Vulnerabilites related to medtronic - 24952_mycarelink_monitor
CVE-2018-8870 (GCVE-0-2018-8870)
Vulnerability from cvelistv5
Published
2018-07-02 18:00
Modified
2025-05-22 18:10
Severity ?
VLAI Severity ?
EPSS score ?
CWE
Summary
Medtronic 24950 MyCareLink Monitor and 24952 MyCareLink Monitor contains a hard-coded operating system password. An attacker with physical access can remove the case of the device, connect to the debug port, and use the password to gain privileged access to the operating system.
References
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| ► | Medtronic | 24950 MyCareLink Monitor |
Version: All versions |
||||||
|
|||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T07:10:47.291Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://ics-cert.us-cert.gov/advisories/ICSMA-18-179-01"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "24950 MyCareLink Monitor",
"vendor": "Medtronic",
"versions": [
{
"status": "affected",
"version": "All versions"
}
]
},
{
"defaultStatus": "unaffected",
"product": "24952 MyCareLink Monitor",
"vendor": "Medtronic",
"versions": [
{
"status": "affected",
"version": "All versions"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Peter Morgan of Clever Security reported this vulnerability"
}
],
"datePublic": "2018-06-29T06:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eMedtronic 24950 MyCareLink Monitor and 24952 MyCareLink Monitor contains a hard-coded operating system password. An attacker with physical access can remove the case of the device, connect to the debug port, and use the password to gain privileged access to the operating system.\u003c/p\u003e"
}
],
"value": "Medtronic 24950 MyCareLink Monitor and 24952 MyCareLink Monitor contains a hard-coded operating system password. An attacker with physical access can remove the case of the device, connect to the debug port, and use the password to gain privileged access to the operating system."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "PHYSICAL",
"availabilityImpact": "HIGH",
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-259",
"description": "CWE-259",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-22T18:10:03.426Z",
"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"shortName": "icscert"
},
"references": [
{
"url": "https://global.medtronic.com/xg-en/product-security/security-bulletins/mycarelink-6-28-18.html"
},
{
"url": "https://ics-cert.us-cert.gov/advisories/ICSMA-18-179-01"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cdiv\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eMedtronic will release several rolling over-the-air product updates that will mitigate the vulnerabilities described within this advisory. These updates will be applied to devices automatically as part of standard, reoccurring update processes. In addition, Medtronic has increased security monitoring of affected devices and related infrastructure. \u003c/span\u003e\n\n\u003c/div\u003e\n\n\u003cp\u003eMedtronic has released additional patient focused information, at the following location:\u003c/p\u003e\u003cp\u003e\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.medtronic.com/security\"\u003ehttps://www.medtronic.com/security\u003c/a\u003e\u003c/p\u003e\n\n\u003cbr\u003e"
}
],
"value": "Medtronic will release several rolling over-the-air product updates that will mitigate the vulnerabilities described within this advisory. These updates will be applied to devices automatically as part of standard, reoccurring update processes. In addition, Medtronic has increased security monitoring of affected devices and related infrastructure. \n\n\n\n\n\nMedtronic has released additional patient focused information, at the following location:\n\n https://www.medtronic.com/security"
}
],
"source": {
"advisory": "ICSMA-18-179-01",
"discovery": "EXTERNAL"
},
"title": "Medtronic MyCareLink Patient Monitor Use of Hard-coded Password",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eMedtronic recommends users take additional defensive measures to minimize the risk of exploitation of these vulnerabilities. Specifically, users should:\u003c/p\u003e\u003cul\u003e\u003cli\u003eMaintain good physical controls over the home monitor as the best mitigation to these vulnerabilities. \u0026nbsp;\u003c/li\u003e\u003cli\u003eOnly use home monitors obtained directly from their healthcare provider or a Medtronic representative to ensure integrity of the system. \u003c/li\u003e\u003cli\u003eReport any concerning behavior regarding their home monitor to their healthcare provider or a Medtronic representative. \u003c/li\u003e\u003c/ul\u003e\u003cp\u003eMedtronic has released additional patient focused information, at the following location:\u003c/p\u003e\u003cp\u003e\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.medtronic.com/security\"\u003ehttps://www.medtronic.com/security\u003c/a\u003e\u003c/p\u003e\n\n\u003cbr\u003e"
}
],
"value": "Medtronic recommends users take additional defensive measures to minimize the risk of exploitation of these vulnerabilities. Specifically, users should:\n\n * Maintain good physical controls over the home monitor as the best mitigation to these vulnerabilities. \u00a0\n * Only use home monitors obtained directly from their healthcare provider or a Medtronic representative to ensure integrity of the system. \n * Report any concerning behavior regarding their home monitor to their healthcare provider or a Medtronic representative. \n\n\nMedtronic has released additional patient focused information, at the following location:\n\n https://www.medtronic.com/security"
}
],
"x_generator": {
"engine": "Vulnogram 0.2.0"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "ics-cert@hq.dhs.gov",
"DATE_PUBLIC": "2018-06-29T00:00:00",
"ID": "CVE-2018-8870",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Medtronic MyCareLink Patient Monitor",
"version": {
"version_data": [
{
"version_value": "24950 MyCareLink Monitor, all versions, 24952 MyCareLink Monitor, all versions."
