The FDA is alerting medical device users and manufacturers about a cybersecurity vulnerability identified for the Axeda agent and Axeda Desktop Server. The agent and desktop server are used in numerous medical devices across several medical device manufacturers and all versions of Axeda agent and Axeda Desktop Server are affected. On March 8, 2022, the Cybersecurity and Infrastructure Security Agency (CISA) published an advisory, ICSA-22-067-01, on these vulnerabilities.
The Axeda agent and Axeda Desktop Server are web-based technologies that allow one or more people to securely view and operate the same remote desktop, through the Internet. The Axeda agent and desktop server are owned and supported by the computer software company, PTC.
Successful exploitation of this vulnerability could allow an unauthorized attacker to take full control of the host operating system, resulting in full system access, remote code execution, read/change configuration, file system read access, log information access, and a denial-of-service condition. Depending on its use in the medical device, these vulnerabilities could result in changes to the operation of the medical device and impact the availability of the remote support functionality.
To mitigate the cybersecurity vulnerability, PTC recommends that affected manufacturers:
- Upgrade to Axeda agent Version 6.9.2 build 1049 or 6.9.3 build 1051 when running older versions of the Axeda agent.
- Configure Axeda agent and Axeda Desktop Server to only listen on the local host interface 127.0.0.1.
- Provide a unique password in the AxedaDesktop.ini file for each unit.
- Never use ERemoteServer in production.
- Make sure to delete ERemoteServer file from host device.
- Remove the installation file.
- When running in Windows or Linux, only allow connections to ERemoteServer from trusted hosts and block all others.
- When running the Windows operating system, configure Localhost communications (127.0.0.1) between ERemoteServer and Axeda Builder.
- Configure the Axeda agent for the authentication information required to log in to the Axeda Deployment Utility.
Upgrade the Axeda Desktop Server to Version 6.9 build 215. The Axeda agent loopback-only configuration is only available in Version 6.9.1 and above. Upgrading to Axeda agent 6.9.1 or above is required.
For additional questions about this vulnerability, medical device manufacturers should reach out to PTC.
Users of affected medical devices should contact the associated medical device manufacturer(s) to understand the potential impacts of these vulnerabilities to specific medical devices and follow the associated medical device manufacturer's suggested mitigations.
All legally-marketed medical devices have benefits and risks. The FDA clears, authorizes, and approves devices to be marketed when there is a reasonable assurance that the devices are safe and effective for their intended use.
Medical devices are increasingly connected to the Internet, hospital networks, and other medical devices to provide features that improve health care and increase the ability of health care providers to treat patients. These same features also increase potential cybersecurity risks. Medical devices, like other computer systems, can be vulnerable to security breaches, potentially impacting the safety and effectiveness of the device.
Threats and vulnerabilities cannot be eliminated and reducing cybersecurity risks is especially challenging. The health care environment is complex, and manufacturers, hospitals, and facilities must work together to manage cybersecurity risks.