Updated: 17 January 2023
Products Covered: Spacelabs Patient Monitoring Products
Security Advisory
Axeda “Access:7” Vulnerability Assessment and Potential Product Impact Statement
- Vulnerability Overview
Spacelabs Healthcare has been made aware of recently published security vulnerabilities within Axeda support software collectively known as “Access:7”. Exploitation of these vulnerabilities could result in full system access, remote code execution, read/change configuration, file system read access, log information access, or a denial-of-service condition for affected products using Axeda agent or Axeda Desktop Server.
The Axeda agent and Axeda Desktop Server are remote access solutions that allow one or more people to securely view and operate the same remote desktop, typically through the Internet. The Axeda agent and Desktop Server are developed and supported by the computer software company, PTC.
- Risk Assessment Summary
Successful exploitation of these vulnerabilities could allow an unauthorized attacker to take full control of the host operating system, resulting in full system access, remote code execution, read/change configuration, file system read access, log information access, and a denial-of-service condition. Depending on how the Axeda software is used in the medical device, these vulnerabilities could result in changes to the operation of the medical device and impact the availability of the remote support functionality.
The Axeda agent has been removed from Xhibit v1.5.1 software and from ICS v5.6.0. These products will not have the Axeda agent included in any future builds.
As Spacelabs continues to gain a deeper understanding of the impact of this vulnerability, we will continue to publish technical information to help customers detect, investigate, and mitigate the vulnerability across all our products where applicable.
- Recommendations
Spacelabs is reviewing the PTC recommendations.
- Examination of Spacelabs products
4.1 Assessment of Spacelabs Products
In response to the publication of these vulnerabilities, Spacelabs has conducted an assessment to identify devices potentially at risk from this set of vulnerabilities. Please note that this information is subject to change as the situation evolves.
Patient Monitoring and Connectivity (PMC) Products
Product | Host Operating System | Impact Assessment |
XprezzNet 96190 | Windows Server 2008, Windows Server 2012 R2, Windows Server 2016 | Not impacted. |
Intesys Clinical Suite (ICS) | Windows Server 2012 R2, Windows Server 2016, Windows Server 2019 | Axeda was removed from ICS v5.6.0 and will not be included in any future builds. |
Intesys Clinical Suite (ICS) Clinical Access Workstations | Windows 8.1, Windows 10 | Not impacted. |
Xhibit Telemetry Receiver (XTR) 96280 | Windows Embedded Standard 7 SP1, Windows 10 IoT Enterprise Version 1809 | Not impacted. |
Xhibit 96102 / XC4 96501 | Windows Embedded Standard 7 SP1, Windows 10 IoT Enterprise Version 1809 | Axeda was removed from Xhibit v1.5.1 and will not be included in future builds. |
Bedside Monitors: Xprezzon 91393; Qube 91390; Qube Mini 91389; Ultraview SL 91367, 91369, 91370, and 91387 | VxWorks 6.6 | Not impacted. |
DM3, DM4 monitors | Windows CE | Not impacted. |
Diagnostic Cardiology (DC) Products
Product | Host Operating System | Impact Assessment |
Sentinel | Windows 7, Windows 10, Windows Server 2012 R2, Windows Server 2016, Windows Server 2019 | Not impacted. |
Pathfinder SL | Windows 7, Windows 10 | Not impacted. |
Lifescreen Pro | Windows 10 | Not impacted. |
Lifecard CF | No OS | Not impacted. |
EVO | No OS | Not impacted. |
Eclipse Pro | No OS | Not impacted. |
CardioExpress SL6A / SL12A | Embedded OS (uC/OS II V2.84) | Not impacted. |
CardioExpress SL18A | Embedded OS (Linux Kernel 2.6.35.3) | Not impacted. |
ABP OnTrak 90217A 90207 | No OS | Not impacted. |
Safe-N-Sound (SNS)
Product | Host Operating System | Impact Assessment |
Spacelabs Cloud | Varies | Not impacted. |
SafeNSound | Not applicable | Not impacted. |
- Additional Resources
# | Resource | URL |
1 | PTC Article CS363561. Security vulnerabilities identified in the Axeda agent and Axeda Desktop Server | https://www.ptc.com/en/support/article/CS363561 |
2 | CISA ICS Advisory on “Access:7” Vulnerabilities | https://www.cisa.gov/uscert/ics/advisories/icsa-22-067-01 |
3 | FDA Cybersecurity Alert on PTC Axeda Agent and Axeda Server | https://www.fda.gov/medical-devices/digital-health-center-excellence/cybersecurity |
Terms of Use
The information presented above is subject to change without notice. In no event will Spacelabs or any of its suppliers be liable for direct, indirect, special, incidental or consequential damages of any nature or kind arising from the use of this document, even if Spacelabs or its suppliers have been advised of the possibility of such damages.
Related Resources:
- CVE-2022-25249
- CVE-2022-25250
- CVE-2022-25251
- CVE-2022-25246
- CVE-2022-25248
- CVE-2022-25247
- CVE-2022-25252