CVE-2022-22767

moderate-risk
Published 2022-06-02

Specific BD Pyxis™ products were installed with default credentials and may presently still operate with these credentials. There may be scenarios where BD Pyxis™ products are installed with the same default local operating system credentials or domain-joined server(s) credentials that may be shared across product types. If exploited, threat actors may be able to gain privileged access to the underlying file system and could potentially exploit or gain access to ePHI or other sensitive information.

Do I need to act?

EPSS score: 0.23% chance of exploitation (low exploit probability)
CISA KEV: Not on CISA KEV list. No confirmed active exploitation reported to CISA
Patch status: unknown. Check vendor advisories for fix availability and mitigation guidance
CVSS: 8.8/10 High (ADJACENT_NETWORK / LOW complexity)

Affected Products (16)

Pyxis Anesthesia Station Es Firmware
Pyxis Ciisafe Firmware
Pyxis Logistics Firmware
Pyxis Medbank Firmware
Pyxis Medstation 4000 Firmware
Pyxis Medstation Es Firmware
Pyxis Medstation Es Server Firmware
Pyxis Parassist Firmware
Pyxis Rapid Rx Firmware
Pyxis Stockstation Firmware
Pyxis Supplycenter Firmware
Pyxis Supplyroller Firmware
Pyxis Supplystation Firmware
Pyxis Supplystation Ec Firmware
Pyxis Supplystation Rf Auxiliary Firmware
Rowa Pouch Packaging Systems Firmware

Affected Vendors

BD

46 / 100 moderate-risk
Severity 27/34 · High
Exploitability 1/34 · Minimal
Exposure 18/34 · Moderate