CVE-2017-5149

HIGH

St. Jude Medical Merlin@home <8.2.2 - SSRF

Title source: llm
STIX 2.1

Description

An issue was discovered in St. Jude Medical Merlin@home, versions prior to Version 8.2.2 (RF models: EX1150; Inductive models: EX1100; and Inductive models: EX1100 with MerlinOnDemand capability). The identities of the endpoints for the communication channel between the transmitter and St. Jude Medical's web site, Merlin.net, are not verified. This may allow a man-in-the-middle attacker to access or influence communications between the identified endpoints.

References (2)

Core 2
Core References
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/95331
Mitigation, Third Party Advisory, US Government Resource x_refsource_misc
https://ics-cert.us-cert.gov/advisories/ICSMA-17-009-01A

Scores

CVSS v3 8.9
EPSS 0.0124
EPSS Percentile 65.5%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:H/A:H

Details

CWE
CWE-476
Status published
Products (2)
abbott/merlin\@home_firmware < 8.0
n/a/St. Jude Merlin@home Transmitter before 8.2.2 St. Jude Merlin@home Transmitter before 8.2.2
Published Feb 13, 2017
Tracked Since Feb 18, 2026