Certain Hillrom Welch Allyn cardiology products have an authentication vulnerability that could let hackers gain access to privileged accounts, the Cybersecurity and Infrastructure Security Agency recently announced.
Hillrom reported the vulnerability to CISA, according to the Dec. 10 report. The flaw can lead to improper authentication of certain cardio products when configured to use single-sign-on entry.
"This vulnerability allows the application to accept manual entry of any active directory account provisioned in the application without supplying a password, resulting in access to the application as the supplied AD account, with all associated privileges," CISA said.
The vulnerability affects various Hillrom cardiology products when configured to use single sign-on. These products include:
- Welch Allyn Q-Stress Cardiac Stress Testing System: Versions 6.0.0 through 6.3.1
- Welch Allyn X-Scribe Cardiac Stress Testing System: Versions 5.01 through 6.3.1
- Welch Allyn Diagnostic Cardiology Suite: Version 2.1.0
- Welch Allyn Vision Express: Versions 6.1.0 through 6.4.0
- Welch Allyn H-Scribe Holter Analysis System: Versions 5.01 through 6.4.0
- Welch Allyn R-Scribe Resting ECG System: Versions 5.01 through 7.0.0
- Welch Allyn Connex Cardio: Versions 1.0.0 through 1.1.1
Hillrom said it plans to release a software update to fix the vulnerability in its next software release. It also recommends that users upgrade to the latest product versions when they become available and disable the single-sign-on feature to reduce risk.
Baxter finalized its $10.5 billion acquisition of Hillrom on Dec. 13.