CVE-2022-22767

BD Pyxis™ Products – Default Credentials

Description

Specific BD Pyxis™ products were installed with default credentials and may presently still operate with these credentials. There may be scenarios where BD Pyxis™ products are installed with the same default local operating system credentials or domain-joined server(s) credentials that may be shared across product types. If exploited, threat actors may be able to gain privileged access to the underlying file system and could potentially exploit or gain access to ePHI or other sensitive information.

Remediation

Solution:

  • BD is currently strengthening our credential management capabilities in BD Pyxis™ products. Service personnel are proactively working with customers whose domain-joined server(s) credentials require updates. BD is currently piloting a credential management solution that is initially targeted for only specific BD Pyxis™ product versions and will allow for improved authentication management practices with specific local operating system credentials. Changes needed for installation, upgrade or to applications are being evaluated as part of the overall remediation.

Workaround:

  • Limit physical access to only authorized personnel.
  • Tightly control management of system passwords provided to authorized users.
  • Isolate affected products in a secure VLAN or behind firewalls with restricted access that only permits communication with trusted hosts in other networks when needed.
  • Work with your local BD support team to ensure that patching and virus definitions are up to date. The BD Remote Support Services Solution for automated patching and virus definition management is an available solution for customer accounts.

Categories

8.8
CVSS
Severity: High
CVSS 3.1 •
CVSS 2.0 •
EPSS 0.15%
Vendor Advisory bd.com
Affected: Becton Dickinson (BD) BD Pyxis™ Anesthesia ES Station
Affected: Becton Dickinson (BD) BD Pyxis™ CIISafe
Affected: Becton Dickinson (BD) BD Pyxis™ Logistics
Affected: Becton Dickinson (BD) BD Pyxis™ MedBank
Affected: Becton Dickinson (BD) BD Pyxis™ MedStation™ 4000
Affected: Becton Dickinson (BD) BD Pyxis™ MedStation™ ES
Affected: Becton Dickinson (BD) BD Pyxis™ MedStation™ ES Server
Affected: Becton Dickinson (BD) BD Pyxis™ ParAssist
Affected: Becton Dickinson (BD) BD Pyxis™ Rapid Rx
Affected: Becton Dickinson (BD) BD Pyxis™ StockStation
Affected: Becton Dickinson (BD) BD Pyxis™ SupplyCenter
Affected: Becton Dickinson (BD) BD Pyxis™ SupplyRoller
Affected: Becton Dickinson (BD) BD Pyxis™ SupplyStation™
Affected: Becton Dickinson (BD) BD Pyxis™ SupplyStation™ EC
Affected: Becton Dickinson (BD) BD Pyxis™ SupplyStation™ RF auxiliary
Affected: Becton Dickinson (BD) BD Rowa™ Pouch Packaging Systems
Published at:
Updated at:

References

Link Tags
https://cybersecurity.bd.com/bulletins-and-patches/bd-pyxis-products-default-credentials vendor advisory

Frequently Asked Questions

What is the severity of CVE-2022-22767?
CVE-2022-22767 has been scored as a high severity vulnerability.
How to fix CVE-2022-22767?
To fix CVE-2022-22767: BD is currently strengthening our credential management capabilities in BD Pyxis™ products. Service personnel are proactively working with customers whose domain-joined server(s) credentials require updates. BD is currently piloting a credential management solution that is initially targeted for only specific BD Pyxis™ product versions and will allow for improved authentication management practices with specific local operating system credentials. Changes needed for installation, upgrade or to applications are being evaluated as part of the overall remediation.
Is CVE-2022-22767 being actively exploited in the wild?
As for now, there are no information to confirm that CVE-2022-22767 is being actively exploited. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2022-22767?
CVE-2022-22767 affects Becton Dickinson (BD) BD Pyxis™ Anesthesia ES Station, Becton Dickinson (BD) BD Pyxis™ CIISafe, Becton Dickinson (BD) BD Pyxis™ Logistics, Becton Dickinson (BD) BD Pyxis™ MedBank, Becton Dickinson (BD) BD Pyxis™ MedStation™ 4000, Becton Dickinson (BD) BD Pyxis™ MedStation™ ES, Becton Dickinson (BD) BD Pyxis™ MedStation™ ES Server, Becton Dickinson (BD) BD Pyxis™ ParAssist, Becton Dickinson (BD) BD Pyxis™ Rapid Rx, Becton Dickinson (BD) BD Pyxis™ StockStation, Becton Dickinson (BD) BD Pyxis™ SupplyCenter, Becton Dickinson (BD) BD Pyxis™ SupplyRoller, Becton Dickinson (BD) BD Pyxis™ SupplyStation™, Becton Dickinson (BD) BD Pyxis™ SupplyStation™ EC, Becton Dickinson (BD) BD Pyxis™ SupplyStation™ RF auxiliary, Becton Dickinson (BD) BD Rowa™ Pouch Packaging Systems.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.