This notification provides product security information and recommendations related to the use of hardcoded credentials in specific BD Pyxis™ products. BD has voluntarily reported this vulnerability to the U.S. Food and Drug Administration (FDA) and Information Sharing and Analysis Organizations (ISAOs) where BD participates, including the U.S. Department of Homeland Security Cybersecurity and Infrastructure Security Agency (CISA) and the Health Information Sharing and Analysis Center (H-ISAC).
The product list below identifies existing BD Pyxis™ products that use hardcoded credentials. The list may be updated as more products are identified. Please check back periodically for updates.
The BD Pyxis™ device’s hardcoded credentials are not used directly by customers or end-users to access the system. The use of hardcoded credentials in BD Pyxis™ devices is documented in BD Product Security White Papers, which customers can request from the BD Cybersecurity Trust Center. BD Product Security White Papers detail how security and privacy practices have been applied and provide information to help customers safeguard product security throughout each product's life cycle.
To exploit this vulnerability, threat actors would have to gain access to the hardcoded credentials, infiltrate a facility’s network, and gain access to individual devices.
There have been no reports of this vulnerability being exploited in a clinical setting.
BD is in the process of strengthening our credential management capabilities in BD Pyxis™ devices and is providing this information to increase awareness.
Additionally, BD recommends the following compensating controls for customers using BD Pyxis™ products that utilize the hardcoded credentials:
For product- or site-specific concerns, contact your BD service representative.