CVE-2019-18252
Description
BIOTRONIK CardioMessenger II, The affected products allow credential reuse for multiple authentication purposes. An attacker with adjacent access to the CardioMessenger can disclose its credentials used for connecting to the BIOTRONIK Remote Communication infrastructure.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
BIOTRONIK CardioMessenger II home monitoring units use cleartext credentials, weak authentication, and stored passwords, enabling adjacent attackers to disclose RCI credentials.
Vulnerability
BIOTRONIK CardioMessenger II devices (CardioMessenger II-S T-Line and CardioMessenger II-S GSM running firmware version T4APP 2.20) contain multiple vulnerabilities: improper authentication (CWE-287), cleartext transmission of sensitive information (CWE-319), missing encryption of sensitive data, and storing passwords in a recoverable format [1]. The product transmits credentials in cleartext before establishing an encrypted channel, does not enforce mutual authentication with the Remote Communication Infrastructure (RCI), and reuses credentials for multiple authentication purposes [1].
Exploitation
An attacker with adjacent network access to the CardioMessenger II can exploit these issues. The cleartext transmission of credentials allows the attacker to capture the device's client credentials used to connect to the BIOTRONIK Remote Communication infrastructure [1]. The attacker does not need authentication or user interaction to perform this capture. Additionally, credential reuse across different authentication contexts simplifies the attacker's ability to leverage disclosed credentials [1]. Physical access to the device could also be used to obtain sensitive data [1].
Impact
Successful exploitation enables the attacker to disclose the CardioMessenger's credentials for the BIOTRONIK Remote Communication infrastructure [1]. This disclosure can lead to the attacker gaining unauthorized access to transmitted medical data from implanted cardiac devices, potentially including the implant’s serial number, and may allow the attacker to influence communications between the Home Monitoring Unit and the Access Point Name gateway network [1]. The confidentiality of sensitive data is compromised, and device functionality may be affected [1].
Mitigation
BIOTRONIK has released firmware version T4APP v3.00 to address these vulnerabilities in the CardioMessenger II devices [1]. Users are advised to update affected products to this fixed version as soon as possible. There are no known workarounds; updating the firmware is the only mitigation. The vulnerabilities are not known to be listed in CISA's Known Exploited Vulnerabilities (KEV) catalog as of this writing [1].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
1Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
1- www.us-cert.gov/ics/advisories/icsma-20-170-05mitrex_refsource_MISC
News mentions
0No linked articles in our index yet.