Security news that informs and inspires

Critical RCE Flaws Impact Medical Devices


Researchers have disclosed a set of seven vulnerabilities in PTC’s Axeda platform, which is preinstalled on connected devices, particularly in the healthcare industry, as a way for device manufacturers to remotely access and manage them.

Three of the vulnerabilities discovered by researchers with Forescout are rated critical severity and could enable attackers to run malicious code on affected devices or access sensitive data. Of note, an attacker would need local access to the network to leverage the flaws. However, researchers outlined several scenarios that would set the stage for an attack, such as hospitals being open to the public, having public guest Wi-Fi and lacking proper network segmentation.

“The impact would be remote code execution and taking full control of the devices, as well as information disclosure,” said Daniel dos Santos, head of security research with Forescout. “This could allow attackers to access sensitive information remotely on the devices. It could be passwords, databases holding sensitive information, or health information.”

One of the vulnerabilities (CVE-2022-25247) exists in the ERemoteServer.exe services and enables full file-system access as well as remote code execution. Another critical flaw (CVE-2022-25246) in the AxedaDesktopServer.exe service can allow attackers to utilize hard-coded credentials to enable full remote control of the device. The final flaw (CVE-2022-25251) in the Axeda xGate.exe agent stems from the agent supporting a set of unauthenticated commands to retrieve information about a device and modify the agent’s configuration.

Researchers said that at least 150 devices, from over 100 different vendors, are potentially vulnerable to the flaws - including medical imaging and laboratory devices. While Axeda is used mostly in lab, imaging and other types of medical devices, other industries like manufacturing and financial services use vulnerable platforms as well. Researchers said that various connected devices, including ATMs, vending machines, label printers, SCADA systems and asset monitoring or tracking devices are affected.

“This could allow attackers to access sensitive information remotely on the devices. It could be passwords, databases holding sensitive information, or health information.”

Redsearchers first reported the flaws to PTC in August. All versions of Axeda Agent below 6.9.3 are impacted, and PTC has released patches for all the flaws and started notifying downstream vendors in January. However, because the Axeda platform is built into products by original equipment manufacturers (OEMs), dos Santos warned that patching could take awhile to roll out given the number of vendors and devices across many different industries that are affected. At the same time, the end users of these devices - those working in hospitals, for instance - need to identify affected devices in their environments, which is a complicated feat for healthcare companies dealing with a diverse range of devices. These patching challenges are common for the complex Internet of Things (IoT) landscape, as previously seen with flaws like the Name:Wreck set of vulnerabilities in the popular TCP/IP stacks utilized by connected devices.

The Cybersecurity & Infrastructure Security Agency (CISA) and the U.S. Food and Drug Administration (FDA) also released statements urging users of potentially affected devices to contact the device manufacturer and inquire about any potential impacts and mitigations.

Medical devices are increasingly connected to the Internet, hospital networks, and other medical devices to provide features that improve health care and increase the ability of health care providers to treat patients," according to the FDA. "These same features also increase potential cybersecurity risks. Medical devices, like other computer systems, can be vulnerable to security breaches, potentially impacting the safety and effectiveness of the device.

Vendors that are potentially impacted need to identify devices running vulnerable versions of the Axeda component before applying the updates. For end-user operators, dos Santos recommended relying on security strategies such as enforcing segmentation controls, monitoring progressive patches released by impacted device manufacturers and monitoring all network traffic for malicious packets.

“We have been in communication with PTC, but beyond that we have needed to identify the manufacturers,” said dos Santos. “I expect the timeline will take a couple years for certain devices.”