
Medtronic MyCareLink Patient Monitor CVE-2025-4397

EUVD-2025-209728 | MEDIUM
Cleartext Storage in a File or on Disk (CWE-313)
2026-05-07 | Medtronic | GHSA-f8v9-5h44-4grj
CVSS 3.1 base score: 6.8

CVSS Vector (NVD)

CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector: Physical
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

CVE Published: May 07, 2026 - 15:03 (nvd)
Analysis Generated: May 07, 2026 - 16:00 (vuln.today)

Description (NVD)

Medtronic MyCareLink Patient Monitor uses per-product credentials that are stored in a recoverable format. An attacker can use these credentials to modify encrypted drive data.

Analysis (AI)

Medtronic MyCareLink Patient Monitor stores per-product credentials in a recoverable format. The NVD description does not say whether that means plaintext, obfuscation, or encryption under a key that is itself on the device; what it does establish is that an attacker who recovers the credentials can use them to modify data on the monitor's encrypted drive. The CVSS vector rates the attack as requiring physical access (AV:P) but no privileges (PR:N) and no user interaction (UI:N), so the barrier is proximity to the unit rather than authentication, and the impact on confidentiality, integrity, and availability of the drive contents is rated high. The affected CPEs name the 24950 and 24952 models. If "per-product" means, as the wording suggests, a credential shared by all units of the same model rather than one unique to each device, a secret recovered from one unit should be assumed to apply to every other unit of that model.

Technical Context (AI)

The weakness is CWE-313 (Cleartext Storage in a File or on Disk): a credential the device needs to access its encrypted drive is stored in a form that an attacker with the hardware can read back, rather than in hardware-bound key storage that only the device itself can use. The public description does not disclose the storage format, the cipher, or how the drive key relates to the per-product credential, so claims about plaintext versus a hardcoded wrapping key are speculation. Two points do follow from what is disclosed. First, a credential the device must use at runtime cannot be protected by hashing, since a hash would be useless to the device as well; the appropriate control is a device-unique secret held in a secure element or TPM, so that material dumped from one unit does not yield the key for another unit. Second, encrypted-at-rest data is only as strong as the protection of its key: once the credential is recovered, confidentiality and integrity of the drive contents fall together, however sound the drive encryption itself is, because the attacker can decrypt and re-encrypt with the legitimate key. The affected CPEs (cpe:2.3:a:medtronic:mycarelink_patient_monitor_24950:*:*:*:*:*:*:*:* and cpe:2.3:a:medtronic:mycarelink_patient_monitor_24952:*:*:*:*:*:*:*:*) identify the two models; the wildcard in the version field means the CPE does not narrow the affected firmware versions, so the Medtronic bulletin is the authority on which versions are affected.
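
To make the design point concrete, the following Python example, added here and not code from Medtronic or from the MyCareLink product, contrasts the two storage models. Everything in it is constructed: the product identifier, the sample secret, the firmware image layout, and the HMAC-based toy cipher that stands in for a real AEAD such as AES-GCM (it uses only the standard library so it runs offline). In the weak design, one secret per product line is embedded in the firmware image in a recoverable form, so dumping one unit is enough to read and rewrite any unit's drive, and authenticated encryption does not help because the attacker holds the legitimate key. In the hardened design, the drive key is derived from a device-unique secret that a simulated key store can use but never exports, so one unit's material does not open another's, and the authentication tag rejects modifications made without the key.

```python
"""Added example (not Medtronic code): per-product secret in firmware vs. device-bound key.

Everything here is constructed for illustration: PRODUCT_ID, PRODUCT_SECRET, the firmware
image layout and the toy cipher (HMAC-SHA256 counter keystream plus an HMAC tag, standing
in for a real AEAD such as AES-GCM so the example needs only the standard library).
"""
import hashlib
import hmac
import os
import re

PRODUCT_ID = b"monitor-model-x"  # hypothetical model name, not a Medtronic identifier


# ---- toy AEAD: encrypt-then-MAC with separate subkeys derived from one key ----
def _subkeys(key: bytes) -> tuple:
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())

def _keystream(enc_key: bytes, nonce: bytes, n: int) -> bytes:
    out = b""
    for ctr in range((n + 31) // 32):
        out += hmac.new(enc_key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:n]

def seal(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag."""
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(12)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unseal(key: bytes, blob: bytes) -> bytes:
    """Verify the tag first; raise ValueError on a wrong key or any modification."""
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:12], blob[12:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("authentication failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


# ---- weak design: one secret per product line, readable from any unit's flash ----
PRODUCT_SECRET = b"3f9a7c21d4e6b8f0a1c2d3e4f5061728"  # constructed sample value

def weak_firmware_image() -> bytes:
    # The secret is stored as-is inside the image; a flash dump from any unit exposes it.
    return b"\x00" * 64 + b"PRODUCT_SECRET=" + PRODUCT_SECRET + b"\x00" * 64

def weak_drive_key(product_secret: bytes = PRODUCT_SECRET) -> bytes:
    # Every unit of the model derives the same drive key from the same shared secret.
    return hashlib.sha256(PRODUCT_ID + product_secret).digest()

def attacker_recover_secret(image: bytes) -> bytes:
    # Recoverable format: a pattern search over the dump is enough.
    return re.search(rb"PRODUCT_SECRET=([0-9a-f]{32})", image).group(1)


# ---- hardened design: per-device key bound to a secret the device can use but not read ----
class HardwareKeyStore:
    """Simulated secure element / TPM: the device-unique secret never leaves this object."""

    def __init__(self) -> None:
        self._unique = os.urandom(32)  # provisioned once per unit at manufacture

    def derive(self, label: bytes) -> bytes:
        return hmac.new(self._unique, label, hashlib.sha256).digest()

def hardened_drive_key(keystore: HardwareKeyStore) -> bytes:
    # The product id still enters the derivation, but the key is unique to this unit's keystore.
    return keystore.derive(b"drive-key|" + PRODUCT_ID)


def demo() -> dict:
    results = {}
    # Weak: dump flash from unit A, then read and rewrite unit B's drive with the same key.
    secret = attacker_recover_secret(weak_firmware_image())
    unit_b_blob = seal(weak_drive_key(), b"record: stable")
    attacker_key = weak_drive_key(secret)
    results["weak_secret_recovered"] = secret == PRODUCT_SECRET
    results["weak_cross_unit_read"] = unseal(attacker_key, unit_b_blob) == b"record: stable"
    forged = seal(attacker_key, b"record: TAMPERED")
    results["weak_forgery_accepted"] = unseal(weak_drive_key(), forged) == b"record: TAMPERED"
    # Hardened: unit A's key does not open unit B's drive; a bit flip without the key is rejected.
    ks_a, ks_b = HardwareKeyStore(), HardwareKeyStore()
    unit_b_blob = seal(hardened_drive_key(ks_b), b"record: stable")
    try:
        unseal(hardened_drive_key(ks_a), unit_b_blob)
        results["hardened_cross_unit_read"] = True
    except ValueError:
        results["hardened_cross_unit_read"] = False
    tampered = bytearray(unit_b_blob)
    tampered[20] ^= 0x01  # flip one ciphertext bit
    try:
        unseal(hardened_drive_key(ks_b), bytes(tampered))
        results["hardened_tamper_detected"] = False
    except ValueError:
        results["hardened_tamper_detected"] = True
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

Running the file prints the five outcomes: in the weak design the secret is recovered and both the cross-unit read and the forged record succeed; in the hardened design the cross-unit read fails and the bit flip is detected. The second half is the point that hashing cannot deliver: the device still has a usable key, but nothing recoverable from the drive or the firmware image reconstructs it, because the only input that differs per unit lives in the key store.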

Remediation (AI)

Consult the Medtronic security bulletin at https://www.medtronic.com/en-us/e/product-security/security-bulletins/mycarelink-patient-monitor-vulnerabilities.html for the affected and fixed software versions of the 24950 and 24952 models and apply the update Medtronic provides; this page does not itself list a fixed version. Because the attack vector is physical, the compensating controls are physical and procedural: keep monitors out of unsecured storage areas, maintain an inventory with custody records, and sanitize units (for example by wiping credentials on the device or physically destroying the storage media) according to Medtronic's decommissioning guidance before repair, transfer, or disposal, since the drive contents remain exposed to anyone who obtains the hardware. For units that cannot be updated promptly, store them in locked, monitored enclosures and audit them regularly, and retire older units if the update timeline is extended. Treat a lost, stolen, or tampered unit as a credential compromise; because the credentials are described as per-product rather than per-device, raise the incident with Medtronic rather than assuming the affected unit's credentials can be rotated in isolation, and review any data retrieved from that unit's drive for unauthorized modification.
