CVE-2024-48971

9.3

Critical

Published:14 Nov 2024

Last updated:17 Jun 2026

Source:productsecurity@baxter.com

Deferred

Weakness (CWE)

CWE-798Use of Hard-coded Credentials

CVSS Vector

v3.1

Attack Vector: Local
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Changed
Confidentiality: High
Integrity: High
Availability: High

View on MITRE Find PoC on GitHub

Description

The Clinician Password and Serial Number Clinician Password are hard-coded into the ventilator in plaintext form. This could allow an attacker to obtain the password off the ventilator and use it to gain unauthorized access to the device, with clinician privileges.

References

productsecurity@baxter.com

https://www.cisa.gov/news-events/ics-medical-advisories/icsma-24-319-01