Remediation & Mitigation
Do now
HARDENING: Isolate infusion pumps on a dedicated, segmented network and restrict access to only authorized medical devices and workstations using firewall rules.
WORKAROUND: Disable the Telnet and FTP services on all affected pumps immediately, if the local configuration menus allow it.
WORKAROUND: Implement network access controls that block Telnet (port 23) and FTP (port 21) traffic to and from infusion pumps at the segment boundary.
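The two network workarounds above are easiest to verify from flow or firewall logs. The following is an added example (not code from the advisory or from Baxter) that flags any TCP session on port 21 or 23 touching a pump segment, in either direction, and emits the matching nftables drop rules. The pump VLAN 10.40.0.0/24, the space-separated flow-log format and the sample records are all constructed for the example; substitute your own subnet and log parser.

```python
"""Flag Telnet (23) and FTP (21) sessions to or from the infusion-pump segment.

Added example, not code from the advisory or from Baxter. It assumes a pump
VLAN of 10.40.0.0/24 and a constructed space-separated flow-log format
("timestamp src sport dst dport proto"); substitute your own subnet and parser.
"""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List

PUMP_NETWORK = ipaddress.ip_network("10.40.0.0/24")   # assumption: the isolated pump VLAN
INSECURE_PORTS = {21: "FTP", 23: "Telnet"}             # services named in the advisory


@dataclass(frozen=True)
class Finding:
    timestamp: str
    src: str
    dst: str
    port: int
    service: str
    direction: str  # "to_pump" (inbound) or "from_pump" (outbound)


def parse_flow(line: str):
    """Split one constructed flow record into typed fields."""
    ts, src, sport, dst, dport, proto = line.split()
    return ts, ipaddress.ip_address(src), int(sport), ipaddress.ip_address(dst), int(dport), proto.lower()


def scan_flows(lines: Iterable[str]) -> List[Finding]:
    """Return every TCP flow on port 21 or 23 that touches the pump segment.

    Both directions are reported: a host reaching a pump's Telnet/FTP service,
    and a pump (or something impersonating one) reaching out on those ports.
    """
    findings = []
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, _sport, dst, dport, proto = parse_flow(line)
        if proto != "tcp" or dport not in INSECURE_PORTS:
            continue
        if dst in PUMP_NETWORK:
            direction = "to_pump"
        elif src in PUMP_NETWORK:
            direction = "from_pump"
        else:
            continue  # neither endpoint is a pump; out of scope here
        findings.append(Finding(ts, str(src), str(dst), dport, INSECURE_PORTS[dport], direction))
    return findings


def nft_block_rules(table: str = "inet filter", chain: str = "forward") -> List[str]:
    """nftables statements enforcing the same policy at the segment boundary.

    Assumes a table and chain with these names already exist on the firewall.
    """
    ports = ", ".join(str(p) for p in sorted(INSECURE_PORTS))
    return [
        f"nft add rule {table} {chain} ip daddr {PUMP_NETWORK} tcp dport {{ {ports} }} drop",
        f"nft add rule {table} {chain} ip saddr {PUMP_NETWORK} tcp dport {{ {ports} }} drop",
    ]


# Constructed sample log: one legitimate TLS flow, two management-host probes of
# pumps, one outbound Telnet from a pump, one unrelated Telnet, one UDP non-hit.
SAMPLE_LOG = """\
# timestamp src sport dst dport proto
2022-09-08T10:00:01Z 10.40.0.15 49152 10.10.5.20 443 tcp
2022-09-08T10:00:07Z 10.20.1.77 51000 10.40.0.15 23 tcp
2022-09-08T10:00:09Z 10.20.1.77 51001 10.40.0.16 21 tcp
2022-09-08T10:00:12Z 10.40.0.16 49201 10.10.5.99 23 tcp
2022-09-08T10:00:15Z 10.20.1.80 51200 10.20.1.90 23 tcp
2022-09-08T10:00:20Z 10.20.1.77 51002 10.40.0.15 23 udp
""".splitlines()

if __name__ == "__main__":
    for f in scan_flows(SAMPLE_LOG):
        print(f"{f.timestamp} {f.service:6} {f.direction:9} {f.src} -> {f.dst}:{f.port}")
    print("\n".join(nft_block_rules()))
```

Outbound hits matter as much as inbound ones: a pump that suddenly initiates Telnet to an unexpected host is a sign that its configuration or firmware has already been altered, which the inbound rule alone would not reveal.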
Schedule — requires maintenance window
Patching may require a device reboot; plan for process interruption.
HOTFIX: Apply the Wireless Battery Module firmware update that addresses the format string vulnerability (CVE-2022-26393) once Baxter releases it; no fixed version is listed for the affected modules yet.
WORKAROUND: Securely erase all Wireless Battery Modules using Baxter's decommissioning procedure before transferring pumps to other facilities or decommissioning devices (CVE-2022-26390).
Long-term hardening
HARDENING: Maintain an inventory of all Sigma Spectrum and Spectrum IQ pump serial numbers and Wireless Battery Module versions to track affected devices.
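An inventory is only useful if it can be checked against the affected-version table above without hand comparison of version strings such as 20D31 or 22D19. The following is an added example (not code from the advisory or from Baxter) that parses the WBM version notation, encodes the table's exact versions and inclusive ranges per pump software line, and triages constructed inventory records. Bare entries such as v16 are matched as exact version strings, a literal reading of the table; confirm that reading against Baxter's own bulletin before relying on it.

```python
"""Triage a pump inventory against the affected-version table on this page.

Added example, not from the advisory or from Baxter. The version lists are
transcribed from the table; the inventory records are constructed. Bare
entries such as "16" are matched as exact version strings (literal reading of
the table), so confirm that reading against Baxter's own bulletin.
"""
import re
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, Optional[int]]  # (major, build): "22D25" -> (22, 25), "16" -> (16, None)

# Affected Wireless Battery Module versions per pump software line, from the table.
# An entry is either an exact version string or an inclusive (low, high) range.
AFFECTED_WBM = {
    "6.x": ["16", "16D38", "17", "17D19", ("20D29", "20D32"), ("22D24", "22D28")],
    "8.x": ["17", "17D19", ("20D29", "20D32"), ("22D24", "22D28")],
    "9.x": [("22D19", "22D28")],
}
# Pump software lines the table lists as affected in their own right.
AFFECTED_PUMP_LINES = set(AFFECTED_WBM)


def parse_wbm_version(text: str) -> Version:
    m = re.fullmatch(r"[vV]?(\d+)(?:D(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised WBM version: {text!r}")
    return int(m.group(1)), (int(m.group(2)) if m.group(2) is not None else None)


def pump_line(pump_version: str) -> str:
    """'v8.2' -> '8.x' so it can be looked up in the table."""
    return pump_version.strip().lstrip("vV").split(".")[0] + ".x"


def _in_range(v: Version, low: str, high: str) -> bool:
    lo, hi = parse_wbm_version(low), parse_wbm_version(high)
    major, build = v
    # every range in the table stays within a single major version
    if build is None or major != lo[0] or major != hi[0]:
        return False
    return lo[1] <= build <= hi[1]


def wbm_affected(pump_version: str, wbm_version: str) -> bool:
    entries = AFFECTED_WBM.get(pump_line(pump_version), [])
    v = parse_wbm_version(wbm_version)
    for entry in entries:
        if isinstance(entry, tuple):
            if _in_range(v, *entry):
                return True
        elif v == parse_wbm_version(entry):
            return True
    return False


def assess(pump_version: str, wbm_version: Optional[str]) -> Dict[str, bool]:
    """Report whether the pump line and/or the fitted WBM version are listed."""
    return {
        "pump_affected": pump_line(pump_version) in AFFECTED_PUMP_LINES,
        "wbm_affected": bool(wbm_version) and wbm_affected(pump_version, wbm_version),
    }


def triage(inventory: List[Dict[str, Optional[str]]]) -> List[Dict[str, object]]:
    """Return the records that need action, annotated with what is affected."""
    out = []
    for rec in inventory:
        result = assess(rec["pump_version"], rec.get("wbm_version"))
        if result["pump_affected"] or result["wbm_affected"]:
            out.append({**rec, **result})
    return out


# Constructed inventory records; serial numbers are placeholders.
INVENTORY = [
    {"serial": "SN0001", "pump_version": "v9.1", "wbm_version": "22D25"},
    {"serial": "SN0002", "pump_version": "v8.2", "wbm_version": "20D33"},
    {"serial": "SN0003", "pump_version": "v6.0", "wbm_version": "16"},
    {"serial": "SN0004", "pump_version": "v6.0", "wbm_version": "16D40"},
    {"serial": "SN0005", "pump_version": "v7.0", "wbm_version": "22D25"},
    {"serial": "SN0006", "pump_version": "v8.0", "wbm_version": None},
]

if __name__ == "__main__":
    for rec in triage(INVENTORY):
        print(rec["serial"], rec["pump_version"], rec["wbm_version"],
              "pump" if rec["pump_affected"] else "", "wbm" if rec["wbm_affected"] else "")
```

Note that SN0002 is still flagged even though its module build (20D33) falls just outside the listed 20D29 to 20D32 range: the pump software line itself is in the table, so the device needs the Telnet/FTP workarounds regardless of which module it carries.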
API:
/api/v1/advisories/1e356d93-a161-4fc8-b309-7880fc242db3