Blue Goat Cyber logoBlue Goat CyberSMMedical Device Cybersecurity
    K
    Blog · FDA

    VxWorks Vulnerabilities in Medical Devices

    How MedTech teams should identify, triage, and document VxWorks RTOS vulnerabilities (URGENT/11 and beyond) for FDA Section 524B premarket and postmarket.

    Hero illustration for the FDA article: VxWorks Vulnerabilities in Medical Devices
    Christian Espinosa, Founder & CEO at Blue Goat Cyber

    By Christian Espinosa, MBA, CISSP

    Founder & CEO · Blue Goat Cyber

    Published: March 3, 2024 · Last reviewed: May 1, 2026

    Direct answer

    Manufacturers must identify, triage, and document VxWorks vulnerabilities in medical devices to meet FDA expectations outlined in the February 3, 2026 final guidance and Section 524B. This involves a complete software bill of materials (SBOM), detailed VEX statements, and traceable evidence connecting cybersecurity risks to potential patient harm and essential clinical performance. Proper identification requires both manual analysis and automated tooling to validate reachability and impact, moving beyond generic severity scores.

    VxWorks still shows up across a large share of FDA-regulated devices, including patient monitors, infusion pumps, imaging platforms, and lab analyzers. Since URGENT/11, the FDA has expected manufacturers to know exactly where VxWorks is used, what version is deployed, which vulnerabilities apply, and what evidence supports the risk decision. In 2026, that means a complete SBOM, dated VEX statements, and traceable Section 524B evidence that ties cybersecurity risk to patient harm and essential clinical performance.

    Key Takeaways

    • VxWorks remains prevalent in various FDA-regulated devices.
    • A precise SBOM is foundational for identifying VxWorks exposure.
    • Validate vulnerability reachability and impact on patient safety.
    • Triage must align with FDA Section 524B requirements.
    • Patch vulnerabilities or implement strong compensating controls objectively.
    • Reviewers expect traceable evidence from inventory to risk decisions.

    Table of Contents

    Why this matters

    The FDA's Cybersecurity in Medical Devices: Quality Management System Considerations and Content of Premarket Submissions (Feb 3, 2026 final guidance) made cybersecurity documentation a gating criterion for clearance under Section 524B of the FD&C Act. Reviewers now apply this guidance to vxworks vulnerabilities in medical devices the same way they apply software lifecycle expectations from IEC 62304 and security risk-management expectations from AAMI TIR57 and ANSI/AAMI SW96:2023.

    Gaps in this area are the single most common driver of first-cycle cybersecurity Additional Information (AI) requests. The FDA's FY2024 CDRH performance reports show cybersecurity is among the top deficiency categories cited in 510(k) and PMA AI letters, behind only software documentation and clinical evidence. Treating it as a checklist exercise rather than a design-controlled engineering artifact is what creates the gap.

    Why VxWorks Still Demands Attention

    VxWorks, developed by Wind River, is a real-time operating system used in embedded products where timing and reliability matter. In medical devices, that combination is attractive: small footprint, deterministic behavior, support across hardware platforms, and a long history in systems that cannot tolerate unpredictable latency.

    That same footprint creates a persistent security problem. VxWorks is often buried deep in the product stack, inherited from a supplier, or carried forward across multiple product generations. Teams think they are dealing with an application issue when the real exposure sits in the RTOS, middleware, network services, or BSP. That is why the FDA keeps asking for software inventory quality, patch posture, and clear vulnerability disposition instead of generic claims that the device is "secure by design."

    What Makes VxWorks a Recurring Risk

    Several traits make VxWorks a recurring source of regulatory and security work for manufacturers:

    • Long product lifecycles that outlast normal software support windows
    • Third-party integration where the RTOS is not fully visible to the device maker
    • Network-exposed services that may be enabled by default or left undocumented
    • Product variants that share a codebase but differ in deployed components
    • Safety-critical use cases where even a low-probability exploit can have outsized clinical impact

    URGENT/11 made this plain. The issue was not just a set of CVEs. It was that many manufacturers did not know whether the affected components were present, reachable, or mitigated in their shipping devices.

    What VxWorks Vulnerabilities Usually Look Like

    VxWorks flaws are not limited to one class of bug. The common patterns are familiar: memory corruption, privilege escalation, denial of service, authentication weaknesses, and remote code execution tied to exposed services or protocol handling.

    For medical device teams, the practical question is not "Does this RTOS have vulnerabilities?" Of course it does. The real questions are:

    • Which vulnerable component is present in our device?
    • Which version is actually deployed?
    • Is the vulnerable function reachable in our architecture?
    • What exploit conditions exist in the intended use environment?
    • What is the impact on safety, essential performance, and clinical operations?

    Common Vulnerability Categories

    The most common categories include:

    • Buffer and memory handling flaws: These can cause crashes, unstable behavior, or code execution.
    • Privilege escalation issues: An attacker who gains a foothold may move into more trusted execution paths.
    • Remote code execution paths: Often tied to networking stacks, RPC services, web interfaces, or protocol parsers.
    • Denial-of-service conditions: Particularly serious in devices that depend on continuous availability or predictable timing.
    • Configuration weaknesses: Unused but enabled services, default credentials, open debug paths, and insecure update mechanisms.

