BD Alaris Infusion Central
Monitor | 7.3 | ICS-CERT ICSMA-23-047-01 | Feb 16, 2023
Attack Vector: Local
Auth Required: Low
Complexity: Low
User Interaction: None needed
Summary
BD Alaris Infusion Central software versions 1.1 through 1.3.2 store passwords in a recoverable, encrypted format (CWE-257), a weakness that could allow a local attacker with low-privilege credentials to escalate privileges and gain administrative access to the infusion management system. The vulnerability is not remotely exploitable and requires local system access. No public exploits are known. BD is reaching out directly to affected customers; no vendor patch is available.
What this means
What could happen
An attacker with local access and low-level credentials could change passwords or gain elevated access to the Alaris Infusion Central server, potentially allowing them to modify infusion pump settings, dosing parameters, or interrupt drug delivery workflows.
Who's at risk
Hospital pharmacy and clinical staff who depend on the BD Alaris Infusion Central system to manage infusion pump networks and drug delivery workflows. Any organization using Alaris Infusion Central software versions 1.1 through 1.3.2 is affected.
How it could be exploited
An attacker must have physical or local access to the Alaris Infusion Central server and valid low-privilege credentials (such as a staff account). They could then exploit weak password storage or privilege escalation to gain administrative control over the system and modify infusion configurations or data.
Prerequisites
- Local or physical access to the Alaris Infusion Central server
- Valid low-privilege user credentials (non-administrator account)
- Knowledge of a system running Alaris Infusion Central software version 1.1 through 1.3.2

- No patch available
- Affects safety-critical systems (infusion delivery)
- Requires valid credentials but low privilege level
Exploitability
Low exploit probability (EPSS 0.0%)
Affected products (1)
Product: Alaris Infusion Central software
Affected Versions: ≥ 1.1, ≤ 1.3.2
Fix Status: No fix (EOL)
Remediation & Mitigation
Do now
- HARDENING: Change Alaris Infusion Central passwords periodically and enforce strong password policies
- HARDENING: Implement strict physical access controls; restrict access to the Alaris Infusion Central server to authorized administrators only
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
- HARDENING: Monitor and audit login attempts and administrative actions on the Alaris Infusion Central server
CVEs (1)