#VU20897 Session Fixation in Pyxis Enterprise Server and Pyxis ES

Published: 2019-09-06

Vulnerability identifier: #VU20897

Vulnerability risk: Low


CVE-ID: CVE-2019-13517


Exploitation vector: Local network

Exploit availability: No

Vulnerable software:
Pyxis Enterprise Server
Hardware solutions / Medical equipment
Pyxis ES
Hardware solutions / Medical equipment

Vendor: Becton, Dickinson and Company (BD)


The vulnerability allows a local attacker to steal authenticated sessions.

The vulnerability exists due to the exists access privileges are not restricted in coordination with the expiration of access based on active directory user account changes when the device is joined to an Active Directory (AD) domain. A local authenticated user can use the AD credentials of a previously authenticated user to gain access to the device and obtain the patient data and medication.


Install updates from vendor's website.

Vulnerable software versions

Pyxis Enterprise Server: 4.4 - 4.12

Pyxis ES: 1.3.4 - 1.6.1


External links

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

Latest bulletins with this vulnerability