PT-2020-13004 · Baxter · Baxter Prismaflex+1
Published 2020-06-29 · Updated 2020-07-14
CVE-2020-12037
CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions
Baxter PrismaFlex all versions
PrisMax versions prior to 3.x
Description
The affected devices do not implement data-in-transit encryption, such as TLS/SSL, when sending treatment data to a Patient Data Management System (PDMS) or an Electronic Medical Record (EMR) system. This allows an attacker to observe sensitive data sent from the device.
Recommendations
For Baxter PrismaFlex all versions: Consider configuring the device to use data-in-transit encryption, such as TLS/SSL, when sending treatment data to a PDMS or EMR system.
For PrisMax versions prior to 3.x: Update to version 3.x or later, which is expected to include data-in-transit encryption, such as TLS/SSL, when sending treatment data to a PDMS or EMR system. As a temporary workaround, consider restricting access to the device's communication interface to minimize the risk of exploitation.
Fix
Cleartext Transmission of Sensitive Information
Related Identifiers
Affected Products
Baxter Prismaflex
Prismax