Medtronic
Products
45- 11 CVEs
- 6 CVEs
- 4 CVEs
- 4 CVEs
- 4 CVEs
- 4 CVEs
- 3 CVEs
- 2 CVEs
- 2 CVEs
- 2 CVEs
- 1 CVE
- 1 CVE
- 1 CVE
- 1 CVE
- 1 CVE
- 1 CVE
- 1 CVE
- 1 CVE
- 1 CVE
- 1 CVE
- 1 CVE
- 1 CVE
- 1 CVE
- 1 CVE
- 1 CVE
- 1 CVE
- 1 CVE
- 1 CVE
- 1 CVE
- 1 CVE
- View all 45 products →
Recent CVEs
35| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2018-10596 | Hig | 0.46 | 7.1 | 0.01 | Jul 3, 2018 | Medtronic 2090 CareLink Programmer uses a virtual private network connection to securely download updates. It does not verify it is still connected to this virtual private network before downloading updates. The affected products initially establish an encapsulated IP-based… | ||
| CVE-2025-4397 | Med | 0.44 | 6.8 | 0.00 | May 7, 2026 | Medtronic MyCareLink Patient Monitor uses per-product credentials that are stored in a recoverable format. An attacker can use these credentials to modify encrypted drive data. | ||
| CVE-2025-4386 | Med | 0.44 | 6.8 | 0.00 | May 7, 2026 | Medtronic MyCareLink Patient Monitor has an internal serial interface, which allows an attacker with physical access to access a login prompt via a UART terminal. | ||
| CVE-2025-4395 | Med | 0.44 | 6.8 | 0.00 | Jul 24, 2025 | Medtronic MyCareLink Patient Monitor has a built-in user account with an empty password, which allows an attacker with physical access to log in with no password and access modify system functionality. This issue affects MyCareLink Patient Monitor models 24950 and 24952:… | ||
| CVE-2025-4394 | Med | 0.44 | 6.8 | 0.00 | Jul 24, 2025 | Medtronic MyCareLink Patient Monitor uses an unencrypted filesystem on internal storage, which allows an attacker with physical access to read and modify files. This issue affects MyCareLink Patient Monitor models 24950 and 24952: before June 25, 2025 | ||
| CVE-2025-4393 | Med | 0.42 | 6.5 | 0.00 | Jul 24, 2025 | Medtronic MyCareLink Patient Monitor has an internal service that deserializes data, which allows a local attacker to interact with the service by crafting a binary payload to crash the service or elevate privileges. This issue affects MyCareLink Patient Monitor models 24950… | ||
| CVE-2018-8870 | Med | 0.42 | 6.4 | 0.00 | Jul 3, 2018 | Medtronic 24950 MyCareLink Monitor and 24952 MyCareLink Monitor contains a hard-coded operating system password. An attacker with physical access can remove the case of the device, connect to the debug port, and use the password to gain privileged access to the operating system. | ||
| CVE-2018-10631 | Med | 0.41 | 6.3 | 0.00 | Jul 13, 2018 | The 8840 Clinician Programmer executes the application program from the 8870 Application Card. An attacker with physical access to an 8870 Application Card and sufficient technical capability can modify the contents of this card, including the binary executables. If modified to… | ||
| CVE-2018-8868 | Med | 0.40 | 6.2 | 0.00 | Jul 3, 2018 | Medtronic 24950 MyCareLink Monitor and 24952 MyCareLink Monitor contains debug code meant to test the functionality of the monitor's communication interfaces, including the interface between the monitor and implantable cardiac device. An attacker with physical access to the… | ||
| CVE-2018-14781 | Med | 0.35 | 5.3 | 0.01 | Aug 13, 2018 | Medtronic MiniMed MMT devices when paired with a remote controller and having the “easy bolus” and “remote bolus” options enabled (non-default), are vulnerable to a capture-replay attack. An attacker can capture the wireless transmissions between the remote controller… | ||
| CVE-2018-10622 | Med | 0.34 | 5.2 | 0.00 | Aug 10, 2018 | Medtronic MyCareLink Patient Monitor uses per-product credentials that are stored in a recoverable format. An attacker can use these credentials for network authentication. | ||
| CVE-2018-5446 | Med | 0.32 | 4.9 | 0.00 | May 4, 2018 | Medtronic 2090 CareLink Programmer uses a per-product username and password that is stored in a recoverable format. | ||
| CVE-2022-32537 | Med | 0.31 | 4.8 | 0.00 | Dec 12, 2022 | A vulnerability exists which could allow an unauthorized user to learn aspects of the communication protocol used to pair system components while the pump is being paired with other system components. Exploitation requires nearby wireless signal proximity with the patient and… | ||
| CVE-2018-10634 | Med | 0.31 | 4.8 | 0.00 | Aug 13, 2018 | Communications between Medtronic MiniMed MMT pumps and wireless accessories are transmitted in cleartext. A sufficiently skilled attacker could capture these transmissions and extract sensitive information, such as device serial numbers. | ||
| CVE-2018-5448 | Med | 0.31 | 4.8 | 0.01 | May 4, 2018 | Medtronic 2090 CareLink Programmer’s software deployment network contains a directory traversal vulnerability that could allow an attacker to read files on the system. | ||
| CVE-2018-8849 | Med | 0.30 | 4.6 | 0.00 | May 18, 2018 | Medtronic N'Vision Clinician Programmer 8840 N'Vision Clinician Programme and 8870 N'Vision removable Application Card do not encrypt PII and PHI while at rest. | ||
