Medtronic MyCareLink Patient Monitor

Monitor6.8ICS-CERT ICSMA-25-205-01Jul 24, 2025

Attack VectorPhysical

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

Medtronic MyCareLink Patient Monitor models 24950 and 24952 contain vulnerabilities in sensitive data protection, credential handling, and data deserialization (CWE-312, CWE-258, CWE-502). Successful exploitation requires physical access to the device and could lead to unauthorized access to patient data or manipulation of monitor functionality. The vulnerabilities were identified as low-risk because exploitation requires direct physical tampering. Medtronic is deploying security updates beginning June 2025; updates are delivered automatically when monitors connect to the internet. No public exploitation has been reported.

What this means

What could happen

An attacker with physical access to the monitor could tamper with it to bypass security controls, access sensitive patient data, or alter the device's functionality—potentially affecting the accuracy of patient monitoring or remote care data transmission.

Who's at risk

Remote patient monitoring programs and home healthcare providers using Medtronic MyCareLink Patient Monitor models 24950 and 24952. This affects any organization delivering remote patient monitoring services or managing patient devices in home care settings, where device tampering could compromise patient data confidentiality or monitoring accuracy.

How it could be exploited

An attacker would need to physically open or manipulate the MyCareLink Patient Monitor to exploit the underlying security weaknesses (unprotected sensitive data storage, weak credential handling, or insecure deserialization). This requires hands-on access to the device itself.

Prerequisites

Physical access to the monitor
Ability to open or disassemble the device
No authentication or special tools explicitly required for physical tampering

Physical tampering requiredNo authentication bypassSensitive patient data at riskLow EPSS (no active exploitation)Patch available (June 2025 onwards)

Exploitability

Low exploit probability (EPSS 0.0%)

Affected products (2)

2 with fix

ProductAffected VersionsFix Status

MyCareLink Patient Monitor model 24952: vers:all/*All versionsJune 2025 onwards (automatic updates)

MyCareLink Patient Monitor model 24950: vers:all/*All versionsJune 2025 onwards (automatic updates)

Remediation & Mitigation

0/4

Do now

0/2

HARDENINGEnsure patient monitors remain in physical possession and are not left unattended in unsecured locations.

HARDENINGObtain monitors only from authorized healthcare providers or Medtronic representatives to reduce risk of tampering during supply chain.

Schedule — requires maintenance window

0/1

Patching may require device reboot — plan for process interruption

HOTFIXDeploy Medtronic security updates when they are released (June 2025 onwards). Ensure monitors are connected to the internet regularly to receive automatic updates.

Long-term hardening

0/1

HARDENINGImplement network segmentation and access controls for home networks where remote patient monitors are connected, following CISA IoT and home network security guidance.

CVEs (3)

CVE-2025-4394 CVE-2025-4395 CVE-2025-4393

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/75315564-9c39-4a3c-b72c-e7ae401db2a7