Developers: Fresenius Kabi
Branches: Pharmaceuticals, medicine, healthcare
2021: US government warns that Fresenius infusion systems are easy to hack
In mid-December 2021, the US Cybersecurity and Infrastructure Security Agency (CISA) warned that Agilia Connect infusion systems from Fresenius Kabi could be easily hacked.
The agency classified the Agilia Connect infusion system as a device that is easily susceptible to hacking. Successfully exploiting the system's vulnerabilities can allow an attacker to access sensitive information, change system settings, and perform arbitrary actions as an authenticated user.
The vulnerabilities highlighted by CISA include:
- uncontrolled resource consumption;
- use of a broken or risky cryptographic algorithm;
- insufficiently protected credentials;
- improper access control;
- plaintext storage of a password;
- files or directories accessible to external parties;
- exposure of information through directory listing;
- cross-site scripting.
Affected products include the Agilia Connect WiFi module for pumps vD25 and earlier versions, Agilia Link+ V3.0 D15, Vigilant Software Suite v1.0 (Vigilant Centerium, Vigilant MasterMed and Vigilant Insight), and Agilia Partner maintenance software version 3.3.0.
The company also determined that the first Link+ devices (approximately 1,200 units) will require hardware replacement to support the new D16 firmware or later. Until these devices are replaced, the company should follow CISA guidelines, Fresenius Kabi said. The agency recommends that Fresenius Kabi minimize network exposure for all devices and/or management systems and ensure that they are not accessible from the Internet. Where remote access to devices is needed, the agency recommends using secure methods, such as virtual private networks (VPNs), and making sure that these are themselves secure.[1]