1,400 Flaws Found in Outdated CareFusion Medical Systems

Researchers discovered that old versions of CareFusion’s Pyxis SupplyStation system are plagued by more than 1,400 vulnerabilities that can be remotely exploited by malicious actors.

CareFusion, a subsidiary of global medical technology firm BD (Becton, Dickinson and Company), specializes in solutions designed to reduce medication errors and prevent healthcare-associated infections. The Pyxis SupplyStation product is a healthcare inventory management system that automatically dispenses medical supplies and documents their usage in real time.

Using automated software analysis tools, researchers Billy Rios and Mike Ahmadi discovered that legacy versions of Pyxis SupplyStation are plagued by 1,418 vulnerabilities. More precisely, the flaws exist in seven different third-party software packages used by the CareFusion product.

The list of third-party components plagued by security holes includes BMC Appsight 5.7, SAP Crystal Reports 8.5, Flexera Software Installshield, Windows XP, Sybase SQL Anywhere 9, Symantec Antivirus 9 and Symantec pcAnywhere 10.5.

Of the total number of vulnerabilities, 715 are high-severity issues (CVSS score between 7.0 and 10), 606 have been rated “medium severity” (CVSS score between 4.0 and 6.9), and the rest are low-severity flaws.

While the vulnerabilities can be remotely exploited to compromise affected Pyxis SupplyStation products, ICS-CERT noted in an advisory that the system is designed to maintain critical functionality and provide access to medical supplies even if it’s rendered inoperable.

“These vulnerabilities have also been assessed for clinical impact by BD and DHS and represent little to no risk to patient safety,” BD wrote in its own advisory.

The affected product versions, all of which have reached end of life (EOL), are Pyxis SupplyStation 8.0, 8.1.3, 9.0, 9.1, 9.2 and 9.3 running on Windows Server 2003 and Windows XP. Versions 9.3, 9.4 and 10 operating on Windows Server 2008, Server 2012 and Windows 7 are not impacted by the security bugs.

The vendor has advised customers to upgrade legacy systems to the latest version of the platform. CareFusion customers who don’t want to upgrade the product can protect themselves against potential attacks by following a series of recommendations provided by the vendor.

Mitigation advice includes isolating affected systems from the Internet, using VPNs where remote access is required, monitoring network traffic for suspicious activity, closing unused ports, and protecting devices with firewalls.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