}
]
}
}
]
},
"vendor_name": "ICS-CERT"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Medtronic MyCareLink Patient Monitor, 24950 MyCareLink Monitor, all versions, and 24952 MyCareLink Monitor, all versions contains a hard-coded operating system password. An attacker with physical access can remove the case of the device, connect to the debug port, and use the password to gain privileged access to the operating system."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "USE OF HARD-CODED PASSWORD CWE-259"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://ics-cert.us-cert.gov/advisories/ICSMA-18-179-01",
"refsource": "MISC",
"url": "https://ics-cert.us-cert.gov/advisories/ICSMA-18-179-01"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"assignerShortName": "icscert",
"cveId": "CVE-2018-8870",
"datePublished": "2018-07-02T18:00:00Z",
"dateReserved": "2018-03-20T00:00:00",
"dateUpdated": "2025-05-22T18:10:03.426Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2018-8868 (GCVE-0-2018-8868)
Vulnerability from cvelistv5
Published
2018-07-02 18:00
Modified
2025-05-22 18:14
Severity ?
VLAI Severity ?
EPSS score ?
CWE
Summary
Medtronic 24950 MyCareLink Monitor and 24952 MyCareLink Monitor contains debug code meant to test the functionality of the monitor's communication interfaces, including the interface between the monitor and implantable cardiac device. An attacker with physical access to the device can exploit other vulnerabilities to access this debug functionality. This debug functionality provides the ability to read and write arbitrary memory values to implantable cardiac devices via inductive or short range wireless protocols. An attacker with close physical proximity to a target implantable cardiac device can use this debug functionality.
References
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| ► | Medtronic | 24950 MyCareLink Monitor |
Version: All versions |
||||||
|
|||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T07:10:46.236Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://ics-cert.us-cert.gov/advisories/ICSMA-18-179-01"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "24950 MyCareLink Monitor",
"vendor": "Medtronic",
"versions": [
{
"status": "affected",
"version": "All versions"
}
]
},
{
"defaultStatus": "unaffected",
"product": "24952 MyCareLink Monitor",
"vendor": "Medtronic",
"versions": [
{
"status": "affected",
"version": "All versions"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Peter Morgan of Clever Security reported this vulnerability"
}
],
"datePublic": "2018-06-29T06:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003e\nMedtronic 24950 MyCareLink Monitor and 24952 MyCareLink Monitor contains debug code meant to test the functionality of the monitor\u0027s communication interfaces, including the interface between the monitor and implantable cardiac device. An attacker with physical access to the device can exploit other vulnerabilities to access this debug functionality. This debug functionality provides the ability to read and write arbitrary memory values to implantable cardiac devices via inductive or short range wireless protocols. An attacker with close physical proximity to a target implantable cardiac device can use this debug functionality.\n\n\u003c/p\u003e"
}
],
"value": "Medtronic 24950 MyCareLink Monitor and 24952 MyCareLink Monitor contains debug code meant to test the functionality of the monitor\u0027s communication interfaces, including the interface between the monitor and implantable cardiac device. An attacker with physical access to the device can exploit other vulnerabilities to access this debug functionality. This debug functionality provides the ability to read and write arbitrary memory values to implantable cardiac devices via inductive or short range wireless protocols. An attacker with close physical proximity to a target implantable cardiac device can use this debug functionality."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "PHYSICAL",
"availabilityImpact": "LOW",
"baseScore": 6.2,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:P/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-749",
"description": "CWE-749",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-22T18:14:07.710Z",
"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"shortName": "icscert"
},
"references": [
{
"url": "https://global.medtronic.com/xg-en/product-security/security-bulletins/mycarelink-6-28-18.html"
},
{
"url": "https://ics-cert.us-cert.gov/advisories/ICSMA-18-179-01"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cdiv\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eMedtronic will release several rolling over-the-air product updates that will mitigate the vulnerabilities described within this advisory. These updates will be applied to devices automatically as part of standard, reoccurring update processes. In addition, Medtronic has increased security monitoring of affected devices and related infrastructure. \u003c/span\u003e\n\n\u003c/div\u003e\n\n\u003cp\u003eMedtronic has released additional patient focused information, at the following location:\u003c/p\u003e\u003cp\u003e\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.medtronic.com/security\"\u003ehttps://www.medtronic.com/security\u003c/a\u003e\u003c/p\u003e\n\n\u003cbr\u003e"
