Vulnerability Details : CVE-2022-26390
The Baxter Spectrum Wireless Battery Module (WBM) stores network credentials and PHI (only applicable to Spectrum IQ pumps using auto programming) in unencrypted form. An attacker with physical access to a device that hasn't had all data and settings erased may be able to extract sensitive information.
Products affected by CVE-2022-26390
- Baxter » Spectrum Wireless Battery Module Firmware, versions from 20d29 (including, >=) up to 20d32 (including, <=)
  cpe:2.3:o:baxter:spectrum_wireless_battery_module_firmware:*:*:*:*:*:*:*:*
- Baxter » Spectrum Wireless Battery Module Firmware, versions from 22d19 (including, >=) up to 22d28 (including, <=)
  cpe:2.3:o:baxter:spectrum_wireless_battery_module_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:baxter:spectrum_wireless_battery_module_firmware:16:*:*:*:*:*:*:*
- cpe:2.3:o:baxter:spectrum_wireless_battery_module_firmware:16d38:*:*:*:*:*:*:*
- cpe:2.3:o:baxter:spectrum_wireless_battery_module_firmware:17:*:*:*:*:*:*:*
- cpe:2.3:o:baxter:spectrum_wireless_battery_module_firmware:17d19:*:*:*:*:*:*:*
- cpe:2.3:o:baxter:sigma_spectrum_35700bax_firmware:-:*:*:*:*:*:*:*
- cpe:2.3:o:baxter:sigma_spectrum_35700bax2_firmware:-:*:*:*:*:*:*:*
- cpe:2.3:o:baxter:baxter_spectrum_iq_35700bax3_firmware:-:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2022-26390
- 0.06%: Probability of exploitation activity in the next 30 days
- ~21%: Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2022-26390
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
4.2 | MEDIUM | CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N | 0.5 | 3.6 | NIST | |
4.2 | MEDIUM | CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N | 0.5 | 3.6 | Baxter | |
CWE ids for CVE-2022-26390
- The product does not encrypt sensitive or critical information before storage or transmission. Assigned by:
  - nvd@nist.gov (Primary)
  - productsecurity@baxter.com (Secondary)
- The product stores sensitive information in cleartext within a resource that might be accessible to another control sphere. Assigned by: nvd@nist.gov (Primary)
References for CVE-2022-26390
- https://www.cisa.gov/uscert/ics/advisories/icsma-22-251-01
  Baxter Sigma Spectrum Infusion Pump | CISA (Third Party Advisory; US Government Resource)
- https://www.us-cert.gov/ics/advisories/icsma-22-xxx-xx
  404 - File Not Found | CISA (Third Party Advisory; US Government Resource)