The U.S. Food and Drug Administration (FDA) has issued an alert to medical device manufacturers and users regarding a cybersecurity vulnerability identified in connection with a widely used web-based software technology.
The FDA alert follows an advisory issued by the federal Cybersecurity and Infrastructure Security Agency (CISA) that identified several specific areas of vulnerability to cyberattacks related to the use of Axeda agent and Axeda Desktop Server. The Axeda agent and Axeda Desktop Server are remote connectivity software applications that allow multiple parties to securely view and operate the same remote desktop through the Internet. They are reportedly used in connection with numerous medical devices across several different device manufacturers.
The specific vulnerabilities in the Axeda software identified in the CISA advisory include:
- Use of hard-coded credentials
- Missing authentication for critical functions
- Exposure of sensitive information to unauthorized parties
- Improper check or handling of exceptional conditions
According to the FDA Cybersecurity Alert, PTC (the company that owns and supports the Axeda agent and Axeda Desktop Server) recommends that manufacturers whose devices utilize the software take several specific steps to mitigate the cyber vulnerability risk, including upgrading to the latest version of the Axeda agent and providing a unique password for each unit running the Axeda Desktop Server.