Baxter Life2000 Ventilation System

Plan PatchCVSS 10ICS-CERT ICSMA-24-319-01Nov 14, 2024

Baxter

Attack path

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

The Baxter Life2000 Ventilation System contains multiple vulnerabilities (CWE-319, CWE-307, CWE-798, CWE-1263, CWE-494, CWE-1191, CWE-1318, CWE-306, CWE-778) in versions 06.08.00.00 and earlier that could allow information disclosure and disruption of device function without detection. Successful exploitation could expose protected health information and compromise device operations. No public exploitation has been reported. Baxter plans to release a follow-up announcement in Q2 2025 regarding remediation for these vulnerabilities.

What this means

What could happen

An attacker with physical or network access to an unattended Life2000 ventilator could extract sensitive patient data or disrupt ventilation function without triggering any alarms, potentially compromising patient safety and privacy.

Who's at risk

Hospitals and home healthcare providers using Baxter Life2000 ventilation systems should prioritize this advisory. Clinical staff must understand that unattended devices are at risk of data theft or operational sabotage. Biomedical engineering teams should prepare for a vendor firmware update expected in Q2 2025.

How it could be exploited

An attacker could gain unauthorized access to the Life2000 ventilator either through physical access to an unattended device or via network connectivity. Once accessed, the attacker could read protected health information stored on the device or modify device settings and functions without detection.

Prerequisites

Physical access to an unattended Life2000 ventilator, or network access to the device if networked
No authentication required for some exploitable functions

Critical CVSS score (10.0)No authentication requiredLow complexity exploitationAffects patient safety equipmentNo fix currently availableAffects protected health information

Exploitability

Some exploitation risk — EPSS score 6.2%

Public Proof-of-Concept (PoC) on GitHub (1 repository)

Affected products (1)

ProductAffected VersionsFix Status

Life2000 Ventilation System: <=06.08.00.00≤ 06.08.00.00No fix (EOL)

Remediation & Mitigation

0/4

Do now

0/2

HARDENINGEnsure Life2000 ventilators are never left unattended in public or unsecured areas; maintain continuous physical possession and control

HARDENINGConduct a physical security review of ventilator storage and use areas to identify and eliminate opportunities for unauthorized access

Schedule — requires maintenance window

0/1

Patching may require device reboot — plan for process interruption

HOTFIXMonitor Baxter's website for the Q2 2025 security update announcement and apply any vendor patches or firmware updates immediately upon release

Mitigations - no patch available

0/1

Life2000 Ventilation System: <=06.08.00.00 has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:

HARDENINGImplement network segmentation to isolate Life2000 ventilators from broader hospital networks where feasible, or restrict network access to authorized clinical staff only

CVEs (9)

CVE-2024-9834 CVE-2024-9832 CVE-2024-48971 CVE-2024-48973 CVE-2024-48974 CVE-2024-48970 CVE-2020-8004 CVE-2024-48966 CVE-2024-48967

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/022b9b14-e329-449e-9fdb-6b76466ee762

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.