Philips Patient Monitoring Devices Improper Authentication
CVE-2020-16222

8.8HIGH

Key Information:

Vendor: Philips
Status: Patient Information Center Ix (picix); Performancebridge Focal Point
Vendor: CVE Published:; 11 September 2020

Summary

In Patient Information Center iX (PICiX) Version B.02, C.02, C.03, and PerformanceBridge Focal Point Version A.01, when an actor claims to have a given identity, the software does not prove or insufficiently proves the claim is correct.

Affected Version(s)

Patient Information Center iX (PICiX) B.02

Patient Information Center iX (PICiX) C.02

Patient Information Center iX (PICiX) C.03

References

https://us-cert.cisa.gov/ics/advisories/icsma-20-254-01

x_refsource_MISC

https://www.philips.com/productsecurity

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Adjacent Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Sep 11, 2020
Vulnerability Reserved
Jul 31, 2020

Credit

Julian Suleder, Nils Emmerich, Birk Kauer of ERNW Research GmbH, Dr. Oliver Matula of ERNW Enno, and Rey Netzwerke GmbH reported these vulnerabilities to the Federal Office for Information Security (BSI), Germany, in the context of the BSI project ManiMed (Manipulation of medical devices), which reported these to Philips.