PatchSiren

PatchSiren cyber security CVE debrief

CVE-2024-10476 Becton Dickinson & Co CVE debrief

Default service credentials in six BD Diagnostic Solutions product families let an attacker with local network or physical access read, modify, or delete PHI/PII and potentially shut the affected system down. CISA published advisory ICSMA-24-352-01 on 2024-12-17; Update A on 2025-01-28 added mitigation guidance. CVSS 8.0 (High). There is no self-service patch: BD is remediating the credentials through its Field Service Organization, with most scheduling expected in H1 2025.

Vendor
Becton Dickinson & Co
Product
BD BACTEC Blood Culture System (one of six affected BD Diagnostic Solutions product families; see Technical summary)
CVSS
8.0 (High)
CISA KEV
Not listed in stored evidence
Original CVE published
2024-12-17
Original CVE updated
2025-01-28
Advisory published
2024-12-17
Advisory updated
2025-01-28

Who should care

Healthcare delivery organizations, clinical laboratories, microbiology departments, biomedical engineering teams, and healthcare CISOs operating BD Diagnostic Solutions instruments in clinical settings.

Technical summary

Default service credentials in BD Diagnostic Solutions products (BACTEC Blood Culture System, COR System, EpiCenter, MAX System, Phoenix M50, and Synapsys Informatics Solution on NUC servers) allow an attacker with local network or physical access to read, modify, or delete PHI/PII and potentially shut the system down. Exploitation requires direct logical or physical access to the clinical environment; the vulnerability is not remotely exploitable from the internet. The fix is a credential change performed by BD's Field Service Organization, which is contacting users proactively, with most scheduling expected in H1 2025. Until a given instrument has been remediated, the compensating controls below are its only protection.

Defensive priority

HIGH

Recommended defensive actions

  • Coordinate with BD Field Service on credential remediation; BD is contacting users proactively, with most scheduling expected in H1 2025
  • Restrict physical and logical access to affected diagnostic instruments to authorized personnel only
  • Inform authorized users of the issue and enforce strict password control for all relevant accounts
  • Monitor and log network traffic to medical device management environments, and review it for connections that should not be there
  • Isolate affected devices in dedicated VLANs or behind firewalls that permit access only from an explicit list of trusted hosts
  • Disable or block RDP on impacted devices; it is not required for operation
  • Review and enforce appropriate permissions on file shares exposed by the devices, and monitor their access logs
  • Disconnect devices from the network entirely where connectivity is not operationally necessary
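The monitoring, isolation and RDP-blocking items above amount to one allow-list policy per instrument VLAN: only trusted hosts, only expected ports, never RDP. The script below is an added example (not from the advisory or from BD) that checks firewall or flow log lines against such a policy and reports traffic that got through but should not have. The policy, subnet, trusted hosts, allowed ports and the key=value log format are all assumptions, and the sample log lines are constructed.

```python
"""Check firewall/flow log lines against an allow-list policy for isolated
diagnostic-instrument VLANs: only trusted hosts, only expected ports, no RDP."""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass

RDP_PORT = 3389  # RDP is not needed for operation and should never reach an instrument


@dataclass(frozen=True)
class DevicePolicy:
    name: str
    subnet: ipaddress.IPv4Network   # the isolated instrument VLAN
    trusted_hosts: frozenset[str]   # the only sources allowed to reach it
    allowed_ports: frozenset[int]   # the only destination ports those hosts may use


@dataclass(frozen=True)
class Finding:
    ts: str
    src: str
    dst: str
    dport: int
    reason: str


# Hypothetical policy (assumption, not from the advisory): one instrument VLAN,
# two trusted management hosts, HTTPS and SMB only.
POLICIES = [
    DevicePolicy(
        name="bactec-lab-vlan",
        subnet=ipaddress.ip_network("10.20.30.0/24"),
        trusted_hosts=frozenset({"10.1.1.10", "10.1.1.11"}),
        allowed_ports=frozenset({443, 445}),
    ),
]

# Constructed sample log lines in a generic key=value flow format (not real traffic).
SAMPLE_LOG = """\
ts=2025-01-29T08:00:01Z src=10.1.1.10 dst=10.20.30.5 dport=443 proto=tcp action=allow
ts=2025-01-29T08:00:07Z src=10.1.1.10 dst=10.20.30.5 dport=3389 proto=tcp action=allow
ts=2025-01-29T08:01:12Z src=10.5.5.77 dst=10.20.30.5 dport=445 proto=tcp action=allow
ts=2025-01-29T08:01:30Z src=10.5.5.78 dst=10.20.30.5 dport=3389 proto=tcp action=deny
ts=2025-01-29T08:02:00Z src=10.1.1.11 dst=10.20.30.6 dport=445 proto=tcp action=allow
ts=2025-01-29T08:03:00Z src=10.1.1.11 dst=10.20.30.6 dport=22 proto=tcp action=allow
ts=2025-01-29T08:04:00Z src=10.9.9.9 dst=192.168.50.1 dport=3389 proto=tcp action=allow
"""

LINE_RE = re.compile(
    r"ts=(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) "
    r"proto=(?P<proto>\S+) action=(?P<action>\S+)"
)


def parse_line(line: str) -> dict | None:
    """Parse one log line; return None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    return rec


def policy_for(dst: str, policies: list[DevicePolicy]) -> DevicePolicy | None:
    """Return the policy whose VLAN contains dst, or None if dst is not an instrument."""
    addr = ipaddress.ip_address(dst)
    return next((p for p in policies if addr in p.subnet), None)


def evaluate(rec: dict, policies: list[DevicePolicy]) -> list[Finding]:
    """Findings for one record. Denied flows are the firewall doing its job and are
    skipped; only traffic that actually reached an instrument VLAN is judged."""
    if rec["action"] != "allow":
        return []
    policy = policy_for(rec["dst"], policies)
    if policy is None:
        return []
    base = dict(ts=rec["ts"], src=rec["src"], dst=rec["dst"], dport=rec["dport"])
    if rec["dport"] == RDP_PORT:
        return [Finding(**base, reason="rdp-to-instrument")]
    if rec["src"] not in policy.trusted_hosts:
        return [Finding(**base, reason="untrusted-source")]
    if rec["dport"] not in policy.allowed_ports:
        return [Finding(**base, reason="unexpected-port")]
    return []


def scan(log_text: str, policies: list[DevicePolicy]) -> list[Finding]:
    """Run every parseable line through evaluate() and collect the findings."""
    findings: list[Finding] = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            findings.extend(evaluate(rec, policies))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG, POLICIES):
        print(f"{f.ts} {f.reason:<20} {f.src} -> {f.dst}:{f.dport}")
```

On the constructed sample this reports three findings: RDP reaching an instrument from a trusted host (the port must be blocked even for trusted management hosts), SMB from a host outside the allow-list (a VLAN or firewall gap), and SSH from a trusted host on a port the policy does not expect. The denied RDP attempt and the flow to a non-instrument subnet are ignored. Point it at an export of your own firewall or flow logs, with the policy filled in from the VLAN design, to confirm that the isolation actually holds rather than assuming it does.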

Evidence notes

Source: CISA CSAF advisory ICSMA-24-352-01. Six BD Diagnostic Solutions product families affected. BD remediation deployed via Field Service Organization.

Official resources

CISA ICS Medical Advisory ICSMA-24-352-01 published 2024-12-17; Update A released 2025-01-28 with expanded mitigation guidance.