CVE-2022-22767

HIGH

BD Pyxis Anesthesia Station ES Firmware - Insufficiently Protected Credentials

Title source: rule

Description

Specific BD Pyxis™ products were installed with default credentials and may presently still operate with these credentials. There may be scenarios where BD Pyxis™ products are installed with the same default local operating system credentials or domain-joined server(s) credentials that may be shared across product types. If exploited, threat actors may be able to gain privileged access to the underlying file system and could potentially exploit or gain access to ePHI or other sensitive information.

References (1)

[Vendor Advisory] https://cybersecurity.bd.com/bulletins-and-patches/bd-pyxis-products-default-credentials

Scores

CVSS v3 8.8

EPSS 0.0023

EPSS Percentile 45.3%

Attack Vector ADJACENT_NETWORK

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Classification

CWE

CWE-522 CWE-262

Status published

Affected Products (16)

bd/pyxis_anesthesia_station_es_firmware

bd/pyxis_ciisafe_firmware

bd/pyxis_logistics_firmware

bd/pyxis_medbank_firmware

bd/pyxis_medstation_4000_firmware

bd/pyxis_medstation_es_firmware

bd/pyxis_medstation_es_server_firmware

bd/pyxis_parassist_firmware

bd/pyxis_rapid_rx_firmware

bd/pyxis_stockstation_firmware

bd/pyxis_supplycenter_firmware

bd/pyxis_supplyroller_firmware

bd/pyxis_supplystation_firmware

bd/pyxis_supplystation_ec_firmware

bd/pyxis_supplystation_rf_auxiliary_firmware

... and 1 more

Timeline

Published Jun 02, 2022

Tracked Since Feb 18, 2026