}
],
"value": "Medtronic will release several rolling over-the-air product updates that will mitigate the vulnerabilities described within this advisory. These updates will be applied to devices automatically as part of standard, reoccurring update processes. In addition, Medtronic has increased security monitoring of affected devices and related infrastructure. \n\n\n\n\n\nMedtronic has released additional patient focused information, at the following location:\n\n https://www.medtronic.com/security"
}
],
"source": {
"advisory": "ICSMA-18-179-01",
"discovery": "EXTERNAL"
},
"title": "Medtronic MyCareLink Patient Monitor Exposed Dangerous Method or Function",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eMedtronic recommends users take additional defensive measures to minimize the risk of exploitation of these vulnerabilities. Specifically, users should:\u003c/p\u003e\u003cul\u003e\u003cli\u003eMaintain good physical controls over the home monitor as the best mitigation to these vulnerabilities. \u0026nbsp;\u003c/li\u003e\u003cli\u003eOnly use home monitors obtained directly from their healthcare provider or a Medtronic representative to ensure integrity of the system. \u003c/li\u003e\u003cli\u003eReport any concerning behavior regarding their home monitor to their healthcare provider or a Medtronic representative. \u003c/li\u003e\u003c/ul\u003e\u003cp\u003eMedtronic has released additional patient focused information, at the following location:\u003c/p\u003e\u003cp\u003e\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.medtronic.com/security\"\u003ehttps://www.medtronic.com/security\u003c/a\u003e\u003c/p\u003e\n\n\u003cbr\u003e"
}
],
"value": "Medtronic recommends users take additional defensive measures to minimize the risk of exploitation of these vulnerabilities. Specifically, users should:\n\n * Maintain good physical controls over the home monitor as the best mitigation to these vulnerabilities. \u00a0\n * Only use home monitors obtained directly from their healthcare provider or a Medtronic representative to ensure integrity of the system. \n * Report any concerning behavior regarding their home monitor to their healthcare provider or a Medtronic representative. \n\n\nMedtronic has released additional patient focused information, at the following location:\n\n https://www.medtronic.com/security"
}
],
"x_generator": {
"engine": "Vulnogram 0.2.0"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "ics-cert@hq.dhs.gov",
"DATE_PUBLIC": "2018-06-29T00:00:00",
"ID": "CVE-2018-8870",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Medtronic MyCareLink Patient Monitor",
"version": {
"version_data": [
{
"version_value": "24950 MyCareLink Monitor, all versions, 24952 MyCareLink Monitor, all versions."
}
]
}
}
]
},
"vendor_name": "ICS-CERT"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Medtronic MyCareLink Patient Monitor, 24950 MyCareLink Monitor, all versions, and 24952 MyCareLink Monitor, all versions contains a hard-coded operating system password. An attacker with physical access can remove the case of the device, connect to the debug port, and use the password to gain privileged access to the operating system."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "USE OF HARD-CODED PASSWORD CWE-259"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://ics-cert.us-cert.gov/advisories/ICSMA-18-179-01",
"refsource": "MISC",
"url": "https://ics-cert.us-cert.gov/advisories/ICSMA-18-179-01"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"assignerShortName": "icscert",
"cveId": "CVE-2018-8868",
"datePublished": "2018-07-02T18:00:00Z",
"dateReserved": "2018-03-20T00:00:00",
"dateUpdated": "2025-05-22T18:14:07.710Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
Vulnerability from fkie_nvd
Published
2018-07-03 01:29
Modified
2025-05-22 19:15
Severity ?
Summary
Medtronic 24950 MyCareLink Monitor and 24952 MyCareLink Monitor contains debug code meant to test the functionality of the monitor's communication interfaces, including the interface between the monitor and implantable cardiac device. An attacker with physical access to the device can exploit other vulnerabilities to access this debug functionality. This debug functionality provides the ability to read and write arbitrary memory values to implantable cardiac devices via inductive or short range wireless protocols. An attacker with close physical proximity to a target implantable cardiac device can use this debug functionality.
