Vulnerabilities in Fresenius Kabi Agilia Connect Infusion System
Summary
Vulnerabilities in Fresenius Kabi Agilia Connect Infusion System products could be exploited to allow an attacker to modify settings, access sensitive information, and perform arbitrary actions.
Affected platforms
The following platforms are known to be affected:
Threat details
Introduction
CISA has released an ICS Medical Advisory (ICSMA-21-355-01) relating to vulnerabilities in Fresenius Kabi Agilia Connect Infusion System. Agilia Connect Infusion System enables users to control a range of Agilia infusion pumps, providing users with the tools to remotely configure and update infusion pumps via the Fresenius Kabi Centerium server.
The advisory provides details of 13 vulnerabilities, across a range of Agilia Connect Infusion System products - Agilia Connect WiFi module (vD25 and prior), Agilia Link+, Vigilant Software Suite v1.0, and Agilia Partner maintenance software. If successfully exploited, these vulnerabilities could allow an attacker to gain access to sensitive information, modify settings and parameters, or perform arbitrary actions as an authenticated user.
Threat updates
| Date | Update |
|---|---|
| 4 Feb 2022 | Update A from CISA ICS Medical Advisory (ICSMA-21-355-01): Fresenius Kabi Agilia Connect Infusion System (Update A), CVSS v3 7.5. Successful exploitation of these vulnerabilities in system accessories could allow an attacker to gain access to sensitive information, modify settings or parameters, or perform arbitrary actions as an authenticated user. According to Fresenius Kabi, the Agilia infusion pump alarm is not impacted by the vulnerabilities described in this advisory. Fresenius Kabi maintains the infusion parameters are preserved, current infusion is not interrupted, and no unacceptable patient risk is identified. Fresenius Kabi also maintains there is no risk of exposure of personally identifiable information (PII) or protected health information (PHI). |
Remediation advice
Affected organisations should review ICS Medical Advisory (ICSMA-21-355-01) Fresenius Kabi Agilia Connect Infusion System and ensure affected products have been updated to the new versions listed below.
- Link+ v3.0 (D16 or later)
- VSS v1.0.3 (or later)
- Agilia Connect Pumps Wifi Module (D29 or later)
- Agilia Connect Partner v3.3.2 (or later)
For further information about updating to these new versions, organisations should contact their suppliers or contact Fresenius Kabi directly.
Please note that Fresenius Kabi has identified that some early Link+ devices would need a hardware change to support D16 or later firmware. Until it is possible to replace these earlier devices, Fresenius Kabi recommends that users should refer to CISA's recommended mitigations described in ICS Medical Advisory (ICSMA-21-355-01), section 4 'Mitigations'.
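One way to check an asset inventory against the fixed versions listed above. This is an added example, not code from CISA or Fresenius Kabi. The inventory layout, asset names and version-string formats are assumptions, as is treating "D" builds as ordered by their number.

```python
import csv
import io
import re

# Minimum fixed versions from the remediation list above. Assumption: "D"
# builds order by number; Link+ is checked on its D build only.
MIN_FIXED = {
    "Link+": "D16",
    "VSS": "1.0.3",
    "Agilia Connect Pumps Wifi Module": "D29",
    "Agilia Connect Partner": "3.3.2",
}

# Constructed sample inventory; asset names and CSV layout are hypothetical.
SAMPLE = """asset,product,version
pump-wifi-01,Agilia Connect Pumps Wifi Module,vD25
pump-wifi-02,Agilia Connect Pumps Wifi Module,D29
rack-01,Link+,D15
vss-srv,VSS,v1.0.3
partner-pc,Agilia Connect Partner,3.3
rack-02,Link+,unknown
"""

def parse_version(text):
    """Return a comparable tuple, or None if the string is not recognised."""
    s = text.strip().lstrip("vV")
    if re.fullmatch(r"[dD]\d+", s):
        return ("D", int(s[1:]))
    if re.fullmatch(r"\d+(\.\d+)*", s):
        return ("N",) + tuple(int(p) for p in s.split("."))
    return None

def assess(product, version):
    """Classify one inventory entry as OK, UPDATE or REVIEW."""
    minimum = MIN_FIXED.get(product)
    have = parse_version(version)
    need = parse_version(minimum) if minimum else None
    if have is None or need is None or have[0] != need[0]:
        return "REVIEW"  # unknown product, unreadable or mismatched version
    width = max(len(have), len(need))  # pad so 3.3 compares as 3.3.0
    pad = lambda v: v[1:] + (0,) * (width - len(v))
    return "OK" if pad(have) >= pad(need) else "UPDATE"

def audit(text):
    """Map each asset in a CSV inventory to its status."""
    rows = csv.DictReader(io.StringIO(text))
    return {r["asset"]: assess(r["product"], r["version"]) for r in rows}

if __name__ == "__main__":
    print(audit(SAMPLE))
```

An UPDATE result for a Link+ device still needs the hardware check described above, since some early units cannot take D16 or later firmware.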
Definitive source of threat updates
CVE Vulnerabilities
Last edited: 4 February 2022 2:28 pm