Baxter Welch Allyn Connex Spot Monitor Vulnerability CVE-2024-1275
Summary
Successful exploitation of CVE-2024-1275 could lead to data compromise, resulting in impact and/or delay in patient care
Affected platforms
The following platforms are known to be affected:
- Baxter (formerly Hillrom) Welch Allyn Connex Spot Monitor (CSM)
Threat details
Introduction
Baxter has released a security update to address a vulnerability arising from the use of default cryptographic keys, which affects the Baxter Welch Allyn Connex Spot Monitor (CSM), a medical device formerly manufactured by Hillrom. The vulnerability has a CVSSv3 score of 7.4. The CSM allows clinicians to spot-check a patient's respiration rate; the acquired readings help reduce transcription errors and detect signs of deterioration.
If exploited, an attacker could modify device configurations and firmware data, resulting in impact and/or delay to patient care.
Remediation advice
Affected organisations are encouraged to review the US Cybersecurity and Infrastructure Security Agency (CISA) advisory ICSMA-24-151-02 and apply the following update from Baxter:
- Welch Allyn Connex Spot Monitor: Version 1.5.2.01 (available October 16, 2023)
Baxter recommends that users upgrade to the latest versions of their products. Information on how to update products to their new versions can be found on the Baxter disclosure page or the Hillrom disclosure page.
Baxter recommends the following workarounds to help reduce risk:
- Apply proper network and physical security controls.
- Ensure a unique encryption key is configured and applied to the product (as described in the Connex Spot Monitor Service Manual).
Definitive source of threat updates
CVE Vulnerabilities
Last edited: 31 May 2024 4:15 pm