CVE-2024-48967

Nov. 15, 2024, 1:58 p.m.

10.0
Critical

Description

The ventilator and the Service PC lack sufficient audit logging capabilities to allow for detection of malicious activity and subsequent forensic examination. An attacker with access to the ventilator and/or the Service PC could, without detection, make unauthorized changes to ventilator settings that result in unauthorized disclosure of information and/or have unintended impacts on device performance.

Product(s) Impacted

Product Versions
Unknown
  • []

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-778
Insufficient Logging
When a security-critical event occurs, the product either does not record the event or omits important details about the event when logging it.

References

https://www.cisa.gov/news-events/ics-medical-advisories/icsma-24-319-01

Tags

productsecurity@baxter.com
2024-11-14
CVE-2024-48967
CWE-778

CVSS Score

10.0 / 10

CVSS Data - 3.1

  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Privileges Required: NONE
  • Scope: CHANGED
  • Confidentiality Impact: HIGH
  • Integrity Impact: HIGH
  • Availability Impact: HIGH

    • CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

    View Vector String

Timeline

Published: Nov. 14, 2024, 10:15 p.m.
Last Modified: Nov. 15, 2024, 1:58 p.m.

Status : Awaiting Analysis

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

productsecurity@baxter.com

*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.