Medtronic MyCareLink Patient Monitor

Monitor | CVSS 6.8 | ICS-CERT ICSMA-25-205-01 | Jul 24, 2025
Medtronic
Attack path
Attack Vector: Physical
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

Medtronic MyCareLink Patient Monitor models 24950 and 24952 contain vulnerabilities in credential and data handling (CWE-312, CWE-258) and unsafe deserialization (CWE-502). Successful exploitation requires physical possession of the monitor and could allow an attacker to extract sensitive patient data or alter the monitor's functionality. These vulnerabilities are not remotely exploitable. Medtronic is deploying automatic security updates starting June 2025 to address these issues.

What this means
What could happen
An attacker with physical access to the monitor could tamper with it to gain unauthorized access to sensitive patient data or alter the device's functionality, compromising patient care and privacy.
Who's at risk
Patients and healthcare providers using Medtronic MyCareLink Patient Monitor models 24950 and 24952 at home. This affects any patient requiring remote cardiac monitoring or similar home-based medical device supervision where these Medtronic monitors are deployed.
How it could be exploited
An attacker must have physical possession of the monitor. With the device in hand, they can exploit weaknesses in stored credential and data handling (CWE-312, CWE-258) or unsafe deserialization (CWE-502) to extract sensitive information or manipulate monitor behavior. None of these issues can be exploited remotely.
Prerequisites
  • Physical access to the monitor device
  • No authentication or special credentials required once physical access is gained
requires physical access | affects medical device used for patient monitoring | no public exploitation reported | vendor fix available
Exploitability
Unlikely to be exploited — EPSS score 0.0%
Affected products (2)
2 with fix
Product | Affected Versions | Fix Status
MyCareLink Patient Monitor model 24952: vers:all/* | All versions | June 2025 onwards (automatic updates)
MyCareLink Patient Monitor model 24950: vers:all/* | All versions | June 2025 onwards (automatic updates)
Remediation & Mitigation
Do now
HARDENING: Maintain physical possession and security of the home monitor; do not leave unattended or in shared/unsecured locations
HARDENING: Use monitors obtained only from your healthcare provider or authorized Medtronic representatives; do not use monitors from unauthorized vendors or second-hand sources
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Ensure MyCareLink Patient Monitor models 24950 and 24952 are connected to the internet regularly so they receive the automatic security updates released from June 2025 onwards
API: /api/v1/advisories/75315564-9c39-4a3c-b72c-e7ae401db2a7


Medtronic MyCareLink Patient Monitor | CVSS 6.8 - OTPulse