CVE-2022-22767 in Pyxis
Summary
by MITRE • 06/02/2022
Specific BD Pyxis™ products were installed with default credentials and may presently still operate with these credentials. There may be scenarios where BD Pyxis™ products are installed with the same default local operating system credentials or domain-joined server(s) credentials that may be shared across product types. If exploited, threat actors may be able to gain privileged access to the underlying file system and could potentially exploit or gain access to ePHI or other sensitive information.
Analysis
by VulDB Data Team • 06/05/2022
CVE-2022-22767 is a critical security weakness in BD Pyxis™ medical device products that stems from improper credential management. It affects devices configured with default administrative credentials at installation, and the risk persists well beyond the initial deployment phase: as long as those default credentials remain unchanged and active, they provide an unauthorized access path for the whole device lifecycle. Security researchers have observed that many organizations fail to change default credentials during initial setup, leaving these devices exposed to exploitation.
The technical flaw underlying CVE-2022-22767 aligns with CWE-798, which specifically addresses the use of hard-coded credentials in software systems. This vulnerability occurs because BD Pyxis™ products are designed with default login credentials that are either pre-configured or easily discoverable through standard documentation or online resources. When these default credentials are not changed during deployment, they create a persistent backdoor that threat actors can exploit to gain unauthorized access to the underlying operating system. The vulnerability is particularly concerning because it affects both local operating system accounts and domain-joined server environments, meaning that a single compromised credential could potentially provide access to multiple interconnected systems within an organization's infrastructure.
The operational impact of this vulnerability extends far beyond simple unauthorized access, as it creates potential pathways for attackers to compromise sensitive healthcare information. When threat actors successfully exploit these default credentials, they can gain privileged access to the file system where patient health information and other protected health information (PHI) may be stored. This access level allows for potential data exfiltration, system modification, or the installation of malicious software that could further compromise the network. The vulnerability affects the confidentiality, integrity, and availability of healthcare data systems, which directly impacts compliance with healthcare regulations such as HIPAA. Organizations may face significant regulatory penalties and reputational damage if patient data is compromised through this vector.
From a threat modeling perspective, this vulnerability maps to several ATT&CK techniques, including T1078 (Valid Accounts) and T1003 (credential access), since attackers can use the default credentials to establish persistent access. The attack surface is broad because default credentials are often shared across different product types within the same organization, so a single compromised credential creates cascading risk. Mitigation should include immediate credential rotation on all affected devices, automated credential management, and a comprehensive inventory so that every default credential is identified and changed. Organizations should also segment the network and monitor for unauthorized access attempts. The vulnerability underscores the importance of security configuration management and of credential lifecycle practices that align with industry standards such as NIST SP 800-123 for secure configuration management. Regular security assessments and vulnerability scanning should be conducted to find and remediate similar issues across the entire IT infrastructure.
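The inventory tracking and access monitoring recommended above can be scripted. The following is an added example, not part of the VulDB analysis and not BD's own tooling: it takes a constructed device inventory plus constructed Windows Security logon records in a simple key=value format and reports known-default accounts that were never rotated, account names shared across more than one product type, logons that used a known-default account, and source addresses that touched several devices with such accounts. Every host name, account name, address and event below is an invented placeholder; the real default account names would come from the vendor advisory.

```python
"""Audit helpers for the default-credential risk described in CVE-2022-22767.

Added example, not the page's or the vendor's code. All inventory entries,
account names and log records are constructed placeholders.
"""
from collections import defaultdict
from dataclasses import dataclass

# Hypothetical account names a vendor might install by default (placeholders).
KNOWN_DEFAULT_ACCOUNTS = frozenset({"svc_default", "localadmin"})


@dataclass(frozen=True)
class Device:
    host: str
    product_type: str
    local_accounts: frozenset        # local OS account names present on the device
    default_creds_changed: bool      # from the configuration baseline (constructed)


# Constructed inventory: three devices of different product types.
DEVICES = [
    Device("PYXIS-MED01", "MedStation", frozenset({"svc_default", "pharmacy"}), False),
    Device("PYXIS-ANS01", "Anesthesia", frozenset({"svc_default", "anesthesia_ops"}), True),
    Device("PYXIS-SUP01", "SupplyStation", frozenset({"localadmin"}), False),
]

# Constructed logon records: "<timestamp> key=value ..." (4624 = success, 4625 = failure).
SAMPLE_EVENTS = """\
2022-06-05T10:01:00Z host=PYXIS-MED01 EventID=4624 TargetUserName=pharmacy IpAddress=10.0.5.23 LogonType=2
2022-06-05T10:04:12Z host=PYXIS-MED01 EventID=4624 TargetUserName=svc_default IpAddress=10.0.9.77 LogonType=10
2022-06-05T10:05:00Z host=PYXIS-SUP01 EventID=4625 TargetUserName=localadmin IpAddress=10.0.9.77 LogonType=3
2022-06-05T10:06:30Z host=PYXIS-ANS01 EventID=4624 TargetUserName=svc_default IpAddress=10.0.9.77 LogonType=3
"""


def find_unchanged_defaults(devices):
    """Return (host, account) pairs, in inventory order, where a known-default
    account exists and the baseline records that its password was never rotated."""
    findings = []
    for device in devices:
        if device.default_creds_changed:
            continue
        for account in sorted(device.local_accounts & KNOWN_DEFAULT_ACCOUNTS):
            findings.append((device.host, account))
    return findings


def find_shared_accounts(devices):
    """Map each account name present on more than one product type to the set of
    product types that carry it; shared local accounts are the cross-product risk."""
    by_account = defaultdict(set)
    for device in devices:
        for account in device.local_accounts:
            by_account[account].add(device.product_type)
    return {acct: types for acct, types in by_account.items() if len(types) > 1}


def parse_events(text):
    """Parse the constructed record format into dicts; the first token is the
    timestamp, every other token is key=value. Blank lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        event = {"timestamp": parts[0]}
        for token in parts[1:]:
            key, _, value = token.partition("=")
            event[key] = value
        events.append(event)
    return events


def flag_default_logons(text):
    """Return (host, account, source_ip, logon_type) for every successful logon
    (EventID 4624) that used a known-default account."""
    return [
        (e["host"], e["TargetUserName"], e["IpAddress"], e["LogonType"])
        for e in parse_events(text)
        if e.get("EventID") == "4624" and e.get("TargetUserName") in KNOWN_DEFAULT_ACCOUNTS
    ]


def sources_touching_multiple_hosts(text):
    """Map source addresses that attempted (success or failure) a known-default
    account on more than one device to the set of devices touched."""
    by_source = defaultdict(set)
    for e in parse_events(text):
        if e.get("EventID") in ("4624", "4625") and e.get("TargetUserName") in KNOWN_DEFAULT_ACCOUNTS:
            by_source[e["IpAddress"]].add(e["host"])
    return {ip: hosts for ip, hosts in by_source.items() if len(hosts) > 1}


if __name__ == "__main__":
    print("Unrotated defaults:", find_unchanged_defaults(DEVICES))
    print("Accounts shared across product types:", find_shared_accounts(DEVICES))
    print("Default-account logons:", flag_default_logons(SAMPLE_EVENTS))
    print("Sources spanning devices:", sources_touching_multiple_hosts(SAMPLE_EVENTS))
```

The two inventory checks are the "identify and change every default credential" step; the two log checks are the monitoring step, and the last one is the signal most worth alerting on, since one source reaching several devices with a shared default account is exactly the cascading scenario the analysis describes. In a real deployment the `KNOWN_DEFAULT_ACCOUNTS` set and the `default_creds_changed` flag would be fed from the vendor advisory and the configuration management database rather than hard-coded.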