CVE-2018-10622
5.2
CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N
Summary
Medtronic MyCareLink Patient Monitor uses per-product credentials that are stored in a recoverable format. An attacker can use these credentials for network authentication.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Medtronic | 24950 MyCareLink Monitor | 0 < February 25, 2026 | affected |
| Medtronic | 24952 MyCareLink Monitor | 0 < February 25, 2026 | affected |
Weaknesses
- CWE-313: CWE-313
Workarounds
Medtronic recommends users take additional defensive measures to minimize the risk of exploitation. Specifically, users should:
- Maintain good physical control over the home monitor.
- Only use home monitors obtained directly from their healthcare provider or a Medtronic representative to ensure integrity of the system. Medtronic has released additional patient focused information, at the following location:
https://www.medtronic.com/security Users should follow CISA's guidance in the following areas:
Securing the Internet of Things https://www.cisa.gov/news-events/news/securing-internet-things-iot
Home Network Security https://www.cisa.gov/news-events/news/home-network-security
ADP Enrichment
CVE Program Container
Additional References
References
- https://global.medtronic.com/xg-en/product-security/security-bulletins/mycarelink-8-7-18.html
- https://www.cisa.gov/news-events/ics-medical-advisories/icsma-18-219-01
- http://www.securityfocus.com/bid/105042
- https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2018/icsma-18-219-01.json
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.