CVE-2024-48973 Baxter CVE debrief

Who should care

Healthcare delivery organizations, clinical engineering departments, biomedical equipment technicians, respiratory therapy departments, hospital security teams, and medical device security programs responsible for ventilator fleet management and patient safety.

Technical summary

The Baxter Life2000 Ventilation System (versions <=06.08.00.00) ships with an enabled debug port on its serial interface. The debug port processes unencrypted messages, permitting an attacker with physical access to read device data and issue commands that modify settings or impair performance. The CVSS 3.1 vector (AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H) yields a 9.3 Critical score. No patch is available; mitigation relies on physical access controls until Baxter's planned Q2 2025 update.

Defensive priority

critical

Recommended defensive actions

• Restrict physical access to Life2000 Ventilation System devices; do not leave ventilators unattended in public or unsecured areas per vendor guidance.
• Monitor for anomalous serial interface activity or unauthorized device connections.
• Await Baxter's Q2 2025 follow-up announcement for patch availability and apply updates when released.
• Review CISA ICS recommended practices for medical device security and defense-in-depth strategies.
• Coordinate with clinical engineering and biomedical teams to inventory affected devices and enforce physical security controls.

Evidence notes

The vulnerability description and remediation guidance are drawn from CISA ICS Medical Advisory ICSMA-24-319-01, published November 14, 2024. The affected product version is Life2000 Ventilation System <=06.08.00.00. CVSS vector confirms local attack vector with no user interaction required and scope change, resulting in 9.3 Critical score.

Official resources