PatchSiren

PatchSiren cyber security CVE debrief

CVE-2016-8375 Bd CVE debrief

CVE-2016-8375 is a physical-access information exposure issue in BD Alaris point-of-care units. The NVD record says affected devices can store unencrypted wireless network authentication credentials and other sensitive technical data in internal flash memory, which may be retrievable if an unauthorized person disassembles the unit and accesses the memory. Because the attack requires physical access, disassembly, and special tools, it is harder to carry out remotely, but the resulting credential exposure could still affect facility wireless security.

Vendor
Bd
Product
CVE-2016-8375
CVSS
MEDIUM 4.9
CISA KEV
Not listed in stored evidence
Original CVE published
2017-02-13
Original CVE updated
2026-05-13
Advisory published
2017-02-13
Advisory updated
2026-05-13

Who should care

Healthcare facilities using BD Alaris 8015 or 8000 point-of-care units; biomedical engineering teams; hospital IT, network, and OT/medical-device security teams; anyone responsible for device custody, wireless credential management, or incident response.

Technical summary

NVD lists CVE-2016-8375 with CVSS 3.0 vector AV:P/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N (score 4.9, Medium). The issue is that the Alaris 8015 PC Unit (version 9.5 and prior, and version 9.7 per the record) and the 8000 PC Unit store wireless authentication credentials and other sensitive technical data on internal flash memory. An attacker with physical access may be able to remove or disassemble the device and extract that data. NVD also maps the issue to CWE-255.

Defensive priority

Medium. The vulnerability is not remotely exploitable, but exposed wireless credentials on medical devices can create meaningful downstream network risk if a unit is lost, stolen, or tampered with.

Recommended defensive actions

  • Review the NVD entry and the referenced ICS-CERT advisories (ICSMA-17-017-01 and ICSMA-17-017-02) for vendor guidance and compensating controls.
  • Inventory all BD Alaris 8015 and 8000 point-of-care units and identify the exact versions in use.
  • Restrict physical access to affected devices and add tamper-evident and asset-control procedures where appropriate.
  • Assume credentials may be exposed if a device is compromised; rotate or replace any wireless authentication material that could have been stored on the unit.
  • Segment medical-device wireless and network access so a single device’s credential exposure does not grant broad internal access.
  • Coordinate with the device owner and biomedical engineering before any service actions that could affect patient care or operational continuity.

Evidence notes

This debrief is based on the supplied NVD record and its listed references: the official CVE/NVD entries, SecurityFocus BID 96113, and DHS ICS-CERT advisories ICSMA-17-017-01 and ICSMA-17-017-02. The corpus states that special tools and physical access are required, and that carrying out the attack in a healthcare facility would increase the likelihood of detection. No exploit code or weaponized reproduction details are included.

Official resources

Published in the supplied NVD record on 2017-02-13T22:59:00.210Z; the record was later modified on 2026-05-13T00:24:29.033Z. No KEV dates are provided in the supplied data.