Two critical vulnerabilities have been discovered in the Baxter Connex Health Portal, posing significant risks to data integrity and system functionality. The first vulnerability, CVE-2024-6795, is an SQL injection flaw caused by improper sanitization of input parameters. This issue allows attackers to inject arbitrary SQL queries, enabling unauthorized data access, modification, and deletion, and even allowing administrative actions like shutting down database services. With a maximum CVSS score of 10, this vulnerability ranks as a severe security concern.
The second flaw, CVE-2024-6796, involves improper access control, enabling unauthorized access to sensitive patient and clinician information. This vulnerability also allows the modification or deletion of clinic records, further compromising healthcare service integrity. It has received a CVSS severity score of 8.2, indicating high risk. Both issues could be exploited remotely with low attack complexity, making them attractive targets for potential attackers.
Baxter promptly reported these vulnerabilities to the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and implemented patches upon discovery. The company confirmed that no personal or health data has been compromised, and there is no evidence of exploitation in the wild. Additionally, no action is required from users, as the security patches have already been applied.
To mitigate potential risks, organizations using similar systems are advised to minimize network exposure, isolate critical devices behind firewalls, and ensure secure remote access through Virtual Private Networks (VPNs). These measures can reduce the likelihood of successful cyberattacks targeting sensitive healthcare infrastructure. The incident underscores the importance of proactive vulnerability management and robust cybersecurity defenses in healthcare technology environments.
Reference:
