CVE-2019-6540
MEDIUMMedtronic Mycarelink Monitor 24950 Firmware - Cleartext Transmission
Title source: ruleDescription
The Conexus telemetry protocol utilized within Medtronic MyCareLink Monitor versions 24950 and 24952, CareLink Monitor version 2490C, CareLink 2090 Programmer, Amplia CRT-D, Claria CRT-D, Compia CRT-D, Concerto CRT-D, Concerto II CRT-D, Consulta CRT-D, Evera ICD, Maximo II CRT-D and ICD, Mirro ICD, Nayamed ND ICD, Primo ICD, Protecta ICD and CRT-D, Secura ICD, Virtuoso ICD, Virtuoso II ICD, Visia AF ICD, and Viva CRT-D does not implement encryption. An attacker with adjacent short-range access to a target product can listen to communications, including the transmission of sensitive data.
References (2)
Core 2
Core References
Third Party Advisory, US Government Resource x_refsource_misc
https://ics-cert.us-cert.gov/advisories/ICSMA-19-080-01
Broken Link vdb-entry
x_refsource_bid
http://www.securityfocus.com/bid/107544
Scores
CVSS v3
6.5
EPSS
0.0019
EPSS Percentile
9.3%
Attack Vector
ADJACENT_NETWORK
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Details
CWE
CWE-319
Status
published
Products (23)
medtronic/amplia_crt-d_firmware
medtronic/carelink_2090_firmware
medtronic/carelink_monitor_2490c_firmware
medtronic/claria_crt-d_firmware
medtronic/compia_crt-d_firmware
medtronic/concerto_crt-d_firmware
medtronic/concerto_ii_crt-d_firmware
medtronic/consulta_crt-d_firmware
medtronic/evera_icd_firmware
medtronic/maximo_ii_crt-d_firmware
... and 13 more
Published
Mar 26, 2019
Tracked Since
Feb 18, 2026