Third-party Vulnerability

Axeda Software Products

Background

Note: Axeda Agent and Axeda Desktop Server are third-party software components no longer used in BD products. BD is proactively reaching out to customers who may still have Axeda in limited instances to assist in removing this application.

BD is aware of and currently monitoring vulnerabilities affecting all versions of Axeda Agent and Axeda Desktop Server for Windows Operating Systems. This third-party vulnerability is not specific to BD or our products. Additionally, we have not received any reports of this vulnerability being exploited on BD products. BD is providing this update to let customers know which BD products could be affected by the following third-party Axeda vulnerabilities:

  • CVE-2022-25246 – AxedaDesktopServer.exe – The affected product uses hardcoded credentials for its UltraVNC installation. Successful exploitation of this vulnerability could allow a remote authenticated attacker to take full remote control of the host operating system via Remote Desktop Connection.

  • CVE-2022-25247 – ERemoteServer, System Access – The affected product may allow an attacker to send certain commands to a specific port without authentication. Successful exploitation of this vulnerability could allow a remote unauthenticated attacker to obtain full file-system access and remote code execution.

  • CVE-2022-25248 – ERemoteServer, Event Text Log – When a client connects to a certain port, the affected product supplies the event log of the specific service.

  • CVE-2022-25249 – xGate and EKernel, Directory Traversal – The affected product (this does not apply to Axeda Agent 6.9.2 and 6.9.3) is vulnerable to directory traversal, which could allow a remote, unauthenticated attacker to obtain file-system read access via the web server.

  • CVE-2022-25250 – xGate and EKernel, Shut Down – The affected product may allow an attacker to send a certain command to a specific port without authentication. Successful exploitation of this vulnerability could allow a remote unauthenticated attacker to shut down a specific service.

  • CVE-2022-25251 – xGate and EKernel, Read and modify agent configuration – The affected product may allow an attacker to send certain XML messages to a specific port without proper authentication. Successful exploitation of this vulnerability could allow a remote unauthenticated attacker to read and modify the affected product’s configuration.

  • CVE-2022-25252 – xBase39 – The affected product throws an exception when it receives certain input, and the services using that function do not handle the exception. Successful exploitation of this vulnerability could allow a remote unauthenticated attacker to crash the affected product.

Response

BD ended its license agreement with Axeda in August 2019 and most customers have already moved to a non-Axeda based provisioned product. BD is proactively reaching out to customers who may still have Axeda to assist in removing this application.

BD Products that Utilize Affected Axeda Products

The product list below identifies BD Integrated Diagnostic Systems (IDS) products that were offered with Axeda.

  • BD Assurity Linc™ v1.00a (newer versions of BD Assurity Linc™ do not utilize Axeda products)

Note: BD Assurity Linc™ product and version numbers are different between BD IDS and BD Biosciences (BDB) products. BD IDS Assurity Linc™ comes as a hardware appliance.

  • BD BACTEC™ 9120
  • BD BACTEC™ 9240
  • BD BACTEC™ FX
  • BD EpiCenter™
  • BD Kiestra™ Total Lab Automation (TLA) system
  • BD MAX™
  • BD Totalys™

The BD Biosciences products listed below are in scope only if they are provisioned with BD Assurity Linc™ version 2.0 or earlier (which includes Axeda) and have a Windows 7 Operating System. Newer versions of BD Assurity Linc™ (> version 2.0) or systems with Windows 10 Operating System do not utilize Axeda products.

  • BD FACSCanto™ 10-color
  • BD FACSCanto™ 10-color clinical
  • BD FACSCanto™ II
  • BD FACSCanto™ II clinical
  • BD FACSLyric™
  • BD FACSVerse™

These lists do not indicate the patch or device status. They may be updated if more products are identified. Please check back periodically for updates.
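Because the lists above do not state a device's status, a site still has to confirm whether a given Windows host carries Axeda components before asking BD to remove them. The following inventory script is an added example written for this page; it is not BD's or Axeda's code. It reads the standard Windows uninstall registry hives for any product whose display name contains "Axeda", lists running processes whose image name resembles the component names cited in the advisory (AxedaDesktopServer, ERemoteServer, xGate, EKernel; treating those as process names is an assumption), lists services that mention Axeda in their display name or binary path (also an assumption about how the product registers itself), and records the OS version, since the BD Biosciences scope above turns on Windows 7 versus Windows 10. It assumes Windows PowerShell 3.0 or later and an elevated prompt; it changes nothing on the host.

```powershell
# Added example, not BD's or Axeda's code: inventory a Windows host for residual
# Axeda components. Assumptions: process image names are derived from the
# component names in the advisory; services are matched on "Axeda" in their
# display name or binary path; only the uninstall-entry match is a firm signal.
# Requires Windows PowerShell 3.0+ (Get-CimInstance, [pscustomobject]).

$findings = @()

# 1. Installed-program entries in the 64-bit and 32-bit uninstall hives
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
foreach ($key in $uninstallKeys) {
    Get-ItemProperty -Path $key -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like '*Axeda*' } |
        ForEach-Object {
            $findings += [pscustomobject]@{
                Kind   = 'InstalledProgram'
                Name   = $_.DisplayName
                Detail = "Version=$($_.DisplayVersion) Location=$($_.InstallLocation)"
            }
        }
}

# 2. Running processes whose image name matches an assumed component name
$processPatterns = @('AxedaDesktopServer', 'ERemoteServer', 'xGate', 'EKernel')
Get-Process -ErrorAction SilentlyContinue |
    Where-Object { $n = $_.ProcessName; $processPatterns | Where-Object { $n -like "*$_*" } } |
    ForEach-Object {
        $findings += [pscustomobject]@{
            Kind   = 'Process'
            Name   = $_.ProcessName
            Detail = "PID=$($_.Id) Path=$($_.Path)"
        }
    }

# 3. Services whose display name or binary path mentions Axeda (assumed naming)
Get-CimInstance Win32_Service -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like '*Axeda*' -or $_.PathName -like '*Axeda*' } |
    ForEach-Object {
        $findings += [pscustomobject]@{
            Kind   = 'Service'
            Name   = $_.Name
            Detail = "State=$($_.State) Path=$($_.PathName)"
        }
    }

# 4. OS version, because the BD Biosciences scope depends on Windows 7 vs 10
$os = Get-CimInstance Win32_OperatingSystem
$findings += [pscustomobject]@{
    Kind   = 'OS'
    Name   = $os.Caption
    Detail = "Build=$($os.BuildNumber)"
}

$findings | Format-Table -AutoSize

# Report only; removal is coordinated with the BD service representative
if ($findings | Where-Object { $_.Kind -ne 'OS' }) {
    Write-Warning 'Axeda components found on this host; contact your BD service representative.'
}
```

Run it from an elevated PowerShell prompt on each candidate host and keep the output with the device record. An uninstall entry containing "Axeda" is the reliable indicator; the process and service matches are heuristics that depend on the assumed names above, so treat a hit there as a prompt to look closer rather than as confirmation.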

Additional Resources

For product or site-specific concerns, contact your BD service representative. If you believe a BD device on your network has been impacted by this third-party vulnerability, disconnect the device from the network and contact your BD service representative immediately.
