It Was Just Cached Credentials — And It Triggered an FDA Recall

In March 2026, the FDA posted a Class II recall for certain versions of GE HealthCare's Centricity Universal Viewer — the radiology software clinicians use to read diagnostic images. The cause wasn't a remote code execution bug. It wasn't a zero-day. It wasn't an attacker chaining three vulnerabilities across a hospital network.
It was login credentials sitting exposed on a local workstation.
That's it. And it was enough to pull a major imaging product into a federal recall.
If you build connected medical devices, this is the story to internalize this year. The vulnerabilities that get you recalled in 2026 are not the exotic ones. They're the credential-handling basics that teams quietly deprioritize because "you'd need local access to exploit it."
What Actually Happened
Here are the facts, as documented in the FDA recall record and GE HealthCare's own notice:
- The product: Centricity Universal Viewer, a PACS image-viewing application used by radiologists. Affected versions span roughly 5.0 SP6 through 7.0 SP2.0.1.
- The flaw: Service login credentials were exposed on the local client workstation. A user with local access to that workstation could obtain the credentials, access the system, and potentially view patient data, disrupt availability, or manipulate diagnostic images.
- The timeline: GE initiated the correction on January 30, 2026. The FDA posted it as a Class II recall (recall number Z-1569-2026) on March 16, 2026.
- The status: GE reported no known cases of unauthorized access. Exploitation requires local/physical access to the workstation, and customers were instructed to keep operating while a permanent fix is prepared.
Notice what's missing from that description. There's no clever payload. No network-borne attack. The "exploit" is reading credentials that shouldn't have been sitting there in the first place. This is the kind of finding that shows up in the first hour of a penetration test — and the kind a development team can talk itself out of fixing because the threat model "requires physical access."
Why a Local Bug Became a Federal Recall
A year ago, a finding like this might have been triaged as low severity and scheduled for a future release. So what changed?
The FDA's updated post-market cybersecurity guidance went into effect in February 2026, and it explicitly ties cybersecurity to device safety and quality — not to IT hygiene. Under that framework, a credential-exposure flaw in software that displays diagnostic images isn't an inconvenience. It's a pathway to altering the data a radiologist relies on to make a diagnosis. That is a patient-safety issue, full stop, and the regulatory machinery now treats it like one.
A few consequences follow directly from that shift:
- "Requires local access" is no longer a get-out-of-jail card. The FDA's risk framing centers on clinical impact and exploitability, not on whether the attacker is on the network or standing at the keyboard. A workstation in a shared clinical environment is not a trusted enclave.
- Inadequate cybersecurity can render a device misbranded. Cybersecurity documentation and controls now carry the same regulatory weight as the rest of your product content. Getting them wrong is a compliance failure, not just a security one.
- The image is the asset. For an imaging viewer, integrity of the displayed data is the whole point. A vulnerability that allows manipulation of that data attacks the core clinical function — which is precisely why it escalated.
This is the operational meaning of a phrase you'll hear a lot this year: cybersecurity is now a lifecycle discipline. It's evaluated continuously, against clinical impact, by people whose job is patient safety.
This Is on Your Checklist Already
If you've read our common vulnerabilities post, none of this is new. The Centricity recall is a textbook instance of the two findings that top that list:
Default and hardcoded credentials. Service accounts, embedded secrets, and credentials cached where they can be recovered. The single most common finding we report.
Missing or broken authentication. Credentials that grant access without the protections you'd assume are in place — and a trust model that quietly assumes the local environment is safe.
The lesson isn't "patch faster." It's that the unglamorous findings are the ones with regulatory teeth now. The exotic remote exploit makes for a better conference talk, but it's the cached credential, the documented default password, and the service account baked into the binary that show up in recall notices.
What To Do Before This Is You
Audit credential handling everywhere it lives. Not just over the wire — on disk, in memory, in config files, in logs, and on the local workstation. Ask the uncomfortable question: if someone had local access to this machine for five minutes, what could they walk away with? Then assume someone will.
Kill the "trusted local environment" assumption. A clinical workstation sits in a shared, busy, physically accessible space. Design as if local access is a realistic threat, because under the current guidance the FDA already does.
Treat credential and authentication review as a gate, not a backlog item. These are the highest-yield findings in any assessment and the ones most likely to escalate. Review them in the design phase, test for them before submission, and remediate before a regulator (or a researcher) finds them for you.
Map every finding to clinical impact. "Credential exposure" sounds minor in a risk register. "An attacker could alter a diagnostic image" does not. The FDA evaluates the second framing — so should you, internally, when you decide what to fix.
Get your post-market process operationally ready. The February 2026 rules require continuous monitoring, coordinated disclosure, and timely patching, with critical uncontrolled risks addressed on a tight clock. The EU Cyber Resilience Act's reporting obligations begin in September 2026. A finding like Centricity's will land on someone eventually — the question is whether your process can absorb it without becoming a recall.
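As an added example (not code from the original post, nor from GE HealthCare or the Centricity product), the credential audit in the first item and the clinical-impact mapping in the fourth can be made concrete with a small scanner that walks a workstation's config and log files for cached service credentials and reports each hit in clinical terms. The sample paths, file contents and the key-name and placeholder patterns are constructed assumptions; tune them to your product's actual artifacts.

```python
import os
import re

# Config keys that commonly carry a secret in client-side INI/XML/properties files.
SECRET_KEY = re.compile(
    r'(?i)\b(pass(?:word|wd)?|pwd|secret|token|api[_-]?key)\b\s*[=:]\s*["\']?([^\s"\'<;]{4,})')
# HTTP Basic headers copied into client logs expose the service credential just as directly.
BASIC_AUTH = re.compile(r'(?i)authorization:\s*basic\s+[A-Za-z0-9+/=]{8,}')
# Values that are templates or placeholders rather than live secrets.
PLACEHOLDER = re.compile(r'(?i)^(\*+|x+|changeme|<[^>]+>|\$\{[^}]+\}|%[^%]+%)$')
# Findings are reported in clinical terms, the framing the FDA evaluates.
IMPACT = "local user could obtain the service credential and read or alter diagnostic images"

def scan_text(path, text):
    """Return (path, line_no, kind, clinical_impact) tuples for one file's contents."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        m = SECRET_KEY.search(line)
        if m and not PLACEHOLDER.match(m.group(2)):
            findings.append((path, n, "plaintext-secret", IMPACT))
        elif BASIC_AUTH.search(line):
            findings.append((path, n, "basic-auth-in-log", IMPACT))
    return findings

def audit(files):
    """files: mapping of path -> contents (already read). Returns all findings."""
    return [f for path, text in files.items() for f in scan_text(path, text)]

def scan_directory(root, exts=(".ini", ".cfg", ".conf", ".xml", ".properties", ".log")):
    """Walk a workstation directory (e.g. the viewer's data folder) and audit every config/log."""
    files = {}
    for d, _, names in os.walk(root):
        for name in names:
            if name.lower().endswith(exts):
                p = os.path.join(d, name)
                with open(p, encoding="utf-8", errors="ignore") as fh:
                    files[p] = fh.read()
    return audit(files)

# Constructed sample artifacts: hypothetical paths and values, not taken from any real product.
SAMPLE_FILES = {
    "C:/ProgramData/Viewer/client.ini": "[service]\nuser=svc_viewer\npassword=Tr0ub4dor&3\ntimeout=30\n",
    "C:/ProgramData/Viewer/app.properties": "db.password=${DB_PASSWORD}\n",
    "C:/ProgramData/Viewer/viewer.log": "2026-01-30 10:01:02 GET /study Authorization: Basic c3ZjOnNlY3JldA==\n",
}

if __name__ == "__main__":
    for path, line_no, kind, impact in audit(SAMPLE_FILES):
        print(f"{path}:{line_no} {kind}: {impact}")
```

Run `scan_directory()` against a real client install directory during the design-phase gate; the templated `${DB_PASSWORD}` entry is deliberately skipped so the report only contains live secrets worth escalating.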
The companies that come through this era cleanly aren't the ones with the most sophisticated security. They're the ones who took the boring findings seriously before the regulator did.
Ready to secure your device?
Our penetration tests are designed specifically for FDA premarket and post-market requirements.