OTPulse

Medtronic Valleylab FT10 and FX8

Priority: Act Now
CVSS: 9.8
ICS-CERT advisory: ICSMA-19-311-02
Published: Nov 7, 2019
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

Medtronic Valleylab FT10 and FX8 Energy Platforms and Exchange Client contain multiple vulnerabilities (hardcoded credentials, weak cryptography, insufficient input validation) that allow remote code execution and file overwrite. By default, network connections are disabled and the Ethernet port is disabled upon reboot; however, network connectivity is often enabled in practice. Successful exploitation results in non-root shell access on the affected devices. Medtronic has released patches for the FT10 platform and will release patches for the FX8 platform in early 2020. Until patches are applied, Medtronic recommends disconnecting devices from IP networks or segregating them so they are not accessible from untrusted networks.

What this means
What could happen
An attacker with network access to these surgical energy platforms could execute arbitrary commands with shell access, potentially altering device functionality or disabling critical surgical equipment during procedures.
Who's at risk
This affects surgical facilities using Medtronic Valleylab FT10 and FX8 energy platforms in operating rooms. Healthcare IT managers and biomedical engineers responsible for OR equipment and network connectivity should prioritize this vulnerability, as compromise could disrupt surgical procedures.
How it could be exploited
An attacker on the same network (or on the Internet, if network boundaries are misconfigured) sends a crafted request that exploits one of the hardcoded-credential or authentication-bypass vulnerabilities. This yields remote code execution and a non-root shell on the affected device, allowing the attacker to modify device behavior or logs.
Prerequisites
  • Network access to the affected device on its default ports (Ethernet port must be enabled—disabled by default but often enabled in practice)
  • No valid credentials required (vulnerabilities involve hardcoded secrets or missing input validation)
Key factors
  • Remotely exploitable
  • No authentication required
  • Low complexity attack
  • High EPSS score (10.3%)
  • No patch available at time of advisory for FX8 and Exchange Client
  • Affects critical surgical equipment
Exploitability
High exploit probability (EPSS 10.3%)
Affected products (3)
1 with fix, 2 EOL
Product | Affected Versions | Fix Status
Valleylab FX8 Energy Platform (VLFX8GEN) software | ≤ 1.0.0 | No fix (EOL)
Valleylab FT10 Energy Platform (VLFT10GEN) software | ≤ 4.0.0 | above 4.0.0
Valleylab Exchange Client | ≤ 3.4 | No fix (EOL)
Remediation & Mitigation
Do now
WORKAROUND: Until patches are applied, disconnect affected Valleylab devices from IP networks or segregate them behind a firewall that blocks all untrusted traffic
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Apply Medtronic software patch for FT10 platform (available now) and FX8 platform (available early 2020)
HARDENING: Disable Ethernet port on all affected devices if not required for clinical operations
Mitigations - no patch available
The following products have reached End of Life with no planned fix: Valleylab FX8 Energy Platform (VLFX8GEN) software and Valleylab Exchange Client. Apply the following compensating controls:
HARDENING: Implement network segmentation to isolate surgical suites and ensure Valleylab devices are not reachable from the Internet or untrusted internal networks