PatchSiren

PatchSiren cyber security CVE debrief

CVE-2024-9834 Baxter CVE debrief

A critical vulnerability (CVSS 9.3) in the Baxter Life2000 Ventilation System allows attackers with local access to the device's serial interface to send and receive unauthorized messages. This improper data protection flaw can result in information disclosure and unintended modifications to device settings and performance. The vulnerability affects Life2000 Ventilation System versions 6.08.00.00 and earlier. Baxter has not yet released a patch but plans a follow-up announcement in Q2 2025. No exploitation has been reported to date.

Vendor
Baxter
Product
Life2000 Ventilation System
CVSS
CRITICAL 9.3
CISA KEV
Not listed in stored evidence
Original CVE published
2024-11-14
Original CVE updated
2024-11-14
Advisory published
2024-11-14
Advisory updated
2024-11-14

Who should care

Healthcare facilities using Baxter Life2000 Ventilation Systems, biomedical engineering teams, clinical engineering departments, and healthcare CISOs responsible for medical device security.

Technical summary

The Baxter Life2000 Ventilation System fails to properly protect data on its serial interface, allowing an attacker with physical access to send and receive messages without authorization. This can lead to unauthorized information disclosure and manipulation of device settings that affect device performance. The attack requires local access (AV:L) but no privileges (PR:N) or user interaction (UI:N), and because the scope is changed (S:C) the high-rated impact on confidentiality, integrity, and availability extends beyond the serial interface to the system as a whole.

Defensive priority

critical

Recommended defensive actions

  • Restrict physical access to Life2000 ventilators; do not leave devices unattended in public or unsecured areas per vendor guidance.
  • Monitor for Q2 2025 vendor follow-up announcement regarding patch availability.
  • Apply network segmentation and access controls to limit exposure of device serial interfaces.
  • Review CISA ICS recommended practices for medical device security.

Evidence notes

CISA published advisory ICSMA-24-319-01 on 2024-11-14, identifying improper data protection on the ventilator's serial interface as the root cause. The CVSS 3.1 vector AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H confirms a local attack vector with no privileges or user interaction required, a changed scope, and high impact across confidentiality, integrity, and availability.

Official resources

2024-11-14