PT-2020-13003 · Baxter · Baxter Prismaflex, Prismax

Published 2020-06-29 · Updated 2020-07-14 · CVE-2020-12036

CVSS v3.1: 7.5 High

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions

Baxter PrismaFlex all versions
PrisMax versions prior to 3.x

Description

The affected devices do not implement data-in-transit encryption, such as TLS/SSL, when sending treatment data to a Patient Data Management System (PDMS) or an Electronic Medical Record (EMR) system. This allows an attacker to observe sensitive data sent from the device.

Recommendations

For Baxter PrismaFlex all versions, consider configuring the device to use data-in-transit encryption, such as TLS/SSL, when sending treatment data to a PDMS or EMR system. For PrisMax versions prior to 3.x, update to version 3.x or later, which is expected to include the necessary encryption implementation. As a temporary workaround, consider restricting access to the network where the devices are connected to minimize the risk of exploitation.

Fix

Weakness Enumeration

Cleartext Transmission of Sensitive Information

Related Identifiers

CVE-2020-12036

Affected Products

Baxter Prismaflex
Prismax