Security Advisory for Axeda Access:7 vulnerabilities
2022 April 6 (last updated 2022 May 6)
CVE-2022-25246, CVE-2022-25247, CVE-2022-25248, CVE-2022-25249, CVE-2022-25250, CVE-2022-25251, CVE-2022-25252
Background
Leica Biosystems has been notified of 7 vulnerabilities associated with a remote access solution produced by Axeda, collectively known as Access:7. PTC acquired Axeda in 2014, and the Axeda software was phased out by the end of 2020.
Leica Biosystems has reviewed its products and identified a Leica Biosystems service that impacts multiple Leica Biosystems products. The service was called RemoteCare and is no longer distributed or supported. RemoteCare used part of the Axeda software containing some of the vulnerabilities listed in Access:7. When the RemoteCare service was discontinued on 31st December 2020, the Axeda software was no longer necessary; however, in some circumstances it may not have been removed or disabled completely. Where the software remained, the product could be at risk.
Product Status
| Product | Status Regarding Access:7 | Recommendations and Comments |
|---|---|---|
| Aperio AT2 (DX) | Not Vulnerable | Axeda software is not present. |
| Aperio CS2 | Not Vulnerable | Axeda software is not present. |
| Aperio eSlide Manager | Not Vulnerable | Axeda software is not present. |
| Aperio GT 450 (DX) | Not Vulnerable | Axeda software is not present. |
| Aperio ImageScope (DX) | Not Vulnerable | Axeda software is not present. |
| Aperio LV1 | Not Vulnerable | Axeda software is not present. |
| Aperio Scanner Administration Manager (SAM) Server for GT 450 (DX) | Not Vulnerable | Axeda software is not present. |
| Aperio VERSA | Not Vulnerable | Axeda software is not present. |
| Aperio WebViewer DX | Not Vulnerable | Axeda software is not present. |
| BOND-ADVANCE, BOND Controller | Potentially Vulnerable | Axeda software used by RemoteCare was not preinstalled by default. Only customers who purchased the RemoteCare service and had the Axeda software installed on the BOND Controller are impacted. If you have not previously purchased the RemoteCare service, then you are not vulnerable, and no further action is necessary. |
| BOND-III | Not Vulnerable | Axeda software is not present. |
| BOND-MAX | Not Vulnerable | Axeda software is not present. |
| BOND RX, BOND RXm | Not Vulnerable | Axeda software is not present. |
| CEREBRO | Potentially Vulnerable | Axeda software used by RemoteCare was not preinstalled by default. Only customers who opted to use RemoteCare service instead of using their own remote support solution had the Axeda software installed on the CEREBRO server and workstations. If you have not opted to use the RemoteCare service for remote support, then you are not vulnerable, and no further action is necessary. If you are not sure, you can contact a local Leica Biosystems service center to have a Leica representative check if RemoteCare has been installed or not. |
| CytoVision | Not Vulnerable | Axeda software is not present. |
| HistoCore Arcadia C | Not Vulnerable | Axeda software is not present. |
| HistoCore Arcadia H | Not Vulnerable | Axeda software is not present. |
| HistoCore PEARL | Potentially Vulnerable | The Axeda software used in RemoteCare is installed but disabled by default. |
| HistoCore PEGASUS (PLUS) | Not Vulnerable | Axeda software is not present. |
| HistoCore PELORIS 3 | Potentially Vulnerable | Axeda software used by RemoteCare was not preinstalled by default. If you have previously purchased RemoteCare, then the Axeda software will have been installed and enabled, in which case your system could be vulnerable to malicious persons or malware with access to the same network the instrument is connected to. |
| HistoCore SPECTRA CV | Not Vulnerable | Axeda software is not present. |
| HistoCore SPECTRA ST | Potentially Vulnerable | The Axeda software used in RemoteCare is installed and enabled by default even when RemoteCare was not purchased. |
| HistoCore SPIRIT ST | Not Vulnerable | Axeda software is not present. |
| HistoCore SPRING ST | Not Vulnerable | Axeda software is not present. |
| Leica ASP200 (S) | Potentially Vulnerable | The Axeda software used in RemoteCare is installed and enabled by default even when RemoteCare was not purchased. |
| Leica ASP6025 (S) | Potentially Vulnerable | The Axeda software used in RemoteCare is installed and enabled by default even when RemoteCare was not purchased. |
| Leica CV5030 | Not Vulnerable | Axeda software is not present. |
| Leica IP C | Not Vulnerable | Axeda software is not present. |
| Leica IP S | Not Vulnerable | Axeda software is not present. |
| Leica ST4020 | Not Vulnerable | Axeda software is not present. |
| Leica ST5010 | Not Vulnerable | Axeda software is not present. |
| Leica ST5020 | Not Vulnerable | Axeda software is not present. |
| Leica TP1020 | Not Vulnerable | Axeda software is not present. |
| PELORIS, PELORIS II | Potentially Vulnerable | The Axeda software used in RemoteCare is installed but disabled by default. |
| LIS Connect | Not Vulnerable | Axeda software is not present. |
| PathDX | Not Vulnerable | Axeda software is not present. |
| ThermoBrite Elite | Not Vulnerable | Axeda software is not present. |
Disclaimer
The information on this site is based on information Leica Biosystems has been able to gather as of the date of this update. The information is intended to help customers address the situation described herein. Leica Biosystems evaluates risk based on common use of our devices or systems, and our evaluation may not represent the actual risk to your local installation and individual environment. It is recommended that all users determine the applicability of this information to their individual environments and take appropriate actions.
This information is provided "as is" and does not offer or imply any kind of guarantee or warranty. Leica Biosystems expressly disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Leica Biosystems or its affiliates be liable for any damages whatsoever arising from or related to the information contained herein or actions that you decide to take based thereon, including any direct, indirect, incidental, consequential, loss of business profits or special damages, even if Leica Biosystems or its affiliates have been advised of the possibility of such damages.
Your use of the information in this document is at your own risk. Leica Biosystems reserves the right to change or update this document at any time.