CVE-2020-16218

Philips Patient Monitoring Devices Cross-site Scripting

Description

In Patient Information Center iX (PICiX) Versions B.02, C.02, C.03, the software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is then used as a webpage and served to other users. Successful exploitation could lead to unauthorized access to patient data via a read-only web application.

Remediation

Solution:

  • Philips released the following versions to remediate reported vulnerabilities: * Patient Information Center iX (PICiX) Version C.03 * Certificate revocation within the system was implemented for PIC iX.

Workaround:

  • As a mitigation to these vulnerabilities, Philips recommends the following: * The Philips patient monitoring network is required to be physically or logically isolated from the hospital local area network (LAN). Philips recommends using a firewall or routers that can implement access control lists restricting access in and out of the patient monitoring network for only necessary ports and IP addresses. Refer to the Philips Patient Monitoring System Security for Clinical Networks guide for additional information on InCenter https://incenter.medical.philips.com/ . * By default, the simple certificate enrollment protocol (SCEP) service is not running. When needed, the service is configured to run based on the duration or the number of certificates to be assigned. One certificate is default, but if a certificate is not issued, the service will continue to run. Limit exposure by ensuring the SCEP service is not running unless it is actively being used to enroll new devices. * When enrolling new devices using SCEP, enter a unique challenge password of 8-12 unpredictable and randomized digits. * Implement physical security controls to prevent unauthorized login attempts on the PIC iX application. Servers should be kept in controlled locked data centers. Access to equipment at nurses’ stations should be controlled and monitored. * Only grant remote access to PIC iX servers on a must-have basis. * Grant login privileges to the bedside monitor and PIC iX application on a role-based, least-privilege basis, and only to trusted users. Users with questions regarding their specific Philips Patient Information Center (PIC iX) and/or IntelliVue patient monitor installations and new release eligibility should contact their local Philips service support team, or regional service support https://www.usa.philips.com/healthcare/solutions/customer-service-solutions , or call 1-800-722-9377. Please see the Philips product security website https://www.philips.com/productsecurity for the Philips advisory and the latest security information for Philips products.

Category

3.5
CVSS
Severity: Low
CVSS 3.1 •
CVSS 2.0 •
EPSS 0.10%
Third-Party Advisory cisa.gov
Affected: Philips Patient Information Center iX (PICiX)
Published at:
Updated at:

References

Link Tags
https://us-cert.cisa.gov/ics/advisories/icsma-20-254-01 third party advisory us government resource
https://www.philips.com/productsecurity

Frequently Asked Questions

What is the severity of CVE-2020-16218?
CVE-2020-16218 has been scored as a low severity vulnerability.
How to fix CVE-2020-16218?
To fix CVE-2020-16218: Philips released the following versions to remediate reported vulnerabilities: * Patient Information Center iX (PICiX) Version C.03 * Certificate revocation within the system was implemented for PIC iX.
Is CVE-2020-16218 being actively exploited in the wild?
As for now, there are no information to confirm that CVE-2020-16218 is being actively exploited. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2020-16218?
CVE-2020-16218 affects Philips Patient Information Center iX (PICiX).
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.