CVE-2019-18254
Description
BIOTRONIK CardioMessenger II: the affected products do not encrypt sensitive information while at rest. An attacker with physical access to the CardioMessenger can disclose medical measurement data and the serial number from the implanted cardiac device the CardioMessenger is paired with.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
BIOTRONIK CardioMessenger II does not encrypt sensitive data at rest, allowing physical attackers to disclose medical data and implant serial numbers.
Vulnerability
The affected products are CardioMessenger II-S T-Line and CardioMessenger II-S GSM running firmware version T4APP 2.20. The devices do not encrypt sensitive information while at rest, including medical measurement data and the serial number of the paired implanted cardiac device [1].
Exploitation
An attacker requires physical access to the CardioMessenger unit. With low skill level, the attacker can access the stored data directly from the device's memory or storage without authentication [1].
Impact
Successful exploitation allows disclosure of medical measurement data and the implant's serial number, compromising patient privacy and device identification [1].
Mitigation
The advisory does not disclose a specific fix or workaround. Users should follow the vendor's guidance and restrict physical access to the device [1].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
Patches (0)
No patches discovered yet.
References (1)
- www.us-cert.gov/ics/advisories/icsma-20-170-05 (mitre, x_refsource_MISC)