
CPATH-2026-0039 · MEDICAL IOT

Baxter Sigma Spectrum WBM - cleartext Wi-Fi credentials and PHI

Provisional. Candidate score (CFSE Consequence Paths 1.0-candidate); pending independent review. Treat as a structured second opinion, not a final rating.
Paths: HIGH · Dominant consequence: ACCOUNT_AUTHORITY (authority) · Evidence: EV:3 (reproduced / report-backed) · Liveness: PATCH_AVAILABLE
CPATH ID: CPATH-2026-0039
CVE(s): CVE-2022-26390
Device / class: Baxter Sigma Spectrum WBM - cleartext Wi-Fi credentials and PHI (MEDICAL IOT)
Vendor: Baxter
Dominant consequence: ACCOUNT_AUTHORITY (authority)
Paths verdict: HIGH (worst of 2 paths)
Published baseline: CVSS v3.1 4.2 MEDIUM · CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N · Baxter/Product Security via NVD / NVD
Baseline relationship: ▼ Paths higher
Consequence dimension(s): #1 #2 #7
Scored: 2026-06-03 · CFSE Consequence Paths v1.0-candidate · validation: provisional
Baseline confidence: high

Consequence Paths

Paths Assessment

authority · ACCOUNT_AUTHORITY · HIGH

Summary: Reachability RE:1 · Complexity EC:4 · Consequence ACCOUNT_AUTHORITY · Scale SR:4 / SX:3 · Verdict HIGH

Reachability: 1
Complexity: 4
Exposure: 1
Physical / safety: 2
Data / perception: 3
Authority: 2
Chainability: 4
Reuse scale: 4
Execution scale: 3
Recovery: 3
Evidence: EV:3 · reproduced / report-backed
Liveness: PATCH_AVAILABLE
Vector: CPATH:1.0-candidate/TT:ACCOUNT_AUTHORITY/RE:1/EC:4/EX:1/PH:2/DP:3/AT:2/CH:4/SR:4/SX:3/OR:3/EV:3/LS:PATCH_AVAILABLE

perception · DATA_PRIVACY · HIGH

Summary: Reachability RE:1 · Complexity EC:4 · Consequence DATA_PRIVACY · Scale SR:2 / SX:1 · Verdict HIGH

Reachability: 1
Complexity: 4
Exposure: 1
Physical / safety: 0
Data / perception: 3
Authority: 1
Chainability: 2
Reuse scale: 2
Execution scale: 1
Recovery: 2
Evidence: EV:3 · reproduced / report-backed
Liveness: PATCH_AVAILABLE
Vector: CPATH:1.0-candidate/TT:DATA_PRIVACY/RE:1/EC:4/EX:1/PH:0/DP:3/AT:1/CH:2/SR:2/SX:1/OR:2/EV:3/LS:PATCH_AVAILABLE

Assessment

CFSE Consequence Paths assesses Baxter Sigma Spectrum WBM - cleartext Wi-Fi credentials and PHI at HIGH — the worst of 2 risk paths (authority and privacy). The dominant consequence is not immediate pump control; it is that one unwiped WBM can expose reusable hospital Wi-Fi credentials, turning a physical data-extraction issue into a network-access and credential-rotation problem.

Vulnerability

CVE-2022-26390 covers cleartext storage of network credentials and, for Spectrum IQ deployments using auto programming, PHI on the Wireless Battery Module (WBM). The attacker needs physical possession of a device that has not had data and settings erased. Related Baxter WBM findings, such as the format-string and unauthenticated reconfiguration CVEs, are not scored in this entry.

Where Paths differs from CVSS

CVSS scores the declared CVE narrowly: physical access, high attack complexity, confidentiality impact, no integrity or availability impact. That produces 4.2 Medium.

The Paths model agrees that the direct data-read path is local and bounded. The disagreement is about what the extracted data is. If the WBM contains a still-valid organization Wi-Fi credential, the harm is not only “someone read data from one discarded battery.” It can become a portable credential for hospital network access, with recovery requiring shared wireless credential rotation across the affected environment. That reusable-authority consequence is not represented by the CVSS C:H/I:N/A:N vector.

This entry should be read with that condition explicit: the Paths uplift depends on shared or reusable Wi-Fi credentials remaining valid. If a deployment uses per-device credentials, short credential lifetime, and confirmed wipe before decommissioning, the ACCOUNT_AUTHORITY path should be reduced.

CFSE Consequence Paths analysis

The vulnerability is decomposed into one risk path per terminal consequence. Each path is scored on its exposure (reachability × execution complexity) and on the authority, perception, and physical/safety consequences it reaches, together with its scale of reuse, scale of execution, and recoverability.

ACCOUNT_AUTHORITY · HIGH

CPATH:1.0-candidate/TT:ACCOUNT_AUTHORITY/RE:1/EC:4/EX:1/PH:2/DP:3/AT:2/CH:4/SR:4/SX:3/OR:3/EV:3/LS:PATCH_AVAILABLE

Exposure EX=1 (reachability-bound) · bands: PH=ELEVATED · DP=HIGH · AT=ELEVATED → base HIGH · caps: low-exposure cap → assessed HIGH.

The terminal consequence is the stored Wi-Fi credential. RE:1 because the attacker needs physical possession of an unwiped WBM. EC:4 because, once the issue is known and the device is in hand, extracting the cleartext credential is straightforward. AT:2 because the credential grants bounded hospital wireless-network access, not pump admin or firmware authority. DP:3 because credentials and PHI are sensitive operational/health data. CH:4 because a device-local secret can become a bridge into the hospital network. SR:4/SX:3 apply when the credential is shared or reusable across a deployment: one recovered/resold device can expose access useful beyond that one unit. OR:3 because recovery may require network-wide credential rotation plus decommissioning hygiene, not just patching a single pump. EV:3 because Rapid7 reproduced the issue on hardware.

DATA_PRIVACY · HIGH

CPATH:1.0-candidate/TT:DATA_PRIVACY/RE:1/EC:4/EX:1/PH:0/DP:3/AT:1/CH:2/SR:2/SX:1/OR:2/EV:3/LS:PATCH_AVAILABLE

Exposure EX=1 (reachability-bound) · bands: PH=MONITOR · DP=HIGH · AT=ELEVATED → base HIGH · caps: low-exposure cap, privacy-only cap → assessed HIGH.

This is the part CVSS mostly captures. RE:1 requires physical possession of an unwiped, lost, decommissioned, or resold device. EC:4 once the device is in hand. DP:3 because PHI is health-sensitive data at rest. AT:1 because this path is read-only exposure, not configuration or firmware authority. PH:0 because the PHI read does not itself create a safety effect. CH:2 because it crosses a device-to-data boundary but the PHI itself is not a reusable authority bridge. SR:2/SX:1 because PHI is largely per-device/per-patient rather than fleet-portable. OR:2 because mitigation is wipe-before-decommission guidance plus software/process remediation. EV:3 because Rapid7 reproduced the issue on hardware.

Published baseline

The published baseline above is retained for source review. The registry records the reachable consequence path, including deployment-specific cyber-physical consequence, physical/safety impact, scale, and recovery burden.

Sources

Cite this entry: CFSE Consequence Paths Registry v1.0-candidate, entry CPATH-2026-0039 (“Baxter Sigma Spectrum WBM - cleartext Wi-Fi credentials and PHI”), paths.cfse.ai/CPATH-2026-0039 (published 2026-06-03).