Medtronic Paceart Optima System
Priority: Act Now
Score: 9.8
Source: ICS-CERT ICSMA-23-180-01
Published: Jun 29, 2023
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
Paceart Optima versions 1.11 and earlier contain an insecure deserialization vulnerability in the Paceart Messaging Service. The vulnerability allows remote code execution when the Messaging Service and Message Queuing are enabled. Successful exploitation could result in arbitrary command execution or denial of service, impacting clinical operations.
What this means
What could happen
An attacker could run arbitrary commands on the Paceart Optima system, potentially altering clinical device settings or stopping device operation at a critical healthcare facility. This could directly compromise patient safety and disrupt medical services.
Who's at risk
Healthcare organizations operating Medtronic Paceart Optima systems (implantable device monitoring and management systems). This includes hospitals and clinical facilities using the Paceart platform for patient device management, data aggregation, and integration with hospital information systems.
How it could be exploited
An attacker with network access to the Paceart Optima Application Server can send a malicious message through the Paceart Messaging Service (which uses message queuing) to trigger insecure deserialization, resulting in remote code execution on the server.
Prerequisites
- Network access to the Paceart Optima Application Server
- Paceart Messaging Service enabled and running
- Message Queuing service enabled on the server
Tags:
- remotely exploitable
- no authentication required
- low complexity
- high EPSS score (25.4%)
- no patch available for versions 1.11 and earlier
- affects patient safety systems
Exploitability
High exploit probability (EPSS 25.4%)
Affected products (1)
Product: Paceart Optima
Affected Versions: ≤ 1.11
Fix Status: fixed in 1.12
Remediation & Mitigation
Do now
- WORKAROUND: Disable the Paceart Messaging Service: stop the service and change its startup type to Disabled in Windows Services
- WORKAROUND: Remove the Message Queuing feature from the Application Server through Server Manager / Remove Roles and Features
- HARDENING: Restrict network access to the Paceart Optima Application Server using firewall rules; do not expose it to the Internet
Schedule — requires maintenance window
Note: patching may require a device reboot; plan for process interruption
- HOTFIX: Update the Paceart Optima system to version 1.12 or later
Long-term hardening
- HARDENING: Isolate the Paceart Optima system from business networks using network segmentation
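A PowerShell check that a Paceart Optima Application Server has the interim workarounds above in place (Messaging Service stopped and Disabled, Message Queuing feature removed, MSMQ listener gone), added here as an illustration; it is not part of the advisory or of Medtronic's guidance. The Windows service name 'PaceartMessagingService' is an assumption (take the real name from services.msc), and the feature name 'MSMQ' is the standard Windows Server name for Message Queuing.

```powershell
# Added audit/remediation helper (not from the advisory). Run as Administrator
# on the Paceart Optima Application Server. Default is audit only; -Remediate
# applies the two WORKAROUND steps. Removing the MSMQ feature may need a reboot.
param(
    [string]$MessagingServiceName = 'PaceartMessagingService',  # ASSUMED name
    [switch]$Remediate
)

$findings = @()

# 1. Paceart Messaging Service: expected Stopped with startup type Disabled.
$svc = Get-Service -Name $MessagingServiceName -ErrorAction SilentlyContinue
if ($null -eq $svc) {
    $findings += "Service '$MessagingServiceName' not found; verify the service name."
}
elseif ($svc.Status -ne 'Stopped' -or $svc.StartType -ne 'Disabled') {
    $findings += "Messaging Service is $($svc.Status)/$($svc.StartType); expected Stopped/Disabled."
    if ($Remediate) {
        Stop-Service -Name $MessagingServiceName -Force
        Set-Service  -Name $MessagingServiceName -StartupType Disabled
    }
}

# 2. Message Queuing (MSMQ) Windows feature: expected not installed.
#    Get-WindowsFeature comes from the ServerManager module on Windows Server.
$msmq = Get-WindowsFeature -Name MSMQ -ErrorAction SilentlyContinue
if ($msmq -and $msmq.Installed) {
    $findings += "Message Queuing (MSMQ) feature is installed."
    if ($Remediate) {
        $result = Uninstall-WindowsFeature -Name MSMQ -IncludeManagementTools
        if ($result.RestartNeeded -eq 'Yes') {
            $findings += "MSMQ removed; a reboot is required to complete removal."
        }
    }
}

# 3. Nothing should still be listening on TCP 1801, the MSMQ port.
$listener = Get-NetTCPConnection -LocalPort 1801 -State Listen -ErrorAction SilentlyContinue
if ($listener) {
    $findings += "A process is still listening on TCP 1801 (MSMQ)."
}

if ($findings.Count -eq 0) {
    Write-Output 'OK: interim workarounds are in place.'
}
else {
    $findings | ForEach-Object { Write-Output "FINDING: $_" }
}
```

Re-run without -Remediate after any reboot to confirm the findings list is empty before relying on the workaround in place of the 1.12 update.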
CVEs (1)