CVE-2022-40263: BD Totalys™ MultiProcessor - Hardcoded Credentials
BD Totalys MultiProcessor, versions 1.70 and earlier, contain hardcoded credentials. If exploited, threat actors may be able to access, modify or delete sensitive information, including electronic protected health information (ePHI), protected health information (PHI) and personally identifiable information (PII). Customers using BD Totalys MultiProcessor version 1.70 with Microsoft Windows 10 have additional operating system hardening configurations which increase the attack complexity required to exploit this vulnerability.
The BD Totalys™ MultiProcessor combines full automation of the cell enrichment process for cervical samples, continuous chain of custody and customizable aliquots for ancillary testing. The system’s hardcoded credentials are not used directly by customers or end-users to access the system. To exploit this vulnerability, a threat actor would need physical or network access to the system and would need to bypass additional security controls.
There have been no reports of this vulnerability being exploited in any setting, including clinical settings.