References
| ▶ | URL | Tags | |
|---|---|---|---|
| ics-cert@hq.dhs.gov | https://global.medtronic.com/xg-en/product-security/security-bulletins/mycarelink-6-28-18.html | ||
| ics-cert@hq.dhs.gov | https://ics-cert.us-cert.gov/advisories/ICSMA-18-179-01 | Third Party Advisory, US Government Resource | |
| af854a3a-2127-422b-91ae-364da2661108 | https://ics-cert.us-cert.gov/advisories/ICSMA-18-179-01 | Third Party Advisory, US Government Resource |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| medtronic | 24950_mycarelink_monitor_firmware | - | |
| medtronic | 24950_mycarelink_monitor | - | |
| medtronic | 24952_mycarelink_monitor_firmware | - | |
| medtronic | 24952_mycarelink_monitor | - |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:medtronic:24950_mycarelink_monitor_firmware:-:*:*:*:*:*:*:*",
"matchCriteriaId": "778EB98D-C77A-4C81-B7AD-848C335B850D",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:medtronic:24950_mycarelink_monitor:-:*:*:*:*:*:*:*",
"matchCriteriaId": "D8F046CD-32D6-44D1-AB08-D81B3942CB78",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:medtronic:24952_mycarelink_monitor_firmware:-:*:*:*:*:*:*:*",
"matchCriteriaId": "2C9FE79C-C221-4E6B-A687-74A5D7A85EFA",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:medtronic:24952_mycarelink_monitor:-:*:*:*:*:*:*:*",
"matchCriteriaId": "F2B146EC-2D18-430C-81B5-6F7D4328BB91",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Medtronic 24950 MyCareLink Monitor and 24952 MyCareLink Monitor contains debug code meant to test the functionality of the monitor\u0027s communication interfaces, including the interface between the monitor and implantable cardiac device. An attacker with physical access to the device can exploit other vulnerabilities to access this debug functionality. This debug functionality provides the ability to read and write arbitrary memory values to implantable cardiac devices via inductive or short range wireless protocols. An attacker with close physical proximity to a target implantable cardiac device can use this debug functionality."
},
{
"lang": "es",
"value": "Medtronic MyCareLink Patient Monitor, 24950 MyCareLink Monitor en todas sus versiones y 24952 MyCareLink Monitor en todas sus versiones, contienen c\u00f3digo de depuraci\u00f3n destinado a probar la funcionalidad de las interfaces de comunicaci\u00f3n del monitor, incluida la interfaz entre el monitor y el dispositivo card\u00edaco implantable. Un atacante con acceso f\u00edsico al dispositivo puede aplicar las otras vulnerabilidades dentro de este advisory para acceder a esta funcionalidad de depuraci\u00f3n. Esta funcionalidad de depuraci\u00f3n proporciona la capacidad de leer y escribir valores de memoria arbitrarios en dispositivos card\u00edacos implantables mediante protocolos inal\u00e1mbricos inductivos o de corto alcance. Un atacante con proximidad f\u00edsica cercana a un dispositivo card\u00edaco implantable objetivo puede utilizar esta funcionalidad de depuraci\u00f3n."
}
],
"id": "CVE-2018-8868",
"lastModified": "2025-05-22T19:15:22.013",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "LOCAL",
"authentication": "NONE",
"availabilityImpact": "COMPLETE",
"baseScore": 6.9,
"confidentialityImpact": "COMPLETE",
"integrityImpact": "COMPLETE",
"vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
"version": "2.0"
},
"exploitabilityScore": 3.4,
"impactScore": 10.0,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "PHYSICAL",
"availabilityImpact": "HIGH",
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"exploitabilityScore": 0.5,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "PHYSICAL",
"availabilityImpact": "LOW",
"baseScore": 6.2,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:P/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:L",
"version": "3.1"
},
"exploitabilityScore": 0.4,
"impactScore": 5.3,
"source": "ics-cert@hq.dhs.gov",
"type": "Secondary"
}
]
},
"published": "2018-07-03T01:29:01.877",
"references": [
{
"source": "ics-cert@hq.dhs.gov",
"url": "https://global.medtronic.com/xg-en/product-security/security-bulletins/mycarelink-6-28-18.html"
},
{
"source": "ics-cert@hq.dhs.gov",
"tags": [
"Third Party Advisory",
"US Government Resource"
],
"url": "https://ics-cert.us-cert.gov/advisories/ICSMA-18-179-01"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory",
"US Government Resource"
],
"url": "https://ics-cert.us-cert.gov/advisories/ICSMA-18-179-01"
}
],
"sourceIdentifier": "ics-cert@hq.dhs.gov",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-749"
}
],
"source": "ics-cert@hq.dhs.gov",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-noinfo"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2018-07-03 01:29
Modified
2025-05-22 19:15
Severity ?
