The U.S. Cybersecurity and Infrastructure Security Agency (CISA) today issued a medical advisory for the Fresenius Kabi Agilia Connect infusion system.
The agency rates the Agilia Connect infusion system as “exploitable remotely/low attack complexity.” Successful exploitation of the vulnerabilities could allow an attacker to gain access to sensitive information, modify settings or parameters, or perform arbitrary actions as an authenticated user.
The vulnerabilities highlighted by CISA include uncontrolled resource consumption, use of a broken or risky cryptographic algorithm, insufficiently protected credentials, improper access control, plaintext storage of a password, files or directories accessible to external parties, exposure of information through directory listing, cross-site scripting, injection, use of hard-coded credentials, use of client-side authentication, and use of unmaintained third-party components, according to a CISA news release.
Affected products include the Agilia Connect WiFi module for vD25 and prior pumps; the Agilia Link+ V3.0 D15 and prior; the Vigilant Software Suite v1.0 (Vigilant Centerium, Vigilant MasterMed and Vigilant Insight); and the Agilia Partner maintenance software v3.3.0 and prior.
Fresenius Kabi initiated communication on the issue in April 2021 to inform users of the availability of new versions of the products that address the vulnerabilities.
The company also identified that early Link+ devices (approximately 1,200) will need a hardware change to support D16 (a new version) or later firmware. Until those devices can be replaced, Fresenius Kabi advises users to follow CISA’s recommendations:
- Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the Internet.
- Locate control system networks and remote devices behind firewalls and isolate them from the business network.
- When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities of their own and should be updated to the most current version available. Also recognize that a VPN is only as secure as the devices connected to it.