German BfArM Identifies VxWorks Critical Vulnerabilities

Today, the German Federal Institute for Drugs and Medical Devices (BfArM) identified critical vulnerabilities in the Wind River VxWorks real-time operating system.

Affected versions of VxWorks are:

  • VxWorks 6.5 to 6.9 (End-of-Life)
  • VxWorks 7 (SR540 and SR610)
  • VxWorks 653 MCE 3.x (may be affected)

The BfArM pointed out that VxWorks is used in many medical devices.

The BfArM advised: “Medical device manufacturers using this operating system must implement risk mitigation measures based on their updated risk analysis in light of this vulnerability.

If these measures correspond to the definition of a recall in accordance with § 2 No. 3 (a measure to eliminate, reduce or prevent the recurrence of a risk arising from a medical device, which initiates the return, replacement, retrofitting or retrofitting, disposal or destruction of a medical device or provides users, operators or patients with information on the further safe use or operation of medical devices), the measure must be reported to the BfArM on the notification form for Field Safety Corrective Actions published by the BfArM (Forms – medical devices).”

The link to the BfArM (Federal Institute for Drugs and Medical Devices) website is

About the author

Brian Pate helps medical device companies achieve efficient and FDA regulatory compliant product development to produce higher quality and clinically valued software. He began his career in clinical research in 1985 with the Department of Anesthesiology at UAB developing closed-loop control systems for the automated delivery of gases and control. In 1990, he made the switch from university research to the medical device industry designing control systems, communication interfaces, user interface, and other software for real-time embedded systems and clinical information systems, working for medical device companies including Johnson & Johnson, Baxter Healthcare, and GE Medical. Today, he is a Partner and the General Manager of Crisis Prevention and Recovery LLC (dba SoftwareCPR®), a general-purpose regulatory consulting firm that is recognized globally for their expertise with standards and national regulations pertaining to medical device, mobile medical app, and HealthIT software. He has taught the AAMI/FDA course on Software Regulation to FDA Reviewers at FDA and is currently the lead faculty for the public version of that course taught annually along with FDA staff. Brian served on the AAMI/FDA TIR working group that created AAMI TIR32 Guidance on the application of ISO 14971 to Software (later superseded by IEC 80002-1). He later served on the original AAMI/FDA working group that created the AAMI TIR45-2012 TIR Guidance on the use of Agile practices in the development of medical device software and is currently the co-chair leading the creation of the 2nd edition of TIR45. He has served as faculty for all offerings of the AAMI/FDA Compliant Use of Agile Methods public course. Brian also served as an instructor for the AAMI Design Controls course. He is also a member of the Underwriters’ Laboratories Standards Technical Panel 5500, Remote Software Updates. He now serves as a member of the AAMI Software Committee.

Cybersecurity Review

Our cybersecurity experts can quickly remediate cybersecurity deficiencies with your medical device or digital health software. Planning, requirements, validation, and submissions – we can assist with all.

Interested in having a conversation? Email us to arrange a Zoom meeting or call us at +1 781-721-2921.

Corporate Office

15148 Springview St
Tampa, FL 33624
Partners located in the US (CA, FL, MA, MN) and Italy.