FTP Service Vulnerability in Baxter Spectrum WBM Products
CVE-2020-12047
What is CVE-2020-12047?
Baxter Spectrum WBM versions v17, v20D29, v20D30, v20D31, and v22D24, when used in a factory-default wireless configuration, enable an FTP service that uses hard-coded credentials. This exposes the devices to unauthorized access, potentially compromising sensitive data and operational integrity. Awareness and remediation are essential to ensure the security of these medical systems.
Affected Version(s)
Baxter Sigma Spectrum Infusion Pumps: Sigma Spectrum v6.x model 35700BAX; Spectrum v8.x model 35700BAX2; Sigma Spectrum v6.x with Wireless Battery Module (WBM) v9, v11, v13, v14, v15, v16, v20D29, v20D30, v20D31, v22D24; Spectrum v8.x w/WBM v17, v20D29, v20D30, v20D31, v22D24; Spectrum WBM v17, v20D29, v20D30, v20D31, v22D24; Spectrum LVP v8.x with WBM v17, v20D29, v20D30, v20D31, and v22D24