CVE-2020-12048

Published: Jun 29, 2020Modified: Nov 21, 2024

7.5

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Exploitability: 3.9 / Impact: 3.6

Source: NVD

Description

Phoenix Hemodialysis Delivery System SW 3.36 and 3.40, The Phoenix Hemodialysis device does not support data-in-transit encryption (e.g., TLS/SSL) when transmitting treatment and prescription data on the network between the Phoenix system and the Exalis dialysis data management tool. An attacker with access to the network could observe sensitive treatment and prescription data sent between the Phoenix system and the Exalis tool.

Affected (2)

Products: Baxter: Phoenix X36 Firmware

1 product

Phoenix X36 Firmware

Configuration A

2 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Baxter Phoenix X36 Firmware	Version 3.36
Baxter Phoenix X36 Firmware	Version 3.40

Running on/with	Platform Versions
Baxter Phoenix X36	All versions

Related CWEs

Cleartext Transmission of Sensitive Information

The product transmits sensitive or security-critical data in cleartext in a communication channel that can be sniffed by unauthorized actors.

References (2)

https://www.us-cert.gov/ics/advisories/icsma-20-170-03

Source: ics-cert@hq.dhs.gov

Third Party AdvisoryUS Government Resource

https://www.us-cert.gov/ics/advisories/icsma-20-170-03

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party AdvisoryUS Government Resource

Timeline

No history available yet.