Insufficient Audit Logging Capabilities Expose Medical Devices to Cyber Threats
CVE-2024-48967

10CRITICAL

Key Information:

Vendor: Baxter
Status: Life2000 Ventilation System
Vendor: CVE Published:; 14 November 2024

What is CVE-2024-48967?

The ventilator and Service PC developed by VENDOR exhibit inadequate audit logging functionalities, hindering the detection and forensic analysis of potentially malicious activities. An individual with access to either the ventilator or the Service PC could manipulate ventilator settings undetected, leading to unauthorized information disclosure and compromising the operational integrity of the device. This may pose significant risks to patients relying on ventilatory support and calls for immediate attention to enhance logging mechanisms and secure device configurations.

Affected Version(s)

Life2000 Ventilation System 06.08.00.00 and prior

References

https://www.cisa.gov/news-events/ics-medical-advisories/i...

CVSS V3.1

Score:

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Changed

Timeline

Vulnerability published
Nov 14, 2024

Baxter

What is CVE-2024-48967?

Affected Version(s)

References

CVSS V3.1

Timeline