Ornamental dots. Two rows of three dots. The top row is a light blue. The bottom row is one light blue dot followed by two orange dots.

GE Radiology Vulnerability

Vedere Labs Team (formerly CyberMDX) Discovers Vulnerability in GE LightSpeed, Revolution, and other CT, MRI, and X-Ray imaging systems


CISA Advisory (ICSMA-20-343-01)


MDhex-Ray Background

MDhex-Ray is a vulnerability discovered by Vedere Labs (formerly CyberMDX) and published by CISA on the 8th of December 2020 as CVE-2020-25179. MDhex-Ray affects a long list of CT, X-Ray, and MRI imaging systems manufactured by GE Healthcare.

Successfully exploiting the vulnerability may expose sensitive data – such as PHI – or could allow the attacker to run arbitrary code, which might impact the availability of the system and allow manipulation of PHI.

The profound potential impact of these vulnerabilities coupled with the relative ease of exploitation is what makes them so critical in score. Immediately upon discovering the flaw in May 2020, CyberMDX has contacted GE Healthcare to report the issue and both organizations are working together to resolve it.

More than 100 devices are affected by this vulnerability across the following product lines:

Modality Product Families
MRI Signa, Brivo, Optima
Ultrasound LOGIQ, Vivid, EchoPAC, Image Vault, Voluson
Advanced Visualization AW
Interventional Innova, Optima
X-Ray Brivo, Definium, AMX, Discovery, Optima, Precision
Mammography Seno, Senographe Pristina
Computed Tomography BrightSpeed, Brivo, Discovery, LightSpeed, Optima, Revolution, Frontier
Nuclear Medicine, PET/CT Brivo, Discovery, Infinia Optima, Ventri, Xeleris, PET Discovery, PETtrace


GE Management Software Vulnerability (CVE-2020-25179)

Risk Level: A maximum severity score of 9.8 has been assigned to this vulnerability. The CVSS vector string is AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Date Reported: May, 2020
CISA Advisory date: December 8, 2020


Vulnerability Details

Default credentials used on GE proprietary management software

The affected modalities have an integrated PC running a Unix-based operating system. On top of its operating system, the modalities have proprietary software installed that manages the device as well as its maintenance and update procedures done by GE from the internet.

The update and maintenance software authenticates connections by using credentials that are publicly exposed (can be found online) and does so periodically with GE’s online maintenance servers.

The credentials can only be updated by the GE Healthcare Support team. If not updated through a customer request – credentials are left default.

Having HDOs not aware of the existence of those credentials or the nature of the maintenance mechanism, we found those modalities to lack restrictions on maintenance communication with entities other than GE servers.


Mitigations and Recommendations

Contact GE Healthcare and request credentials change on all affected devices in your facility. Note – the credentials change can ONLY be performed by the GE Healthcare Support team. Customers do not have the ability to change them at this time.

GE Healthcare plans to provide patches and additional security information about this vulnerability for affected users. Please check their website for more information or reach out to the vendor directly.

Additionally, you should implement a network policy that restricts the following ports for the affected devices to be available only for GE maintenance servers:

  • FTP (port 21) – used by the modality to obtain executable files from the maintenance server
  • SSH (port 22)
  • Telnet (port 23) – used by the maintenance server to run shell commands on the modality
  • REXEC (port 512) – used by the maintenance server to run shell commands on the modality




Elad Luz, Head of Research at CyberMDX, a Forescout Company
Lior Bar Yosef, Cyber Security Analyst

Forescout Products

Get the capabilities you need to build a tailored security solution for your digital terrain
and continuously automate actions to reduce cyber risk.


Assess Your Risk: Finding Vulnerable Devices



Identify Attacks: Detecting Ongoing Exploits



Protect Your Organization: Segmenting the Network

Demo RequestForescout PlatformTop of Page