Cleartext transmission of sensitive information in Baxter Phoenix Hemodialysis Delivery System
| Risk | Medium |
| Patch available | NO |
| Number of vulnerabilities | 1 |
| CVE-ID | CVE-2020-12048 |
| CWE-ID | CWE-319 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software Subscribe |
Phoenix Hemodialysis Delivery System Hardware solutions / Medical equipment |
| Vendor | Baxter |
Security Bulletin
This security bulletin contains one medium risk vulnerability.
1) Cleartext transmission of sensitive information
EUVDB-ID: #VU29153
Risk: Medium
CVSSv3.1: 6.9 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:U/RC:C]
CVE-ID: CVE-2020-12048
CWE-ID:
CWE-319 - Cleartext Transmission of Sensitive Information
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to gain access to sensitive information.
The vulnerability exists due to software uses insecure communication channel to transmit sensitive information. A remote attacker can gain access to sensitive data, such as treatment and prescription data sent between the Phoenix system and the Exalis dialysis data management tool.
MitigationCybersecurity Help is currently unaware of any official solution to address this vulnerability.
Vulnerable software versionsPhoenix Hemodialysis Delivery System: 3.36 - 3.40
CPE2.3
- cpe:2.3:h:baxter:phoenix_hemodialysis_delivery_system:3.40:*:*:*:*:*:*:*
- Full software list in CPE2.3 format available after registration.
http://ics-cert.us-cert.gov/advisories/icsma-20-170-03
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
