Vulnerability Identified in Philips Ultrasound Systems

Philips found an authentication bypass issue affecting Philips Ultrasound Systems. An attacker can potentially manipulate this problem to access or modify data. The vulnerability is set off by the existence of an optional path or way that could be used to elude authentication controls.

The vulnerability is labeled as CVE-2020-14477. This is considered as low severity vulnerability with a 3.6 out of 10 designated CVSS v3 base score. An attacker could exploit the vulnerability if there is local access to a vulnerable system. It’s not possible to exploit the vulnerability remotely. Additionally, there’s no risk to patient safety in case of exploitation of this vulnerability.

The following Philips Ultrasound Systems are affected by vulnerability CVE-2020-14477:

  • Ultrasound Sparq Version 3.0.2 and prior versions
  • Ultrasound Xperius all versions
  • Ultrasound ClearVue Versions 3.2 and prior versions
  • Ultrasound CX Versions 5.0.2 and prior versions
  • Ultrasound EPIQ/Affiniti Versions VM5.0 and prior versions

The vulnerability has been resolved for the Ultrasound EPIQ/Affiniti systems VM6.0 release. Users who have these systems must contact their Philips support agent for additional details on installation updates.

Users of other affected systems need to wait for the release of an update in the fourth quarter of 2020. Philips will take care of the vulnerability in Ultrasound ClearVue Version 3.3, Ultrasound CX Version 5.0.3, and Ultrasound Sparq Version 3.0.3 in the fourth quarter of 2020.

For now, as an interim safety precaution, Philips advises users to ask their service providers to take a look at device integrity whenever completing service and repair procedures. It is also advisable to enforce physical security procedures to keep unauthorized individuals from getting access to the devices.

About Christine Garcia 1297 Articles
Christine Garcia is the staff writer on Calculated HIPAA. Christine has several years experience in writing about healthcare sector issues with a focus on the compliance and cybersecurity issues. Christine has developed in-depth knowledge of HIPAA regulations. You can contact Christine at [email protected]. You can follow Christine on Twitter at