Security News > 2022 > March > Over 100,000 medical infusion pumps vulnerable to years old critical bug

Over 100,000 medical infusion pumps vulnerable to years old critical bug
2022-03-02 23:27

Data collected from more than 200,000 network-connected medical infusion pumps used to deliver medication and fluids to patients shows that 75% of them are running with known security issues that attackers could exploit.

Using data collected from customers, researchers at Palo Alto Networks analyzed the security state of over 200,000 infusion pumps and found that between 30,000 and at least 100,000 of them are vulnerable to critical security issues.

The most prevalent critical-severity flaw encountered is CVE-2019-12255, a memory corruption bug in the VxWorks real-time operating system used for embedded devices, including infusion pump systems.

According to data from Palo Alto Networks, the flaw is present in 52% of the analyzed infusion pumps, which translates into more than 104,000 devices.

No patches are available for these vulnerabilities but Baxter provided a set of mitigations designed to lower the risk of exploiting them and recommended switching to the newer Spectrum IQ Infusion system that is not affected by the issues above.

The researchers note that not all the vulnerabilities currently affecting the analyzed infusion pumps are practical for remote attacks but they are a "Risk to the general security of healthcare organizations and the safety of patients."


News URL

https://www.bleepingcomputer.com/news/security/over-100-000-medical-infusion-pumps-vulnerable-to-years-old-critical-bug/

Related Vulnerability

DATE CVE VULNERABILITY TITLE RISK
2019-08-09 CVE-2019-12255 Classic Buffer Overflow vulnerability in multiple products
Wind River VxWorks has a Buffer Overflow in the TCP component (issue 1 of 4).
network
low complexity
windriver netapp sonicwall siemens belden CWE-120
critical
9.8