BD Product Security Bulletin for Third-Party CryptoAPI Vulnerability


Microsoft recently announced a spoofing vulnerability that exists in the way Windows CryptoAPI validates Elliptic Curve Cryptography (ECC) digital authentication certificates. This third-party vulnerability that Microsoft corrected with its latest patch release is not specific to BD or our products. However, BD would like to ensure its customers that utilize Windows 10, Windows Server 2016 and Windows Server 2019 are aware of the recent patch update through Microsoft. If exploited, an attacker could cause a man-in-the middle attack and decrypt confidential information on the affected system.

In order to exploit this vulnerability, an attacker would have to use a spoofed digital authentication certificate and deliver executable code, which would appear to the user as a trusted provider. This vulnerability can be exploited remotely.

We have had no reports of this vulnerability being exploited on BD’s products.


Microsoft released a patch that addresses this vulnerability by ensuring that Windows CryptoAPI completely validates Elliptic Curve Cryptography digital authentication certificates. BD is currently testing and validating the Microsoft patch for BD products that use the affected third-party Windows versions. Please see the Product Security Patching website for all approved product security patching notifications. Additionally, BD recommends the following systems that use Windows 10, Windows Server 2016, and Windows Server 2019:

  • Ensure data has been backed up and stored according to your individual processes and disaster recovery procedures
  • Execute updates to malware protection, where available

BD Products that Utilize Affected Windows Versions:

BD has received no reports of this third-party Microsoft vulnerability. The product list below is available for customers to help identify existing BD products that utilize Windows 10, Windows Server 2016, and Windows Server 2019. The list provided below is not comprehensive and may be updated as more products are identified. It does not indicate the patch or device status.

  • BD Alaris™ Systems Manager
  • BD Accuri™ C6 Plus
  • BD Assurity Linc™
  • BD BACTEC™ FX40*
  • BD COR™ system
  • BD DataLink™
  • BD EpiCenter™*
  • BD FACSAria™
  • BD FACSCanto™
  • BD FACSCelesta™
  • BD FACSDuet™
  • BD FACSLyric™
  • BD FACSMelody™
  • BD FACSSample Prep Assistant™(SPA)
  • BD HealthSight Analytics™
  • BD Kiestra™ IdentifA*
  • BD LSR II™
  • BD LSRFortessa™
  • BD MAX™*
  • BD MedMined™
  • BD Phoenix™ M50*
  • BD Rhapsody™ Single-Cell Analysis System
  • BD Specimen Collection Verification™ (SCV)


*Only applicable if product is connected to Assurity Linc for remote service via RSS (Remote Service Solution)

Customers that maintain patches independent of BD automated delivery should ensure these actions are performed as the acting responsible entity in order to maintain the correct security posture of the system(s).


For product or site-specific concerns, contact your BD service representative. If you observe symptoms of this attack, disconnect your system from the network and contact your BD service representative.

Chat with us
Our live chat is available between the hours of 8.30am - 5.00pm EST, Monday - Friday