CVE-2018-10626

Medtronic MyCareLink Patient Monitor’s update service does not sufficiently verify the authenticity of the data uploaded. An attacker who obtains per-product credentials from the monitor and paired implantable cardiac device information can potentially upload invalid data to the Medtronic CareLink network.

CVSS v3 4.4 MEDIUM
CVSS v2.0 3.8 LOW

4.4^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 1.3 / Impact : 2.7

Attack Vector ADJACENT_NETWORK

Attack Complexity HIGH

Privileges Required LOW

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

3.8^/10

CVSS v2.0 : LOW

V2 Legend

Vector : AV:A/AC:M/Au:S/C:P/I:P/A:N

Exploitability : 4.4 / Impact : 4.9

Access Vector ADJACENT_NETWORK

Access Complexity MEDIUM

Authentication SINGLE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact NONE

References

Link	Resource
http://www.securityfocus.com/bid/105042	Third Party Advisory VDB Entry
https://global.medtronic.com/xg-en/product-security/security-bulletins/mycarelink-8-7-18.html
https://ics-cert.us-cert.gov/advisories/ICSMA-18-219-01	Third Party Advisory US Government Resource
http://www.securityfocus.com/bid/105042	Third Party Advisory VDB Entry
https://ics-cert.us-cert.gov/advisories/ICSMA-18-219-01	Third Party Advisory US Government Resource

Configurations

Configuration 1 (hide)

AND

cpe:2.3:o:medtronic:mycarelink_24952_patient_monitor_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:medtronic:mycarelink_24952_patient_monitor:-:*:*:*:*:*:*:*

Configuration 2 (hide)

AND

cpe:2.3:o:medtronic:mycarelink_24950_patient_monitor_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:medtronic:mycarelink_24950_patient_monitor:-:*:*:*:*:*:*:*

History

22 May 2025, 16:15

Type	Values Removed	Values Added
Summary	(en) A vulnerability was discovered in all versions of Medtronic MyCareLink 24950 and 24952 Patient Monitor. The affected product's update service does not sufficiently verify the authenticity of the data uploaded. An attacker who obtains per-product credentials from the monitor and paired implantable cardiac device information can potentially upload invalid data to the Medtronic CareLink network.	(en) Medtronic MyCareLink Patient Monitor’s update service does not sufficiently verify the authenticity of the data uploaded. An attacker who obtains per-product credentials from the monitor and paired implantable cardiac device information can potentially upload invalid data to the Medtronic CareLink network.
References		() https://global.medtronic.com/xg-en/product-security/security-bulletins/mycarelink-8-7-18.html -

21 Nov 2024, 03:41

Type	Values Removed	Values Added
References	~~() http://www.securityfocus.com/bid/105042 - Third Party Advisory, VDB Entry~~	() http://www.securityfocus.com/bid/105042 - Third Party Advisory, VDB Entry
References	~~() https://ics-cert.us-cert.gov/advisories/ICSMA-18-219-01 - Third Party Advisory, US Government Resource~~	() https://ics-cert.us-cert.gov/advisories/ICSMA-18-219-01 - Third Party Advisory, US Government Resource

Information

Published : 2018-08-10 18:29

Updated : 2025-05-22 16:15

NVD link : CVE-2018-10626

Mitre link : CVE-2018-10626

CVE.ORG link : CVE-2018-10626

JSON object : View

Products Affected

medtronic

mycarelink_24950_patient_monitor
mycarelink_24952_patient_monitor_firmware
mycarelink_24952_patient_monitor
mycarelink_24950_patient_monitor_firmware

CWE

CWE-345

Insufficient Verification of Data Authenticity

4.4 /10

Attack Vector ADJACENT_NETWORK

Attack Complexity HIGH

Privileges Required LOW

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

3.8 /10

Access Vector ADJACENT_NETWORK

Access Complexity MEDIUM

Authentication SINGLE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact NONE

JSON object

Attach tags to CVE-2018-10626

4.4^/10

3.8^/10

Attach tags to `CVE-2018-10626`