    Why the Impact Is Different in Medical Devices

    In a consumer product, a crash may be an inconvenience. In a medical device, a crash can interrupt therapy, delay diagnosis, corrupt data, or force fallback to manual procedures. A network-service flaw in an infusion system or bedside monitor is not just an IT issue. It can become a patient safety issue if exploitation degrades availability, integrity, or clinician trust in device output.

    That is why the FDA expects threat modeling and vulnerability assessment to connect directly to harm. You need to show how exploitation could affect safety or essential clinical performance, and what controls reduce that risk to an acceptable level.

    How to Identify VxWorks Exposure in Your Device

    You cannot triage what you have not accurately identified. For VxWorks-based products, identification starts with software inventory discipline, not a scanner screenshot.

    Build the Right Software Inventory First

    Start by confirming:

    • VxWorks version and edition
    • Wind River packages and optional components included
    • Board support package details
    • Enabled network services and listening interfaces
    • Third-party libraries bundled with the image
    • Product variants that inherit the same software stack
    • Supplier-delivered binaries and any customization layers

    This is the foundation for an SBOM that reviewers can trust. If your SBOM omits the RTOS version, middleware, or included services, your downstream VEX and vulnerability analysis will be weak from the start.

    Use Manual Analysis and Tooling Together

    Manual review still matters. Experienced engineers can inspect build artifacts, startup configuration, enabled services, and architecture decisions that automated tools routinely miss. That includes undocumented dependencies, dead code assumptions, and exposure created by integration choices rather than the base RTOS alone.

    Automated tools are still useful, but only when used correctly. SCA platforms, firmware analysis tools, binary composition analysis, and network enumeration can help identify vulnerable components and known CVEs. They also help surface version mismatches between what engineering believes is present and what is actually shipping.

    Use both. Tool output without engineering validation creates noise. Manual review without tooling misses scale.

    Validate Reachability, Not Just Presence

    This is where many teams fail. A CVE match does not automatically mean the device is exploitable. But "not automatically" does not mean "not applicable."

    You need to validate:

    • Whether the vulnerable component is compiled into the product
    • Whether the affected function is enabled and reachable
    • Whether authentication, segmentation, or device workflow meaningfully reduce exploitability
    • Whether a failure or compromise can propagate into a hazardous situation

    That is the difference between real triage and checklist theater.

    Triage for Section 524B and FDA Review

    Once you identify a VxWorks vulnerability, the next job is to document a defensible disposition. The FDA does not want a pile of CVEs with severity scores and no clinical context. It wants evidence that you evaluated exploitability, impact, and compensating controls in the context of the device.

    What Good Triage Looks Like

    See also: Medical Device SBOM: FDA Requirements and Submission Guide, Medical Device Cybersecurity: SBOM & SAST, and CI/CD Security Gates for Medical Devices: SPDF in Practice.

    For each relevant vulnerability, document:

    • Affected component and version
    • Source of identification such as NVD, vendor advisory, CISA, internal testing, or researcher report
    • Device models and product versions affected
    • Exploit preconditions
    • Reachability in the intended environment
    • Impact on confidentiality, integrity, availability, safety, and essential performance
    • Existing controls and residual risk
    • Patch, mitigation, or rationale for non-remediation
    • Date assessed and owner of the decision

    This is where VEX becomes useful. A dated VEX statement can explain whether a CVE is affected, not affected, under investigation, or fixed, with enough detail to support the claim. That statement should align with your SBOM, risk files, and design documentation.

    Severity Scores Are Not Enough

    CVSS can help prioritize, but it does not answer FDA review questions by itself. A medium-severity network flaw may deserve urgent action if it can interrupt therapy. A high-severity issue may be lower practical risk if the affected service is absent, unreachable, or blocked by architecture. Your triage has to show the reasoning.

    Tie the analysis back to:

    • Threat scenarios from the threat model
    • Hazard analysis and hazardous situations
    • Security control verification
    • Labeling, deployment assumptions, and servicing constraints

    If your conclusion is "not exploitable," be ready to prove it.

    Mitigation Options That Hold Up Under Scrutiny

    Identification without action is not enough. For VxWorks issues, acceptable mitigation depends on what is technically possible in the product lifecycle and what evidence you can produce.

    Patch When You Can, Compensate When You Must

    The preferred path is straightforward: update the affected component, verify the fix, and document regression results. But medical devices often have servicing limits, certification impacts, supplier delays, and field deployment constraints. When patching is not immediately feasible, you need compensating controls that are specific and testable.

    Examples include:

    • Disabling vulnerable services
    • Restricting ports and protocols
    • Enforcing authenticated access paths
    • Segmenting the device from untrusted networks
    • Hardening configuration and removing debug interfaces
    • Monitoring for exploit attempts or anomalous behavior
    • Tightening update integrity controls

    A vague statement that the device is deployed in a hospital network is not a mitigation. Show the technical control. Show where it is implemented. Show test evidence.

