BD Diagnostic Solutions Products (Update A)

Plan: Patch | CVSS 8 | ICS-CERT ICSMA-24-352-01 | Dec 17, 2024
Attack path
Attack Vector: Adjacent
Auth Required: Low
Complexity: Low
User Interaction: None needed
Summary

BD Diagnostic Solutions products contain hard-coded default service credentials that can be used by anyone with direct access to the affected device or the local clinic network. Exploitation allows an attacker to access, modify, or delete sensitive data and patient information, or trigger system shutdown. Affected products are: BD BACTEC Blood Culture System, BD COR System, BD EpiCenter Microbiology Data Management System, BD MAX System, BD Phoenix M50 Automated Microbiology System, and BD Synapsys Informatics Solution (on NUC servers only). This vulnerability is not remotely exploitable and requires the attacker to either be physically present in the clinic or have compromised the local network. BD has developed patches and will proactively contact users to schedule remediation, with deployment expected in the first half of 2025.

What this means
What could happen
An attacker with local network access or physical presence in your clinic could use default service credentials to access, modify, or delete patient data and system configurations, or shut down diagnostic instruments and disrupt test processing.
Who's at risk
Clinical laboratory and diagnostic facility staff operating BD diagnostic instruments (BACTEC Blood Culture System, COR System, EpiCenter, MAX System, Phoenix M50, Synapsys Informatics on NUC server). This affects patient safety and data integrity since these devices are responsible for blood culture testing, microbiology analysis, and laboratory data management in hospitals and clinical labs.
How it could be exploited
An attacker must first gain direct access to your internal network (either by being physically present in your facility or by compromising the local network perimeter). Once inside, the attacker can use hard-coded default service credentials stored in the affected devices to log in and execute commands. The attacker does not need valid user credentials or elevated permissions to exploit this.
Prerequisites
  • Direct access to the local network (logical or physical presence in the clinical facility)
  • Knowledge of the default service credentials used by BD technical support teams

Default credentials · No authentication required after device access · Low complexity exploit · Affects medical device systems · Impacts patient data and system availability · Physical access may be required, but network-based exploitation is possible
Exploitability
Unlikely to be exploited — EPSS score 0.2%
Affected products (6)
6 with fix
Product | Affected Versions | Fix Status
BD BACTEC Blood Culture System | All versions (vers:all/*) | Fix available
BD COR System | All versions (vers:all/*) | Fix available
BD EpiCenter Microbiology Data Management System | All versions (vers:all/*) | Fix available
BD MAX System | All versions (vers:all/*) | Fix available
BD Phoenix M50 Automated Microbiology System | All versions (vers:all/*) | Fix available
BD Synapsys Informatics Solution | All versions (vers:all/*) | Fix available
Remediation & Mitigation
Do now
HARDENING: Change all default service credentials on affected BD diagnostic systems to unique, strong passwords and document these securely
HARDENING: Restrict network access to affected BD diagnostic instruments to authorized personnel only; document who has access and why
HARDENING: Isolate affected BD diagnostic devices into a separate, secure VLAN with firewall rules that block traffic from untrusted network segments
WORKAROUND: Disable RDP (Remote Desktop Protocol) on affected devices if enabled; if remote management is required, use a VPN with current patches instead
HARDENING: Enable network monitoring and logging on the VLAN containing affected instruments to detect unauthorized access attempts
HARDENING: Review and restrict file share permissions on systems connected to affected BD devices; enable logging of access to these shares
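The "monitoring and logging on the instrument VLAN" item above is the one most labs can act on before the vendor patch arrives. The script below is an added example of what that detection can look like; it is not code from BD, CISA or OTPulse. It assumes a constructed syslog-style logon record, a hypothetical service account name (`bd_service`, a placeholder, since the advisory does not publish the real account), and two constructed subnets: the isolated instrument VLAN and the small maintenance network from which vendor logons are expected. Any logon with the service account that does not come from the maintenance network, or that happens at the console, is raised for reconciliation against the maintenance schedule.

```python
"""Flag service-account logons on the instrument VLAN that do not come from
the expected maintenance network.

Added example for the BD default-credentials advisory; not vendor code.
Log format, account name and subnets below are constructed placeholders.
"""
import ipaddress
import re
from collections import Counter
from dataclasses import dataclass

# Hypothetical placeholder: the advisory does not publish the account name.
# Replace with the service account BD identifies during remediation.
SERVICE_ACCOUNTS = {"bd_service"}

# Constructed: the isolated instrument VLAN and the only subnet from which
# vendor or biomed maintenance logons are expected.
INSTRUMENT_VLAN = ipaddress.ip_network("10.40.0.0/24")
MAINTENANCE_NET = ipaddress.ip_network("10.40.250.0/28")

# Constructed record layout:
# <ts> host=<name> event=logon user=<name> src=<ip|console> method=<rdp|smb|local> result=<ok|fail>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) event=logon user=(?P<user>\S+) "
    r"src=(?P<src>\S+) method=(?P<method>\S+) result=(?P<result>ok|fail)$"
)

# Constructed sample log; one normal user logon, one expected maintenance
# logon, and four events that should be raised.
SAMPLE_LOG = [
    "2024-12-18T08:01:02Z host=bactec-01 event=logon user=labtech7 src=10.40.0.21 method=local result=ok",
    "2024-12-18T08:15:44Z host=bactec-01 event=logon user=bd_service src=10.40.250.5 method=rdp result=ok",
    "2024-12-18T09:02:10Z host=phoenix-02 event=logon user=bd_service src=10.40.0.33 method=smb result=ok",
    "2024-12-18T09:03:51Z host=epicenter-01 event=logon user=bd_service src=192.168.7.80 method=rdp result=fail",
    "2024-12-18T09:04:02Z host=epicenter-01 event=logon user=bd_service src=192.168.7.80 method=rdp result=ok",
    "2024-12-18T11:30:00Z host=max-01 event=logon user=bd_service src=console method=local result=ok",
]


@dataclass
class Alert:
    ts: str
    host: str
    user: str
    src: str
    method: str
    reason: str


def parse(line):
    """Return the record fields as a dict, or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def analyse(lines, accounts=SERVICE_ACCOUNTS, allowed=MAINTENANCE_NET):
    """Return an Alert for every service-account logon outside the expected path."""
    alerts = []
    for line in lines:
        rec = parse(line)
        if rec is None or rec["user"] not in accounts:
            continue
        if rec["method"] == "local":
            # Console use of the service account is legitimate only during a
            # scheduled visit; raise it so it can be reconciled with the schedule.
            reason = "console logon with service account"
        else:
            try:
                src = ipaddress.ip_address(rec["src"])
            except ValueError:
                reason = "unparseable source address"
            else:
                if src in allowed:
                    continue  # expected maintenance path
                if src in INSTRUMENT_VLAN:
                    reason = "service-account logon from another instrument on the VLAN"
                else:
                    reason = "service-account logon from outside the instrument VLAN"
        if rec["result"] == "fail":
            reason += " (failed attempt)"
        alerts.append(Alert(rec["ts"], rec["host"], rec["user"], rec["src"], rec["method"], reason))
    return alerts


def summarise(alerts):
    """Count alerts per affected instrument host."""
    return dict(Counter(a.host for a in alerts))


if __name__ == "__main__":
    for a in analyse(SAMPLE_LOG):
        print(f"{a.ts} {a.host} {a.user}@{a.src} via {a.method}: {a.reason}")
    print(summarise(analyse(SAMPLE_LOG)))
```

Failed attempts are kept rather than filtered because a burst of failures against the service account from an unexpected source is exactly the signal the hardening items are meant to surface; the allowlist check runs only for network logons, so a console logon is always surfaced regardless of how the source field is recorded.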
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

WORKAROUND: Disconnect affected devices from the network if continuous network connectivity is not medically necessary
HOTFIX: Apply the patch or firmware update from BD when the vendor contacts you to schedule remediation (expected first half of 2025)

BD Diagnostic Solutions Products (Update A) | CVSS 8 - OTPulse