Advisory

Baxter reports two critical vulnerabilities in Connex Health Portal

Take action: Baxter has already patched these issues, so this is an informational event; record it to track your vendor's security performance.


Baxter has disclosed two critical vulnerabilities in its Connex Health Portal software, which have been tracked as CVE-2024-6795 and CVE-2024-6796.

The Baxter Connex Health Portal is a software platform designed to enhance patient care by providing comprehensive management and monitoring of health data. It allows healthcare providers to access, manage, and monitor patient information remotely, including vital signs, medical histories, and other relevant health data, to improve clinical decision-making and patient outcomes.

  • CVE-2024-6795 (CVSS score 10) is an SQL Injection vulnerability that allows a remote, unauthenticated attacker to execute arbitrary SQL commands due to improper neutralization of special elements in SQL queries. This could result in malicious code injection, modification, or deletion of sensitive data, and even shutdown of the database service.

  • CVE-2024-6796 (CVSS score 8.2) is an Improper Access Control vulnerability that could enable an unauthorized user to access, modify, or delete sensitive patient and clinician information due to inadequate access restrictions.

Successful exploitation could allow attackers to:

  • Inject malicious code.
  • Shut down database services.
  • Access, modify, or delete sensitive data.

Affected products: all versions of Baxter Connex Health Portal prior to August 30, 2024.

Baxter has patched these vulnerabilities, and no further user action is required at this time. Baxter is unaware of any exploitation of these vulnerabilities and/or the compromise of personal or health data.
