
Maximum Severity Vulnerability Identified in Baxter Connex Health Portal

Two vulnerabilities have been identified in the Baxter Connex Health Portal that, if exploited, could lead to the remote injection of malicious code, the shutdown of the database services, and unauthorized access, modification, and deletion of data from the database.

The most serious flaw is an SQL injection vulnerability caused by improper sanitization of the values of certain request parameters. The vulnerability is tracked as CVE-2024-6795 and has been assigned the maximum CVSS (v3.1) severity score of 10. It can be exploited remotely in a low-complexity attack, allowing an attacker to run arbitrary SQL queries; access, modify, and delete sensitive data; and/or perform administrative operations, including shutting down the database.
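To illustrate the flaw class described above, here is an added example (not Baxter's code; the patient table, column names and sample rows are constructed assumptions) showing a lookup that concatenates an unsanitized parameter value into SQL next to its parameterized and input-validated replacements:

```python
# Added example, not code from the Baxter Connex Health Portal.
# Demonstrates the injection pattern behind CVE-2024-6795 on a constructed
# in-memory SQLite database; schema and rows are assumptions for illustration.
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data standing in for a clinic portal's patient table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE patients (id INTEGER, clinic_id INTEGER, name TEXT)")
    conn.executemany(
        "INSERT INTO patients VALUES (?, ?, ?)",
        [(1, 100, "Alice"), (2, 100, "Bob"), (3, 200, "Carol")],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, clinic_id: str) -> list:
    """Unsanitized parameter value spliced into the query text: whatever the
    client sends becomes SQL, so a crafted value widens the WHERE clause and
    returns every clinic's patients instead of one clinic's."""
    sql = f"SELECT name FROM patients WHERE clinic_id = '{clinic_id}' ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


def lookup_hardened(conn: sqlite3.Connection, clinic_id: str) -> list:
    """Parameterized query: the driver binds the value as data, never as SQL,
    so the same crafted value simply matches no row."""
    sql = "SELECT name FROM patients WHERE clinic_id = ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (clinic_id,))]


def lookup_validated(conn: sqlite3.Connection, clinic_id: str) -> list:
    """Defense in depth: reject values that are not of the expected type before
    they reach the database, which also gives a clean event to log and alert on."""
    if not clinic_id.isdigit():
        raise ValueError("clinic_id must be numeric")
    return lookup_hardened(conn, clinic_id)


if __name__ == "__main__":
    db = make_db()
    tampered = "100' OR '1'='1"  # constructed sample of a tampered parameter value
    print("vulnerable:", lookup_vulnerable(db, tampered))  # leaks all clinics
    print("hardened:  ", lookup_hardened(db, tampered))    # []
```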

The second issue is a high-severity improper access control vulnerability – CVE-2024-6796 – that can be exploited to access sensitive patient and clinician information and could also allow the modification or deletion of clinic details. The vulnerability has been assigned a CVSS score of 8.2.

Both vulnerabilities were reported to the U.S. Cybersecurity and Infrastructure Security Agency (CISA) by Baxter. Baxter said the vulnerabilities do not appear to have been exploited in the wild and no personal or health data is believed to have been compromised. Baxter said the vulnerabilities were patched when discovered and no user actions are required.


Actions that can be taken to reduce the risk of vulnerability exploitation include minimizing network exposure by ensuring control system devices and systems are not accessible via the Internet, locating control system networks and devices behind firewalls and isolating them from business networks, and using secure methods when remote access is required, such as Virtual Private Networks (VPNs).

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
