PatchSiren

CVE-2016-9355 BD CVE debrief

CVE-2016-9355 describes a physical-access vulnerability in the BD Alaris 8015 Point of Care unit: an unauthorized person who can disassemble the device and access its flash memory may retrieve unencrypted wireless network authentication credentials and other sensitive technical data. The issue stems from the device storing secrets on removable flash memory. Because the media is removable, extraction can occur at the attacker's convenience, which reduces the chance of immediate detection.

Vendor: BD
Product: CVE-2016-9355
CVSS: MEDIUM 5.3
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-02-13
Original CVE updated: 2026-05-13
Advisory published: 2017-02-13
Advisory updated: 2026-05-13

Who should care

Healthcare organizations, clinical engineering teams, biomedical device owners, OT/ICS security teams, and IT administrators responsible for BD Alaris 8015 Point of Care units should care, especially where devices are physically accessible or handled outside tightly controlled areas.

Technical summary

NVD lists the weakness as CWE-255 and assigns the CVSS v3.0 vector AV:P/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N, reflecting an issue that requires physical access and has high confidentiality impact. The vulnerable scope in NVD includes BD Alaris 8015 PC unit versions 9.5 and earlier, plus version 9.7. The core problem is storage of wireless authentication credentials and other sensitive technical data on removable flash memory that can be extracted after device disassembly.

Defensive priority

Medium. The vulnerability is serious because it can expose wireless credentials and technical data, but exploitation requires physical access to the device, which limits broad remote risk.

Recommended defensive actions

  • Inventory BD Alaris 8015 Point of Care units and confirm affected versions against the NVD-listed scope.
  • Restrict physical access to devices and any removable storage components through locked rooms, controlled custody, and tamper-aware checks.
  • Coordinate with the vendor and medical device support channels to determine whether a firmware or design update is available for secret storage.
  • Rotate or reissue any wireless network credentials that may have been stored on affected devices if exposure is suspected.
  • Review whether affected devices are permitted to retain sensitive secrets locally and, if possible, move credential handling to safer storage practices.
  • Add device handling and decommissioning procedures that include secure removal and sanitization of flash media where supported by vendor guidance.
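
The inventory step in the first action above, as an added example that is not from the advisory or the vendor: a Python triage of an asset list against the NVD-listed scope (9.5 and earlier, plus 9.7). The CSV columns, asset IDs, the dotted-numeric version format and the "8015" model match are assumptions; versions the scope does not address exactly, such as 9.5.1, are routed to manual review.

```python
import csv
import io

# NVD-listed scope from this page: versions 9.5 and earlier, plus 9.7.
MAX_AFFECTED = (9, 5)
EXTRA_AFFECTED = {(9, 7)}

# Constructed sample inventory; column names and asset IDs are hypothetical.
SAMPLE_INVENTORY = """asset_id,model,version,location
PUMP-001,Alaris 8015,9.5,ICU
PUMP-002,Alaris 8015,9.7,Loaner pool
PUMP-003,Alaris 8015,9.6,Ward 3
PUMP-004,Alaris 8015,9.1.2,ER
PUMP-005,Alaris 8015,unknown,Storage
PUMP-006,Alaris 8100,9.5,ICU
PUMP-007,Alaris 8015,9.5.1,Biomed shop
"""

def parse_version(text):
    """Return a tuple of ints, or None when the string is not dotted-numeric."""
    parts = text.strip().split(".")
    if not all(p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)

def classify(model, version_text):
    """Map one inventory row to affected / review / not_listed / out_of_scope."""
    if "8015" not in model:  # assumed way the model is recorded
        return "out_of_scope"
    version = parse_version(version_text)
    if version is None:
        return "review"  # unknown or free-text version: verify on the device
    if version in EXTRA_AFFECTED or version <= MAX_AFFECTED:
        return "affected"
    if version[:2] == MAX_AFFECTED or version[:2] in EXTRA_AFFECTED:
        return "review"  # e.g. 9.5.1: the listed scope names only 9.5 and 9.7
    return "not_listed"

def triage(csv_text):
    """Return {asset_id: status} for every row of the inventory CSV."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return {r["asset_id"]: classify(r["model"], r["version"]) for r in rows}

if __name__ == "__main__":
    for asset, status in triage(SAMPLE_INVENTORY).items():
        print(f"{asset}: {status}")
```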

Evidence notes

The description and NVD CVSS vector both indicate a physical-access requirement. The published CVE date used here is 2017-02-13 from the supplied timeline. NVD’s modified timestamp is 2026-05-13, but that is not the vulnerability issue date. The supplied corpus also identifies the affected versions as 9.5 and prior versions, and version 9.7.

Official resources

Publicly disclosed on 2017-02-13. The supplied source was last modified on 2026-05-13, but that does not change the original CVE publication date.