ICSMA-21-355-01 · Published 2022-01-27 · View on CISA ICS-CERT ↗

Fresenius Kabi Agilia Connect Infusion System (Update A)

CVSS 7.5 HIGH

Risk Summary

Successful exploitation of these vulnerabilities in system accessories could allow an attacker to gain access to sensitive information, modify settings or parameters, or perform arbitrary actions as an authenticated user.

CVEs (13)

CVE-2021-23236 CVE-2021-31562 CVE-2021-41835 CVE-2021-23196 CVE-2021-23233 CVE-2021-23207 CVE-2021-33843 CVE-2021-23195 CVE-2021-33848 CVE-2021-44464 CVE-2021-33846 CVE-2021-43355 CVE-2020-35340

Remediations

Fresenius Kabi has created new versions to address these vulnerabilities: Link+ v3.0 (D16 or later)
Fresenius Kabi has created new versions to address these vulnerabilities: VSS v1.0.3 (or later)
Fresenius Kabi has created new versions to address these vulnerabilities: Agilia Connect Pumps Wifi Module (D29 or later)
Fresenius Kabi has created new versions to address these vulnerabilities: Agilia Connect Partner v3.3.2 (or later)
Fresenius Kabi has initiated communication on this topic in April 2021 with users to inform them about availability of the new versions in corresponding countries. Contact Fresenius Kabi online or by phone at 1-800-333-6925 for more update information.
Fresenius Kabi also identified that early Link+ devices (approximatively 1,200 devices) would need hardware change to support D16 or later firmware. Until those devices can be replaced in users’ installation, Fresenius Kabi recommends users to rely on CISA recommendations below.

Affected Vendors

Fresenius Kabi

Affected Products (3)

Fresenius Kabi · Agilia Connect WiFi module of the pumps <= D25

Fresenius Kabi · Agilia Partner maintenance software <= 3.3.0

Fresenius Kabi · Agilia Link+ <= 3.0 D15

Affected Sectors

Healthcare and Public Health

Get alerted to advisories like this

OTWarden monitors CISA, BSI, Siemens, Rockwell and more — and emails you within 2 hours when your vendors are affected.

Start free trial Learn more