ICSMA-24-352-01  ·  Published 2025-01-28

BD Diagnostic Solutions Products (Update A)

CVSS 8.0 HIGH

Risk Summary

Successful exploitation of this vulnerability could allow an attacker to use default credentials to access, modify, or delete sensitive data, which could impact the availability of the system or cause a system shutdown.

CVEs (1)

Remediations

  • For each product in scope, a remediation solution has been developed by BD and is in the process of deployment through BD's Field Service Organization. A BD representative will proactively contact all impacted users to schedule remediation. BD expects to schedule the majority of product users in the first half of 2025.
  • BD has already communicated with users of affected products and is working with them to update default credentials on affected products. For this vulnerability to be exploited, a threat actor will need direct access, whether logical or physical, into the clinical setting.
  • Note: BD Synapsys Informatics Solution is only in scope of this vulnerability when installed on a NUC server. BD Synapsys Informatics Solution installed on a user-provided virtual machine or on the BD Kiestra SCU hardware is not in scope.
  • The BD Diagnostic Solutions products' default credentials are intended for use by BD technical support teams for the above-mentioned BD products within the clinical setting. A threat actor would have to compromise the local network and, in some cases, may also need to be physically present at the instrument in order to use these product service credentials.
  • The BD RSS platform has not been impacted by and is not in scope of this vulnerability.
  • BD strongly recommends that users take actions to strengthen the controls around the logical and physical environments where Diagnostic Solutions instruments are located. The following best practices are recommended for maintaining strong security measures to protect customer networks and associated medical devices:
      • Ensure access to potentially vulnerable devices is limited to authorized personnel
      • Inform authorized users of the issue, and ensure all relevant passwords are tightly controlled
      • Monitor and log network traffic attempting to reach medical device management environments for suspicious activity
      • Where possible, isolate affected devices in a secure VLAN or behind firewalls with restricted access that only permits communication with trusted hosts in other networks when needed
      • Impacted devices do not require the use of RDP ports; these should be disabled or blocked if enabled
      • Ensure permissions on file shares are appropriately established and enforced, and monitor and log access for evidence of suspicious activity
      • Disconnect devices from the network if connectivity is not necessary
  • For more information, refer to BD's security bulletin.
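
One way to act on the monitoring, segmentation and RDP recommendations above, as an added example that is not part of the advisory or BD's guidance: a Python check over firewall flow records that reports RDP toward the device segment and any flow from a host outside the trusted list. The subnet, trusted-host addresses, log format and sample records are constructed assumptions; 3389 is the default RDP port.

```python
from ipaddress import ip_address, ip_network

# All values below are constructed assumptions, not taken from the advisory.
DEVICE_NET = ip_network("10.20.30.0/24")        # VLAN holding the instruments
TRUSTED = {ip_address("10.20.1.10"),            # hosts permitted to reach it
           ip_address("10.20.1.11")}
RDP_PORT = 3389                                 # default RDP port

# Constructed flow records: timestamp src dst proto dport action
SAMPLE_LOG = """\
2025-01-28T08:00:01Z 10.20.1.10 10.20.30.5 tcp 443 allow
2025-01-28T08:02:17Z 10.50.7.23 10.20.30.5 tcp 3389 deny
2025-01-28T08:02:40Z 10.50.7.23 10.20.30.5 tcp 3389 allow
2025-01-28T08:05:09Z 10.50.7.23 10.20.30.8 tcp 445 allow
2025-01-28T08:06:00Z 10.20.1.11 10.20.30.8 tcp 445 allow
2025-01-28T08:07:00Z 10.20.1.11 10.20.30.8 tcp 3389 allow
malformed line
2025-01-28T08:09:30Z 10.20.30.5 10.20.1.10 tcp 443 allow
"""


def review_flows(log_text):
    """Return (line_no, severity, message) for flows that break the policy."""
    findings = []
    for line_no, line in enumerate(log_text.splitlines(), 1):
        try:
            _ts, src, dst, _proto, dport, action = line.split()
            src_ip, dst_ip, port = ip_address(src), ip_address(dst), int(dport)
        except ValueError:
            # A record the monitor cannot parse is a logging gap worth reporting.
            findings.append((line_no, "PARSE", line))
            continue
        if dst_ip not in DEVICE_NET:
            continue                            # only traffic toward the devices
        # A denied flow is still an attempt to log; an allowed one is a control gap.
        severity = "HIGH" if action == "allow" else "INFO"
        if port == RDP_PORT:
            # RDP is not needed by the devices, so flag it even from trusted hosts.
            findings.append((line_no, severity, f"RDP {src} -> {dst} ({action})"))
        elif src_ip not in TRUSTED:
            findings.append((line_no, severity,
                             f"untrusted {src} -> {dst}:{port} ({action})"))
    return findings


if __name__ == "__main__":
    for finding in review_flows(SAMPLE_LOG):
        print(*finding)
```

HIGH findings mark flows the firewall allowed that the recommendations say should not be possible; INFO findings are blocked attempts kept for the suspicious-activity log.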

Affected Vendors

Becton, Dickinson and Company (BD)

Affected Products (6)

Becton, Dickinson and Company (BD) · BD BACTEC Blood Culture System vers:all/*
Becton, Dickinson and Company (BD) · BD COR System vers:all/*
Becton, Dickinson and Company (BD) · BD EpiCenter Microbiology Data Management System vers:all/*
Becton, Dickinson and Company (BD) · BD MAX System vers:all/*
Becton, Dickinson and Company (BD) · BD Phoenix M50 Automated Microbiology System vers:all/*
Becton, Dickinson and Company (BD) · BD Synapsys Informatics Solution vers:all/*

Affected Sectors

Healthcare and Public Health
