

BD Alaris 8015 — CVE-2016-9355 Analysis
Graduate research project for CY 7790 / CY 4973 (Medical Device Security) at Northeastern University. The primary vulnerability under analysis was CVE-2016-9355: unauthenticated access to sensitive configuration data on the BD Alaris 8015 Point of Care (PC) Unit — a widely deployed intravenous infusion pump used in ICUs and hospitals across the United States. The device's embedded web server exposed drug library files, audit logs, and device configuration data to any unauthenticated user on the hospital network.
This vulnerability maps to CWE-312 (Cleartext Storage of Sensitive Information) and CWE-200 (Exposure of Sensitive Information). In a medical context, the impact extends beyond data confidentiality — an attacker with access to drug library files could potentially manipulate dosage parameters prior to infusion, with life-safety consequences.
New finding: During analysis, a previously undocumented vulnerability was confirmed — CWE-798 (Use of Hard-Coded Credentials). Default administrative credentials for the device's management interface were found hardcoded in the firmware, present across the entire installed base and not resettable by end users. This was documented alongside the primary CVE chain.
Deliverables Produced
- - Full vulnerability analysis report
- - STRIDE threat model
- - Data Flow Diagram (DFD) — SVG
- - CVSS v3.1 scoring (primary + new finding)
- - Exploit chain documentation
- - Credential XML sample analysis
- - HTML presentation site
- - Speaker notes package
- - Remediation guidance (short-term & long-term)

Year
2025 – 2026
Course
CY 7790 / CY 4973
Institution
Northeastern University
CVE
CVE-2016-9355
New Finding
CWE-798 Confirmed
Vulnerability Analysis
Primary chain — CVE-2016-9355 (CWE-312 / CWE-200): The BD Alaris 8015 web server (accessible on the hospital LAN) served drug library XML files and device configuration data over HTTP with no authentication gate. An attacker with network access — patient, visitor, or insider — could enumerate endpoints and retrieve sensitive configuration data without credentials. CVSS v3.1 base score: 7.5 (High). Attack vector: Network. Attack complexity: Low. No privileges required. No user interaction.
New finding — CWE-798 (Hardcoded Credentials): Analysis of the device's administrative interface revealed hardcoded default credentials present in the firmware across the installed base. Unlike a weak default password, hardcoded credentials cannot be changed by hospital IT staff, leaving every deployed unit with a static, known authentication bypass. CVSS v3.1 base score: 8.6 (High). Combined with CVE-2016-9355, the exploit chain allows unauthenticated access to device configuration followed by authenticated administrative control.
STRIDE analysis: Threat modeling covered all six STRIDE categories against the device's network-facing attack surface, its drug library management subsystem, and its physical interface. Spoofing threats included credential replay; Tampering threats covered drug library XML modification prior to upload; Repudiation gaps were identified in the audit log access controls; Information Disclosure was the primary CVE vector; Denial of Service via resource exhaustion on the embedded web server was documented; and Elevation of Privilege through the hardcoded credential chain was the new finding.
Remediation: Short-term: network segmentation (VLAN isolation of infusion pump network), firewall rules restricting unauthenticated web server access, and credential rotation where supported. Long-term: firmware update mandating authentication for all web server endpoints, removal of hardcoded credentials, and implementation of mutual TLS for all device communications — aligned with FDA postmarket cybersecurity guidance and IEC 62443-4-2.

Frameworks
STRIDE / CVSS v3.1
Standards
IEC 62443 / FDA Guidance
Approach & Methodology
The analysis followed a structured medical device security methodology grounded in FDA postmarket cybersecurity guidance and IEC 62443 principles. The DFD was constructed from publicly available device documentation, network traffic analysis references, and the vulnerability advisory — mapping all trust boundaries, data flows, and external entities relevant to the attack surface.
CVSS v3.1 scoring was applied independently to both the primary CVE and the new CWE-798 finding, with explicit justification for each metric selection. The exploit chain was documented step by step: network access → unauthenticated endpoint enumeration → drug library retrieval (CVE-2016-9355) → hardcoded credential authentication (CWE-798) → administrative control.
The project also involved analysis of credential XML sample files extracted from the advisory, examining the structure and security properties of the device's configuration format — identifying fields that represent exploitable data and informing the CWE-798 documentation.
