CVE-2020-12047

9.8 CRITICAL (CVSS v3 base score)

📋 TL;DR

The Baxter Spectrum WBM (Wireless Battery Module) runs an FTP service with hard-coded credentials when left in its factory-default wireless configuration. Anyone who can reach TCP/21 on the module and knows those credentials can read sensitive device configuration and potentially modify device settings. Affected: Baxter Spectrum WBM v17, v20D29, v20D30, v20D31 and v22D24 when used with Baxter Spectrum v8.x (model 35700BAX2) in a wireless configuration.

💻 Affected Systems

Products:
  • Baxter Spectrum WBM
  • Baxter Spectrum v8.x (model 35700BAX2)
Versions: WBM: v17, v20D29, v20D30, v20D31, v22D24; Spectrum: v8.x
Operating Systems: Embedded medical device OS
Default Config Vulnerable: ⚠️ Yes
Notes: Only vulnerable when used in factory-default wireless configuration. Wired configurations may not be affected.

📦 What is this software?

The Baxter Spectrum (Sigma Spectrum) is a hospital infusion pump. The WBM is the Wireless Battery Module that attaches to the pump and gives it Wi-Fi connectivity to the hospital network; the vulnerable FTP service runs on the WBM, not on the pump itself.

⚠️ Risk & Real-World Impact

🔴 Worst Case

An attacker on the pump's wireless network authenticates to the WBM's FTP service with the hard-coded credentials, reads sensitive configuration and network data, and alters device settings. Because the device is an infusion pump on a clinical network, any interference with its operation or connectivity is a patient-safety issue, not just an IT incident.

🟠 Likely Case

Unauthorized read of WBM configuration and network data, exfiltration of that data, and modification of settings that disrupts the device's wireless operation.

🟢 If Mitigated

With the FTP service disabled, or the devices isolated on their own segment with TCP/21 blocked, an attacker has no path to the service and the hard-coded credentials are of no use.

🌐 Internet-Facing: HIGH - The WBM should never be reachable from the internet, but any route (misconfigured guest Wi-Fi, flat network, VPN) that reaches its TCP/21 is enough for remote exploitation.
🏢 Internal Only: HIGH - Hard-coded credentials are the same on every affected unit, so an attacker who gains a foothold on the clinical network can reach every WBM on it.

🎯 Exploit Status

Public PoC: No
Weaponized: No public evidence
Unauthenticated Exploit: ⚠️ Effectively yes - the credentials are hard-coded, so no attacker-specific secret is needed
Complexity: LOW

The FTP service accepts the same hard-coded credentials on every affected unit, so exploitation is trivial for anyone who learns them: one FTP login, then standard FTP commands to read and write files.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Contact Baxter for specific patched versions

Vendor Advisory: https://www.us-cert.gov/ics/advisories/icsma-20-170-04

Restart Required: Yes

Instructions:

1. Contact Baxter Medical for security updates
2. Apply firmware updates provided by Baxter
3. Restart affected devices after patching
4. Verify FTP service is disabled or secured

🔧 Temporary Workarounds

Disable FTP Service

Applies to: all

Turn off the vulnerable FTP service if it is not required for operations. Use the device-specific configuration commands from Baxter documentation.

Network Segmentation

Applies to: all

Isolate medical devices on separate VLANs with strict firewall rules, and block TCP/21 to and from the device segment.

🧯 If You Can't Patch

  • Disable wireless functionality and use wired connections only
  • Implement strict network access controls to block FTP traffic (port 21) to/from medical devices

🔍 How to Verify

Check if Vulnerable:

Check the device configuration for an enabled FTP service with default credentials. From a host on the same network, connect to TCP/21 on the WBM: an FTP greeting (a "220" banner) means the service is listening. Only attempt a login with the hard-coded credentials on devices you are authorized to test, and never on a pump in clinical use.
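As an added example (not from Baxter or the advisory), the following Python script reports whether a WBM is exposing an FTP service. It only reads the RFC 959 greeting banner and never sends a username or password, so it is safe to run against devices you are allowed to scan; the host and port arguments are assumptions.

```python
"""Banner-only check for an FTP service on TCP/21 (e.g. a Baxter Spectrum WBM).

Added example, not vendor code. It never logs in: it opens a TCP connection,
reads the greeting, and closes. Targets are taken from the command line.
"""
import socket
import sys

FTP_PORT = 21  # the service described in CVE-2020-12047


def parse_ftp_greeting(data: bytes) -> dict:
    """Classify the first bytes read from the socket.

    RFC 959 greeting codes: 220 = service ready, 120 = ready in n minutes,
    421 = service not available. Anything else is not an FTP greeting
    (e.g. an SSH banner or an empty read from a non-FTP listener).
    """
    text = data.decode("ascii", errors="replace").strip()
    first = text.split("\r\n")[0] if text else ""
    code = first[:3]
    return {
        "ftp_service": code in ("220", "120"),
        "code": code if code.isdigit() else None,
        "banner": first,
    }


def probe_ftp(host: str, port: int = FTP_PORT, timeout: float = 3.0) -> dict:
    """Connect, read the greeting, close. Connection errors are reported,
    not raised, so a sweep over many devices keeps going."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.settimeout(timeout)
            data = sock.recv(256)
    except (OSError, socket.timeout) as exc:
        return {"ftp_service": False, "code": None, "banner": "", "error": str(exc)}
    result = parse_ftp_greeting(data)
    result["error"] = None
    return result


if __name__ == "__main__":
    # Usage: python ftp_check.py 10.50.0.42 10.50.0.43 ...  (addresses are assumptions)
    for target in sys.argv[1:]:
        r = probe_ftp(target)
        status = "FTP LISTENING" if r["ftp_service"] else "no FTP greeting"
        print(f"{target}: {status} {r['banner']!r} {r['error'] or ''}")
```

A "no FTP greeting" result with a connection-refused error is what a device with the service disabled should show after the fix; a "220" banner means the workaround or patch has not taken effect on that unit.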

Check Version:

Device-specific diagnostic commands from Baxter documentation

Verify Fix Applied:

Verify FTP service is disabled or requires proper authentication. Confirm device firmware version is updated to patched release.

📡 Detection & Monitoring

Log Indicators:

  • Failed or successful FTP authentication attempts
  • FTP service start/stop events
  • Configuration file access/modification

Network Indicators:

  • FTP traffic (port 21) to/from medical device IPs
  • Unusual file transfers from medical devices

SIEM Query:

(dest_ip IN (medical_device_ips) AND dest_port=21) OR (source_ip IN (medical_device_ips) AND dest_port=21)

The first clause catches the vulnerable direction (a client logging into the FTP service that the WBM itself runs); the second catches the device reaching out over FTP, which is not expected behaviour and is worth a look as possible exfiltration.
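The network indicators above, turned into detection logic as an added example (not part of the original page or of any vendor tooling). It runs over Zeek conn.log records in JSON form; the log lines, the 10.50.0.0/24 device segment and the host addresses are constructed for the example. It separates established sessions to the WBM's FTP port from rejected probes, and flags the device initiating FTP itself.

```python
"""Flag FTP activity involving infusion-pump / WBM addresses in Zeek conn.log
(JSON output) records. Added example; the sample log, the device subnet and
the addresses are constructed for illustration.
"""
import ipaddress
import json

FTP_PORT = 21
# Assumption: the pump/WBM devices live in this segment.
DEVICE_NETS = [ipaddress.ip_network("10.50.0.0/24")]
# Zeek conn_state values meaning the responder never completed the handshake.
NOT_ESTABLISHED = {"S0", "REJ", "RSTOS0"}

# Constructed sample: five conn.log records, one per line.
SAMPLE_CONN_LOG = """\
{"ts":1592400001.1,"uid":"C1","id.orig_h":"10.20.5.17","id.orig_p":51022,"id.resp_h":"10.50.0.42","id.resp_p":21,"proto":"tcp","service":"ftp","conn_state":"SF"}
{"ts":1592400002.3,"uid":"C2","id.orig_h":"10.50.0.42","id.orig_p":40001,"id.resp_h":"10.10.1.5","id.resp_p":443,"proto":"tcp","service":"ssl","conn_state":"SF"}
{"ts":1592400003.0,"uid":"C3","id.orig_h":"10.50.0.43","id.orig_p":40002,"id.resp_h":"198.51.100.9","id.resp_p":21,"proto":"tcp","service":"ftp","conn_state":"SF"}
{"ts":1592400004.5,"uid":"C4","id.orig_h":"10.20.5.17","id.orig_p":51023,"id.resp_h":"10.50.0.42","id.resp_p":21,"proto":"tcp","service":"-","conn_state":"REJ"}
{"ts":1592400005.0,"uid":"C5","id.orig_h":"10.20.5.18","id.orig_p":51024,"id.resp_h":"10.30.0.8","id.resp_p":21,"proto":"tcp","service":"ftp","conn_state":"SF"}
"""


def is_device(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in DEVICE_NETS)


def classify(rec: dict):
    """Return a finding for one conn.log record, or None if it is not of interest."""
    if rec.get("proto") != "tcp" or rec.get("id.resp_p") != FTP_PORT:
        return None
    orig, resp = rec["id.orig_h"], rec["id.resp_h"]
    state = rec.get("conn_state", "")
    base = {"uid": rec["uid"], "ts": rec["ts"], "orig": orig, "resp": resp, "state": state}
    if is_device(resp):
        # Someone connected to the WBM's FTP port. A refused or unanswered
        # connection is what a device with FTP disabled should show; an
        # established session means the vulnerable service answered.
        if state in NOT_ESTABLISHED:
            return {**base, "finding": "ftp_probe_not_answered_by_device", "severity": "low"}
        return {**base, "finding": "inbound_ftp_session_to_device", "severity": "high"}
    if is_device(orig):
        # The device itself reaching out over FTP: not expected behaviour,
        # treat as possible configuration/data exfiltration.
        return {**base, "finding": "outbound_ftp_from_device", "severity": "medium"}
    return None


def find_ftp_sessions(lines):
    """Parse JSON conn.log lines and return the findings in log order."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        finding = classify(json.loads(line))
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in find_ftp_sessions(SAMPLE_CONN_LOG.splitlines()):
        print(f"{f['severity']:6} {f['finding']:34} {f['orig']} -> {f['resp']} "
              f"({f['state']}) uid={f['uid']}")
```

Feed it the real conn.log (one JSON object per line) instead of the sample and adjust DEVICE_NETS to the actual pump VLAN. Rejected probes are kept at low severity on purpose: a burst of them from one host is the scan that precedes a login attempt, and after the FTP service has been disabled they double as confirmation that the fix holds.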

🔗 References

  • ICS Medical Advisory ICSMA-20-170-04: https://www.us-cert.gov/ics/advisories/icsma-20-170-04