PatchSiren cyber security CVE debrief
CVE-2024-48971 Baxter CVE debrief
A critical vulnerability in the Baxter Life2000 Ventilation System exposes hard-coded clinician credentials in plaintext, enabling unauthorized privileged access if an attacker obtains physical access to the device. Published November 14, 2024, this vulnerability carries a CVSS 3.1 score of 9.3 (CRITICAL) and affects Life2000 Ventilation System versions 6.08.00.00 and earlier. The root cause is the presence of hard-coded Clinician Password and Serial Number Clinician Password stored in plaintext within the ventilator firmware. An attacker with local access can extract these credentials to gain clinician-level privileges, potentially compromising patient safety and device integrity. Baxter has not released a patch as of the advisory date; remediation relies on physical security controls until a follow-up announcement expected in Q2 2025. No exploitation has been reported.
- Vendor
- Baxter
- Product
- Life2000 Ventilation System
- CVSS
- CRITICAL 9.3
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2024-11-14
- Original CVE updated
- 2024-11-14
- Advisory published
- 2024-11-14
- Advisory updated
- 2024-11-14
Who should care
Healthcare delivery organizations, biomedical engineering departments, respiratory therapy services, clinical engineering teams, hospital security operations, medical device manufacturers, healthcare CISOs, and regulatory compliance officers responsible for medical device cybersecurity and patient safety.
Technical summary
The Baxter Life2000 Ventilation System contains hard-coded Clinician Password and Serial Number Clinician Password stored in plaintext within device firmware. These credentials are embedded directly in the ventilator and can be extracted by an attacker with local physical access. Successful credential extraction enables unauthorized authentication with clinician privileges, granting complete control over ventilation parameters and device operation. The vulnerability requires local access (AV:L) but needs no privileges or user interaction (PR:N/UI:N). The changed scope (S:C) indicates impact beyond the vulnerable component to patient care systems. Complete compromise of confidentiality, integrity, and availability (C:H/I:H/A:H) reflects the critical safety implications for life-supporting medical equipment.
Defensive priority
CRITICAL
Recommended defensive actions
- Restrict physical access to Life2000 Ventilation Systems; do not leave devices unattended in public or unsecured areas per vendor guidance
- Maintain continuous physical possession and control of ventilators to prevent unauthorized local access
- Monitor for Baxter's Q2 2025 follow-up announcement regarding patch availability
- Review and implement CISA ICS recommended practices for medical device security
- Assess network segmentation for connected ventilators to limit lateral movement if credentials are compromised
- Inventory all deployed Life2000 units and verify firmware versions ≤06.08.00.00 are subject to this advisory
- Train clinical and biomedical engineering staff on physical security protocols for portable ventilators
Evidence notes
CISA ICS Medical Advisory ICSMA-24-319-01 confirms hard-coded plaintext credentials in Life2000 Ventilation System ≤06.08.00.00. CVSS 3.1 vector AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H reflects local attack vector with changed scope and complete confidentiality, integrity, and availability impact. Baxter's remediation guidance emphasizes physical security pending future patch release.
Official resources
-
CVE-2024-48971 CVE record
CVE.org
-
CVE-2024-48971 NVD detail
NVD
-
Source item URL
cisa_csaf
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
2024-11-14