Security Experts:

Connect with us

Hi, what are you looking for?


IoT Security

Vulnerabilities Expose BD Infusion Therapy Devices to Attacks

CyberMDX, a research and analysis company specializing in medical device security, on Thursday revealed that its employees identified two serious vulnerabilities in infusion therapy products from medical technology firm BD.

CyberMDX, a research and analysis company specializing in medical device security, on Thursday revealed that its employees identified two serious vulnerabilities in infusion therapy products from medical technology firm BD.

The flaws affect the Alaris Gateway Workstation, which is used for mounting, powering and communicating with infusion pumps. Specifically, the weaknesses impact devices running versions 1.1.3, 1.2, 1.3.0 and 1.3.1 of the firmware. The latest versions, 1.3.2 and 1.6.1, are not impacted.

Vulnerabilities found in BD Alaris Gateway WorkstationExploitation of the flaws could affect Alaris GS (no longer supported), GH, CC and TIVA infusion pumps running software version 2.3.6 and earlier. BD pointed out that version 2.3.6 was released back in 2006.

One of the vulnerabilities, tracked as CVE-2019-10959 and classified as “critical” with a CVSS score of 10, allows an attacker with network access to the targeted device to upload a malicious firmware to the Alaris Gateway Workstation.

The second security hole, tracked as CVE-2019-10962 and rated “high severity,” allows an attacker to access the web-based interface of the Alaris Gateway Workstation simply by knowing its IP address.

An attacker could exploit these vulnerabilities to brick the workstation device or manipulate communications with infusion pumps, which, in a worst case scenario, can be used to modify drug dosages or prevent the device from administering life-saving treatment, CyberMDX said.

CyberMDX told SecurityWeek that it’s not aware of any Alaris Gateway Workstation instances exposed directly to the internet and the company believes that the chances for that are extremely low.

“BD has assessed the change in scope to this vulnerability for clinical impact and concluded that although the probability of remotely exploiting the vulnerability to the Workstation and then creating a custom, executable code that impacts the delivery of a patient’s IV infusion is theoretically possible, the probability of patient harm is unlikely to occur due to the sequence of events that must occur in a specific order by a highly trained attacker. BD has had zero reports of this issue occurring from any customer sites,” BD said in its advisory.

BD has pointed out that the vulnerable products are not sold in the United States. An advisory from the DHS’s National Cybersecurity & Communications Integration Center (NCCIC) shows that the devices are mainly used in Europe and Asia.

In addition to patches, BD released some recommendations for mitigating potential attacks.

Related: Flaws in Roche Medical Devices Can Put Patients at Risk

Related: Siemens Medical Products Affected by Wormable Windows Flaw

Related: Serious Vulnerabilities Found in Fujifilm X-Ray Devices

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Application Security

A CSRF vulnerability in the source control management (SCM) service Kudu could be exploited to achieve remote code execution in multiple Azure services.


GoAnywhere MFT users warned about a zero-day remote code injection exploit that can be targeted directly from the internet