A hard-coded credential vulnerability in medical laboratory equipment used for cervical cancer screenings could allow an attacker to modify sensitive patient information.
Advisories issued Tuesday by manufacturer BD and the Cybersecurity and Infrastructure Security Agency as part of a coordinated vulnerability disclosure say the flaw affects the BD Totalys MultiProcessor versions 1.70 and earlier.
BD reported the finding to CISA. There have been no reports of the vulnerability being exploited, including in clinical settings, the device maker says. In an emailed response to Information Security Media Group’s inquiry, the company declined to disclose the estimated number of installed Totalys MultiProcessor systems in use globally.
The affected product uses hard-coded credentials that could allow an attacker to access, modify or delete sensitive information, including electronic protected health information and personally identifiable information. The Totalys MultiProcessor system “combines full automation of the cell enrichment process for cervical samples, continuous chain of custody and customizable aliquots for ancillary testing,” according to BD.