Summary
Medtronic 24950 MyCareLink Monitor and 24952 MyCareLink Monitor contains a hard-coded operating system password. An attacker with physical access can remove the case of the device, connect to the debug port, and use the password to gain privileged access to the operating system.
References
| ▶ | URL | Tags | |
|---|---|---|---|
| ics-cert@hq.dhs.gov | https://global.medtronic.com/xg-en/product-security/security-bulletins/mycarelink-6-28-18.html | ||
| ics-cert@hq.dhs.gov | https://ics-cert.us-cert.gov/advisories/ICSMA-18-179-01 | Third Party Advisory, US Government Resource | |
| af854a3a-2127-422b-91ae-364da2661108 | https://ics-cert.us-cert.gov/advisories/ICSMA-18-179-01 | Third Party Advisory, US Government Resource |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| medtronic | 24950_mycarelink_monitor_firmware | - | |
| medtronic | 24950_mycarelink_monitor | - | |
| medtronic | 24952_mycarelink_monitor_firmware | - | |
| medtronic | 24952_mycarelink_monitor | - |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:medtronic:24950_mycarelink_monitor_firmware:-:*:*:*:*:*:*:*",
"matchCriteriaId": "778EB98D-C77A-4C81-B7AD-848C335B850D",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:medtronic:24950_mycarelink_monitor:-:*:*:*:*:*:*:*",
"matchCriteriaId": "D8F046CD-32D6-44D1-AB08-D81B3942CB78",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:medtronic:24952_mycarelink_monitor_firmware:-:*:*:*:*:*:*:*",
"matchCriteriaId": "2C9FE79C-C221-4E6B-A687-74A5D7A85EFA",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:medtronic:24952_mycarelink_monitor:-:*:*:*:*:*:*:*",
"matchCriteriaId": "F2B146EC-2D18-430C-81B5-6F7D4328BB91",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Medtronic 24950 MyCareLink Monitor and 24952 MyCareLink Monitor contains a hard-coded operating system password. An attacker with physical access can remove the case of the device, connect to the debug port, and use the password to gain privileged access to the operating system."
},
{
"lang": "es",
"value": "Medtronic MyCareLink Patient Monitor, 24950 MyCareLink Monitor en todas sus versiones y 24952 MyCareLink Monitor en todas su versiones, contienen una contrase\u00f1a de sistema operativo embebida. Un atacante con acceso f\u00edsico puede retirar la carcasa del dispositivo, conectarse al puerto de depuraci\u00f3n y usar la contrase\u00f1a para obtener acceso privilegiado al sistema operativo."
}
],
"id": "CVE-2018-8870",
"lastModified": "2025-05-22T19:15:22.237",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": true,
"baseSeverity": "HIGH",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "LOCAL",
"authentication": "NONE",
"availabilityImpact": "COMPLETE",
"baseScore": 7.2,
"confidentialityImpact": "COMPLETE",
"integrityImpact": "COMPLETE",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"version": "2.0"
},
"exploitabilityScore": 3.9,
"impactScore": 10.0,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "PHYSICAL",
"availabilityImpact": "HIGH",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"exploitabilityScore": 0.9,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "PHYSICAL",
"availabilityImpact": "HIGH",
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 0.5,
"impactScore": 5.9,
"source": "ics-cert@hq.dhs.gov",
"type": "Secondary"
}
]
},
"published": "2018-07-03T01:29:01.940",
"references": [
{
"source": "ics-cert@hq.dhs.gov",
"url": "https://global.medtronic.com/xg-en/product-security/security-bulletins/mycarelink-6-28-18.html"
},
{
"source": "ics-cert@hq.dhs.gov",
"tags": [
"Third Party Advisory",
"US Government Resource"
],
"url": "https://ics-cert.us-cert.gov/advisories/ICSMA-18-179-01"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory",
"US Government Resource"
],
"url": "https://ics-cert.us-cert.gov/advisories/ICSMA-18-179-01"
}
],
"sourceIdentifier": "ics-cert@hq.dhs.gov",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-259"
}
],
"source": "ics-cert@hq.dhs.gov",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-798"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}