Description
Medtronic MyCareLink Patient Monitor’s update service does not sufficiently verify the authenticity of the data uploaded. An attacker who obtains per-product credentials from the monitor and paired implantable cardiac device information can potentially upload invalid data to the Medtronic CareLink network.
References (5)
Core 5
Core References
Third Party Advisory, US Government Resource x_refsource_misc
https://ics-cert.us-cert.gov/advisories/ICSMA-18-219-01
Various Sources
https://global.medtronic.com/xg-en/product-security/security-bulletins/mycarelink-8-7-18.html
Third Party Advisory, VDB Entry vdb-entry
http://www.securityfocus.com/bid/105042
Scores
CVSS v3
4.4
EPSS
0.0036
EPSS Percentile
27.8%
Attack Vector
ADJACENT_NETWORK
CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:N
Details
CWE
CWE-345
Status
published
Products (4)
Medtronic/24950 MyCareLink Monitor
All versions
Medtronic/24952 MyCareLink Monitor
All versions
medtronic/mycarelink_24950_patient_monitor_firmware
medtronic/mycarelink_24952_patient_monitor_firmware
Published
Aug 10, 2018
Tracked Since
Feb 18, 2026