Description
An issue was discovered in St. Jude Medical Merlin@home, versions prior to Version 8.2.2 (RF models: EX1150; Inductive models: EX1100; and Inductive models: EX1100 with MerlinOnDemand capability). The identities of the endpoints for the communication channel between the transmitter and St. Jude Medical's web site, Merlin.net, are not verified. This may allow a man-in-the-middle attacker to access or influence communications between the identified endpoints.
References (2)
Core 2
Core References
Third Party Advisory, VDB Entry vdb-entry
x_refsource_bid
http://www.securityfocus.com/bid/95331
Mitigation, Third Party Advisory, US Government Resource x_refsource_misc
https://ics-cert.us-cert.gov/advisories/ICSMA-17-009-01A
Scores
CVSS v3
8.9
EPSS
0.0124
EPSS Percentile
65.5%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:H/A:H
Details
CWE
CWE-476
Status
published
Products (2)
abbott/merlin\@home_firmware
< 8.0
n/a/St. Jude Merlin@home Transmitter before 8.2.2
St. Jude Merlin@home Transmitter before 8.2.2
Published
Feb 13, 2017
Tracked Since
Feb 18, 2026