This notification provides product security information and recommendations related to the use of hardcoded credentials in BD Viper™ LT system version(s) 2.0 and later. For maximum awareness, BD has voluntarily reported this vulnerability to the U.S. Food and Drug Administration (FDA) and to the Information Sharing and Analysis Organizations (ISAOs) in which BD participates, including the U.S. Department of Homeland Security Cybersecurity and Infrastructure Security Agency (CISA) and the Health Information Sharing and Analysis Center (H-ISAC).
The BD Viper™ LT system provides fully automated, integrated molecular testing on a tabletop analyzer. The system’s hardcoded credentials are not used directly by customers or end-users to access the system. To exploit this vulnerability, a threat actor would need physical or network access to the system and would need to bypass additional security controls.
There have been no reports of this vulnerability being exploited in a clinical setting.
BD is working to remediate the hardcoded credentials vulnerability in the BD Viper™ LT system and is providing this information to increase awareness. The fix is expected in the BD Viper™ LT system version 4.80 software release.
Additionally, BD recommends the following compensating controls for customers using the BD Viper™ LT system that utilize the hardcoded credentials:
For product- or site-specific concerns, contact your BD service representative.