Medtronic Micro Clinician and InterStim Apps
Monitor · 6.4 · ICS-CERT ICSMA-23-061-01 · Mar 6, 2023
Attack Vector: Physical
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
The Micro Clinician and InterStim X Clinician applications contain a vulnerability that allows the clinician application's custom password to be reset to default. Successful exploitation results in unauthorized control of the clinician therapy application, potentially allowing an attacker to modify patient therapy settings. The vulnerability is not remotely exploitable and requires physical access to the device. Medtronic released an app update as of February 23, 2023 that fixes this vulnerability.
What this means
What could happen
An attacker with physical access to a clinician application could reset the custom password to default, gaining unauthorized control of therapy settings and potentially altering patient treatment parameters.
Who's at risk
Healthcare facilities using Medtronic Micro Clinician or InterStim X Clinician applications for therapy management and patient monitoring. This affects clinician workstations and devices used by medical staff to configure implantable neurostimulation devices and patient therapies.
How it could be exploited
An attacker must have physical access to the device running the Micro Clinician or InterStim X Clinician application. They exploit a password reset vulnerability to set the application password to a default value, then authenticate as administrator to modify therapy configurations.
Prerequisites
- Physical access to the clinician application device
- No credentials required to trigger the password reset
Tags: no authentication required · affects medical devices and safety systems · physical access required but low complexity to exploit once accessed
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (2)
2 with fix
Product | Affected Versions | Fix Status
Micro Clinician: A51200 | A51200 | February 23, 2023 update or later
InterStim X Clinician: A51300 | A51300 | February 23, 2023 update or later
Remediation & Mitigation
Do now
HARDENING: Restrict physical access to clinician application devices through locked server rooms, cabinet locks, or access control systems
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
HOTFIX: Update Micro Clinician and InterStim X Clinician applications to the patched version released February 23, 2023 or later
HARDENING: Implement device monitoring and audit logging to detect unauthorized access attempts and password changes
CVEs (1)