    Secure Development Still Matters

    Long-term reduction in VxWorks exposure comes from engineering discipline:

    • Secure coding practices around memory handling and input validation
    • Architecture review for service exposure and trust boundaries
    • Repeated code review and static analysis
    • Firmware and software update design that supports timely remediation
    • Supplier management for RTOS and middleware transparency
    • Verification plans that include abuse cases, not just intended use

    Manufacturers that treat RTOS vulnerabilities as one-off patch events keep reliving the same problem. The better approach is to design for visibility, containment, and maintainability from the start.

    What Reviewers Expect to See

    By the time a submission reaches the FDA, the manufacturer should be able to produce a clean line from inventory to risk decision to evidence.

    That usually means:

    • An SBOM that accurately lists VxWorks and related components
    • VEX statements for relevant CVEs, with dates and rationale
    • Threat modeling that covers RTOS and network-service abuse paths
    • Security risk documentation tied to patient harm and essential performance
    • Verification evidence for patches or compensating controls
    • Plans for coordinated vulnerability disclosure and postmarket monitoring

    If those artifacts disagree with each other, reviewers will notice. If the SBOM says one thing, the VEX says another, and the risk file uses generic language, expect questions.

    The standard is not perfection. It is traceability and credibility.

    VxWorks is not unusual because it has vulnerabilities. It is unusual because many device makers still underestimate how hard those vulnerabilities are to inventory, triage, and defend in front of the FDA. If your device depends on VxWorks, know the stack, verify applicability, and document the risk decision like a reviewer will read every line.

    How Blue Goat approaches this

    Blue Goat Cyber's medical device practice is led by engineers with CISSP, OSCP, and prior military red-team backgrounds. We treat cybersecurity documentation as design-controlled engineering output, not a submission template, every artifact (threat model, SBOM, security risk assessment, penetration test, labeling) traces back to a controlled requirement and a verified result.

    Our engagements deliver the full Feb 3, 2026 guidance documentation set scoped to the device's risk profile, integrated with the existing IEC 62304 software lifecycle and ISO 14971 risk file. See our medical device cybersecurity services for the full scope. If the FDA raises cybersecurity deficiencies after our submission, we resolve them at no additional cost.

    FAQ

    What is VxWorks in medical devices?

    VxWorks is a real-time operating system (RTOS) used in embedded medical devices like patient monitors and infusion pumps due to its small footprint and reliable, deterministic behavior. It is developed by Wind River.

    Why is VxWorks a recurring risk for medical devices?

    VxWorks poses recurring risks due to long product lifecycles, deep integration, network-exposed services, product variants, and safety-critical use cases where even minor exploits can have significant clinical impact. Many manufacturers lack full visibility into its deployment.

    How does the FDA view VxWorks vulnerabilities?

    The FDA expects manufacturers to know all VxWorks deployments, versions, applicable vulnerabilities, and provide evidence supporting risk decisions, especially concerning patient harm and essential clinical performance, as per the February 3, 2026 final guidance and Section 524B.

    What evidence does the FDA expect for VxWorks vulnerability triage?

    The FDA expects a complete SBOM, dated VEX statements, and traceable Section 524B evidence connecting cybersecurity risk to patient harm. This includes documentation of affected components, exploit preconditions, reachability, and impact on safety and essential performance.

    Are CVSS scores sufficient for FDA vulnerability assessment?

    No, CVSS scores alone are not sufficient. While they help prioritize, FDA submissions require reasoning that ties vulnerability analysis directly to threat models, hazard analysis, and the potential impact on safety or essential clinical performance.

    What are acceptable mitigations for VxWorks vulnerabilities?

    Preferred mitigation is patching. When not feasible, acceptable compensating controls include disabling vulnerable services, restricting ports, enforcing authenticated access, segmenting networks, hardening configurations, and monitoring for exploits. These must be specific and testable.

    Related: Medical Device Cybersecurity: A Complete Lifecycle Guide

    Contact Blue Goat Cyber for cybersecurity support

    About the author

    Christian Espinosa, CISSP, Founder, Blue Goat Cyber. Christian leads a team focused exclusively on medical device cybersecurity for FDA premarket submissions and postmarket compliance. Read more about Christian.

    Related 524B & eSTAR resources

    Keep going: the 524B and eSTAR working set

    Start with the walkthrough hub, then drill into the statute, the eSTAR field map, SBOM monitoring, postmarket planning, and deficiency response. Use these as the playbook behind every cyber device submission.

    Hub
    FDA Section 524B & eSTAR Cybersecurity Walkthrough

    Start here: the hub that ties the statute, the February 2026 guidance, and the eSTAR fields together in the order a submission team works through them.

    Related services

    Put this into practice on your device

    Every Blue Goat Cyber engagement maps directly to FDA Section 524B and the SPDF - so the evidence you need lands in your submission, not in a separate report.

    Ready when you are

    Get FDA cleared without the cybersecurity headaches.

    30-minute strategy session. No cost, no commitment - just answers from people who've shipped 250+ FDA submissions.