CVE-2024-48966 Baxter CVE debrief

Who should care

Healthcare delivery organizations using Baxter Life2000 Ventilation Systems; biomedical engineering teams; clinical engineering departments; ICS/OT security teams in healthcare environments; regulatory compliance officers managing FDA cybersecurity guidance adherence

Technical summary

The Life2000 Ventilation System's service tools (test and calibration) implement no user authentication mechanism. An attacker with physical or logical access to the Service PC can: (1) extract diagnostic information via the test tool, and (2) modify ventilator settings and embedded software via the calibration tool. Both operations require no credentials. The attack vector is local to the service infrastructure but carries network-accessible CVSS scoring due to potential lateral movement scenarios. Impact spans confidentiality (diagnostic data exposure), integrity (setting manipulation), and availability (device performance degradation).

Defensive priority

critical

Recommended defensive actions

• Restrict physical access to Service PCs running Life2000 test and calibration tools to authorized personnel only
• Maintain physical possession of ventilators; do not leave devices unattended in public or unsecured areas
• Monitor for unauthorized access to service tool installations and associated diagnostic outputs
• Await Baxter's Q2 2025 follow-up announcement for patch availability
• Apply network segmentation to isolate Service PCs from untrusted networks
• Review and strengthen access controls for any systems interfacing with Life2000 ventilators

Evidence notes

CISA published ICSMA-24-319-01 on 2024-11-14 with CVSS 10.0. Baxter confirmed affected versions ≤06.08.00.00. No known exploitation reported. Vendor fix planned for Q2 2025.

Official resources