Security Experts:

Connect with us

Hi, what are you looking for?


IoT Security

Vulnerabilities Expose BD Infusion Therapy Devices to Attacks

CyberMDX, a research and analysis company specializing in medical device security, on Thursday revealed that its employees identified two serious vulnerabilities in infusion therapy products from medical technology firm BD.

CyberMDX, a research and analysis company specializing in medical device security, on Thursday revealed that its employees identified two serious vulnerabilities in infusion therapy products from medical technology firm BD.

The flaws affect the Alaris Gateway Workstation, which is used for mounting, powering and communicating with infusion pumps. Specifically, the weaknesses impact devices running versions 1.1.3, 1.2, 1.3.0 and 1.3.1 of the firmware. The latest versions, 1.3.2 and 1.6.1, are not impacted.

Vulnerabilities found in BD Alaris Gateway WorkstationExploitation of the flaws could affect Alaris GS (no longer supported), GH, CC and TIVA infusion pumps running software version 2.3.6 and earlier. BD pointed out that version 2.3.6 was released back in 2006.

One of the vulnerabilities, tracked as CVE-2019-10959 and classified as “critical” with a CVSS score of 10, allows an attacker with network access to the targeted device to upload a malicious firmware to the Alaris Gateway Workstation.

The second security hole, tracked as CVE-2019-10962 and rated “high severity,” allows an attacker to access the web-based interface of the Alaris Gateway Workstation simply by knowing its IP address.

An attacker could exploit these vulnerabilities to brick the workstation device or manipulate communications with infusion pumps, which, in a worst case scenario, can be used to modify drug dosages or prevent the device from administering life-saving treatment, CyberMDX said.

CyberMDX told SecurityWeek that it’s not aware of any Alaris Gateway Workstation instances exposed directly to the internet and the company believes that the chances for that are extremely low.

“BD has assessed the change in scope to this vulnerability for clinical impact and concluded that although the probability of remotely exploiting the vulnerability to the Workstation and then creating a custom, executable code that impacts the delivery of a patient’s IV infusion is theoretically possible, the probability of patient harm is unlikely to occur due to the sequence of events that must occur in a specific order by a highly trained attacker. BD has had zero reports of this issue occurring from any customer sites,” BD said in its advisory.

BD has pointed out that the vulnerable products are not sold in the United States. An advisory from the DHS’s National Cybersecurity & Communications Integration Center (NCCIC) shows that the devices are mainly used in Europe and Asia.

In addition to patches, BD released some recommendations for mitigating potential attacks.

Related: Flaws in Roche Medical Devices Can Put Patients at Risk

Related: Siemens Medical Products Affected by Wormable Windows Flaw

Related: Serious Vulnerabilities Found in Fujifilm X-Ray Devices

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Expert Insights

Related Content

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Email Security

Microsoft is urging customers to install the latest Exchange Server updates and harden their environments to prevent malicious attacks.


A high-severity format string vulnerability in F5 BIG-IP can be exploited to cause a DoS condition and potentially execute arbitrary code.

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.