PatchSiren cyber security CVE debrief
CVE-2024-48974 Baxter CVE debrief
A critical vulnerability in the Baxter Life2000 Ventilation System allows attackers to push compromised firmware due to missing file integrity checks during updates. Published November 14, 2024, this flaw enables unauthorized configuration changes, device functionality compromise, and potential information disclosure. The CVSS 9.3 score reflects local attack vector with no privileges required, high confidentiality/integrity/availability impact, and scope change affecting resources beyond the vulnerable component. Baxter has not yet released a patch but plans a follow-up announcement in Q2 2025. No exploitation has been reported.
- Vendor
- Baxter
- Product
- Life2000 Ventilation System
- CVSS
- CRITICAL 9.3
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2024-11-14
- Original CVE updated
- 2024-11-14
- Advisory published
- 2024-11-14
- Advisory updated
- 2024-11-14
Who should care
Healthcare delivery organizations using Baxter Life2000 Ventilation Systems; biomedical engineering teams; clinical engineering departments; hospital security operations centers; medical device cybersecurity programs; critical care units dependent on ventilator availability
Technical summary
The Life2000 Ventilation System fails to validate firmware file integrity during update adoption. An attacker with local physical access can install malicious firmware, forcing unauthorized configuration changes or complete device functionality compromise. The vulnerability scores CVSS 9.3 (Critical) with local attack vector, low attack complexity, no privileges required, and high impacts across confidentiality, integrity, and availability with scope change. Affected versions: 06.08.00.00 and earlier. No patch available; vendor mitigation requires physical security controls.
Defensive priority
critical
Recommended defensive actions
- Maintain physical possession and control of Life2000 ventilators; do not leave devices unattended in public or unsecured areas to reduce malicious actor access risk
- Monitor for Baxter's Q2 2025 follow-up announcement regarding vulnerability remediation
- Apply vendor firmware updates immediately upon release when available
- Implement network segmentation for medical devices per CISA ICS recommended practices
- Review and enforce least-privilege access controls for device maintenance personnel
Evidence notes
Source: CISA ICS Medical Advisory ICSMA-24-319-01. Affected product: Baxter Life2000 Ventilation System version 06.08.00.00 and earlier. CVSS 3.1 vector: AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H.
Official resources
-
CVE-2024-48974 CVE record
CVE.org
-
CVE-2024-48974 NVD detail
NVD
-
Source item URL
cisa_csaf
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
2024-11-14