BD Pyxis is a familiar name in healthcare, providing medication dispensing cabinets in thousands of hospitals and clinics around the world. But in January 2022, researchers and security teams discovered a serious vulnerability: CVE-2022-22766. This flaw made headlines because it could allow cybercriminals to *easily* unlock sensitive medical data, putting patient privacy and hospital operations at risk.
Today, let’s break down how hardcoded credentials in specific BD Pyxis medical devices posed such a significant threat, how a hacker could exploit this CVE, and what all stakeholders need to know.
What is CVE-2022-22766?
CVE-2022-22766 is a vulnerability found in some BD Pyxis products where a set of usernames and passwords (credentials) were “hardcoded” into the device’s codebase. Hardcoded credentials are like hidden default keys inside the product. If someone discovers these credentials, it’s like finding a spare set of keys taped under the doormat—they can get in with ease.
BD Pyxis CII Safe
For the complete list, visit the official BD Security Bulletin:
https://www.bd.com/en-us/support/product-security-and-privacy/product-security-bulletins/bd-pyxis-product-security-bulletin-cve-2022-22765-cve-2022-22766
How the Vulnerability Works
These devices used credentials (like usernames and passwords) embedded deep in their code. Even if a hospital changed its own admin passwords, the hardcoded ones could not be removed or changed without a patch directly from BD.
This means that if anyone found or leaked these credentials (via reverse engineering the software or from internal leaks), they could use them to log into the system and:
Code Example: Spotting Hardcoded Credentials
Let’s say a vulnerable section of code looked like this (the real code is proprietary, but here’s a simplified example):
public class LoginManager
{
public bool Login(string user, string pass)
{
// Hardcoded credentials
string superUser = "service_admin";
string superPass = "SuperSecret!123";
if(user == superUser && pass == superPass)
{
// Grant access to system files
return true;
}
return false;
}
}
In production hospital devices, this is a huge problem. If an attacker can reach the login interface (locally or over a network), these credentials are a master key.
How Could Attackers Exploit CVE-2022-22766?
Let’s walk through a possible, realistic attack scenario.
Gain device or network access:
The attacker must have local access to the Pyxis device, or remote access if the network is vulnerable or exposed.
Gain privileged access:
Entering the correct username and password logs them into the back-end operating system or privileged application functions.
Browse or copy files:
The attacker navigates filesystem directories (C:\) where config, log, and application credential files are stored.
Some config files store database connection strings or encrypted credentials for third-party apps
; C:\Program Files\Pyxis\config.ini
[Database]
UserID=pyxis_db_user
Password=EncryptedPasswordHere==
;
; If attackers can decrypt this field, they have full access!
;
Hackers might use information found in the filesystem (like keys, logs, error dumps) to break the encryption or pivot to other connected hospital systems.
Risk of ransomware, tampering, or even endangering patient lives
The vulnerability scored a CVSS base rating of 8.8 (high severity).
References:
- CISA Advisory: https://www.cisa.gov/news-events/ics-advisories/icsma-22-040-02
- NIST NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-22766
According to BD’s official advisory
> "BD has provided security patches to mitigate CVE-2022-22766. Affected customers must apply these patches as soon as possible. Physical device access and network security controls are essential mitigations."
If you use these devices, contact your BD representative or visit the BD Product Security Center for update instructions.
Final Takeaway
CVE-2022-22766 is a strong lesson: even the most trusted healthcare technology brands can make basic security mistakes with dangerous consequences. Hardcoded credentials are a recipe for disaster, especially in systems that handle vital, private information.
Original References, Further Reading
- BD Security Bulletin
- CISA ICS Advisory
- NIST NVD Entry
*(This article is for educational purposes only. Healthcare admins must follow official guidance and never attempt unauthorized access or exploitation.)*
Timeline
Published on: 02/11/2022 19:15:00 UTC
Last modified on: 05/11/2022 14:59:00 UTC