Vulnerability Details : CVE-2022-22767

Specific BD Pyxis™ products were installed with default credentials and may presently still operate with these credentials. There may be scenarios where BD Pyxis™ products are installed with the same default local operating system credentials or domain-joined server(s) credentials that may be shared across product types. If exploited, threat actors may be able to gain privileged access to the underlying file system and could potentially exploit or gain access to ePHI or other sensitive information.

Published 2022-06-02 14:15:36

Updated 2022-06-11 00:53:59

Source Becton, Dickinson and Company (BD)

View at NVD, CVE.org

Exploit prediction scoring system (EPSS) score for CVE-2022-22767

Probability of exploitation activity in the next 30 days: 0.05%

Percentile, the proportion of vulnerabilities that are scored at or less: ~ 21 % EPSS Score History EPSS FAQ

CVSS scores for CVE-2022-22767

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Source
8.3	HIGH	AV:A/AC:L/Au:N/C:C/I:C/A:C	6.5	10.0	[email protected]
Access Vector: Adjacent Network Access Complexity: Low Authentication: None Confidentiality Impact: Complete Integrity Impact: Complete Availability Impact: Complete
8.8	HIGH	CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H	2.8	5.9	[email protected]
Attack Vector: Adjacent Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: High Integrity: High Availability: High
8.8	HIGH	CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H	2.8	5.9	[email protected]
Attack Vector: Adjacent Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: High Integrity: High Availability: High

CWE ids for CVE-2022-22767

CWE-262 Not Using Password Aging

The product does not have a mechanism in place for managing password aging.

Assigned by: [email protected] (Secondary)
CWE-522 Insufficiently Protected Credentials

The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval.

Assigned by: [email protected] (Primary)

References for CVE-2022-22767

https://cybersecurity.bd.com/bulletins-and-patches/bd-pyxis-products-default-credentials

Vendor Advisory

Products affected by CVE-2022-22767

BD » Pyxis Medstation Es Firmware » Version: N/A
cpe:2.3:o:bd:pyxis_medstation_es_firmware:-:*:*:*:*:*:*:*
Matching versions
When used together with: BD » Pyxis Medstation Es » Version: N/A
BD » Pyxis Anesthesia Station Es Firmware » Version: N/A
cpe:2.3:o:bd:pyxis_anesthesia_station_es_firmware:-:*:*:*:*:*:*:*
Matching versions
When used together with: BD » Pyxis Anesthesia Station Es » Version: N/A
BD » Pyxis Ciisafe Firmware » Version: N/A
cpe:2.3:o:bd:pyxis_ciisafe_firmware:-:*:*:*:*:*:*:*
Matching versions
When used together with: BD » Pyxis Ciisafe » Version: N/A
BD » Pyxis Logistics Firmware » Version: N/A
cpe:2.3:o:bd:pyxis_logistics_firmware:-:*:*:*:*:*:*:*
Matching versions
When used together with: BD » Pyxis Logistics » Version: N/A
BD » Pyxis Medbank Firmware » Version: N/A
cpe:2.3:o:bd:pyxis_medbank_firmware:-:*:*:*:*:*:*:*
Matching versions
When used together with: BD » Pyxis Medbank » Version: N/A
BD » Pyxis Medstation 4000 Firmware » Version: N/A
cpe:2.3:o:bd:pyxis_medstation_4000_firmware:-:*:*:*:*:*:*:*
Matching versions
When used together with: BD » Pyxis Medstation 4000 » Version: N/A
BD » Pyxis Medstation Es Server Firmware » Version: N/A
cpe:2.3:o:bd:pyxis_medstation_es_server_firmware:-:*:*:*:*:*:*:*
Matching versions
When used together with: BD » Pyxis Medstation Es Server » Version: N/A
BD » Pyxis Parassist Firmware » Version: N/A
cpe:2.3:o:bd:pyxis_parassist_firmware:-:*:*:*:*:*:*:*
Matching versions
When used together with: BD » Pyxis Parassist » Version: N/A
BD » Pyxis Rapid Rx Firmware » Version: N/A
cpe:2.3:o:bd:pyxis_rapid_rx_firmware:-:*:*:*:*:*:*:*
Matching versions
When used together with: BD » Pyxis Rapid Rx » Version: N/A
BD » Pyxis Stockstation Firmware » Version: N/A
cpe:2.3:o:bd:pyxis_stockstation_firmware:-:*:*:*:*:*:*:*
Matching versions
When used together with: BD » Pyxis Stockstation » Version: N/A
BD » Pyxis Supplycenter Firmware » Version: N/A
cpe:2.3:o:bd:pyxis_supplycenter_firmware:-:*:*:*:*:*:*:*
Matching versions
When used together with: BD » Pyxis Supplycenter » Version: N/A
BD » Pyxis Supplyroller Firmware » Version: N/A
cpe:2.3:o:bd:pyxis_supplyroller_firmware:-:*:*:*:*:*:*:*
Matching versions
When used together with: BD » Pyxis Supplyroller » Version: N/A
BD » Pyxis Supplystation Firmware » Version: N/A
cpe:2.3:o:bd:pyxis_supplystation_firmware:-:*:*:*:*:*:*:*
Matching versions
When used together with: BD » Pyxis Supplystation » Version: N/A
BD » Rowa Pouch Packaging Systems Firmware » Version: N/A
cpe:2.3:o:bd:rowa_pouch_packaging_systems_firmware:-:*:*:*:*:*:*:*
Matching versions
When used together with: BD » Rowa Pouch Packaging Systems » Version: N/A
BD » Pyxis Supplystation Ec Firmware » Version: N/A
cpe:2.3:o:bd:pyxis_supplystation_ec_firmware:-:*:*:*:*:*:*:*
Matching versions
When used together with: BD » Pyxis Supplystation Ec » Version: N/A
BD » Pyxis Supplystation Rf Auxiliary Firmware » Version: N/A
cpe:2.3:o:bd:pyxis_supplystation_rf_auxiliary_firmware:-:*:*:*:*:*:*:*
Matching versions
When used together with: BD » Pyxis Supplystation Rf Auxiliary » Version: N/A