| CVE-2018-10626 | Med | 0.29 | 4.4 | 0.00 | Aug 10, 2018 | Medtronic MyCareLink Patient Monitor’s update service does not sufficiently verify the authenticity of the data uploaded. An attacker who obtains per-product credentials from the monitor and paired implantable cardiac device information can potentially upload invalid data… | ||
| CVE-2023-31222 | 0.02 | — | 0.28 | Jun 29, 2023 | Deserialization of untrusted data in Microsoft Messaging Queuing Service in Medtronic's Paceart Optima versions 1.11 and earlier on Windows allows an unauthorized user to impact a healthcare delivery organization’s Paceart Optima system cardiac device causing data to be… | |||
| CVE-2025-12997 | 0.00 | — | 0.00 | Dec 4, 2025 | Insecure Direct Object Reference vulnerability in Medtronic CareLink Network which allows an authenticated attacker with access to specific device and user information to submit web requests to an API endpoint that would expose sensitive user information. This issue affects… | |||
| CVE-2025-12996 | 0.00 | — | 0.00 | Dec 4, 2025 | Medtronic CareLink Network allows a local attacker with access to log files on an internal API server to view plaintext passwords from errors logged under certain circumstances. This issue affects CareLink Network: before December 4, 2025. |
- risk 0.46cvss 7.1epss 0.01
Medtronic 2090 CareLink Programmer uses a virtual private network connection to securely download updates. It does not verify it is still connected to this virtual private network before downloading updates. The affected products initially establish an encapsulated IP-based…
- risk 0.44cvss 6.8epss 0.00
Medtronic MyCareLink Patient Monitor uses per-product credentials that are stored in a recoverable format. An attacker can use these credentials to modify encrypted drive data.
- risk 0.44cvss 6.8epss 0.00
Medtronic MyCareLink Patient Monitor has an internal serial interface, which allows an attacker with physical access to access a login prompt via a UART terminal.
- risk 0.44cvss 6.8epss 0.00
Medtronic MyCareLink Patient Monitor has a built-in user account with an empty password, which allows an attacker with physical access to log in with no password and access modify system functionality. This issue affects MyCareLink Patient Monitor models 24950 and 24952:…
- risk 0.44cvss 6.8epss 0.00
Medtronic MyCareLink Patient Monitor uses an unencrypted filesystem on internal storage, which allows an attacker with physical access to read and modify files. This issue affects MyCareLink Patient Monitor models 24950 and 24952: before June 25, 2025
- risk 0.42cvss 6.5epss 0.00
Medtronic MyCareLink Patient Monitor has an internal service that deserializes data, which allows a local attacker to interact with the service by crafting a binary payload to crash the service or elevate privileges. This issue affects MyCareLink Patient Monitor models 24950…
- risk 0.42cvss 6.4epss 0.00
Medtronic 24950 MyCareLink Monitor and 24952 MyCareLink Monitor contains a hard-coded operating system password. An attacker with physical access can remove the case of the device, connect to the debug port, and use the password to gain privileged access to the operating system.
- risk 0.41cvss 6.3epss 0.00
The 8840 Clinician Programmer executes the application program from the 8870 Application Card. An attacker with physical access to an 8870 Application Card and sufficient technical capability can modify the contents of this card, including the binary executables. If modified to…
- risk 0.40cvss 6.2epss 0.00
Medtronic 24950 MyCareLink Monitor and 24952 MyCareLink Monitor contains debug code meant to test the functionality of the monitor's communication interfaces, including the interface between the monitor and implantable cardiac device. An attacker with physical access to the…
- risk 0.35cvss 5.3epss 0.01
Medtronic MiniMed MMT devices when paired with a remote controller and having the “easy bolus” and “remote bolus” options enabled (non-default), are vulnerable to a capture-replay attack. An attacker can capture the wireless transmissions between the remote controller…
- risk 0.34cvss 5.2epss 0.00
Medtronic MyCareLink Patient Monitor uses per-product credentials that are stored in a recoverable format. An attacker can use these credentials for network authentication.
- risk 0.32cvss 4.9epss 0.00
Medtronic 2090 CareLink Programmer uses a per-product username and password that is stored in a recoverable format.
- risk 0.31cvss 4.8epss 0.00
A vulnerability exists which could allow an unauthorized user to learn aspects of the communication protocol used to pair system components while the pump is being paired with other system components. Exploitation requires nearby wireless signal proximity with the patient and…
- risk 0.31cvss 4.8epss 0.00
Communications between Medtronic MiniMed MMT pumps and wireless accessories are transmitted in cleartext. A sufficiently skilled attacker could capture these transmissions and extract sensitive information, such as device serial numbers.
- risk 0.31cvss 4.8epss 0.01
Medtronic 2090 CareLink Programmer’s software deployment network contains a directory traversal vulnerability that could allow an attacker to read files on the system.
- risk 0.30cvss 4.6epss 0.00
Medtronic N'Vision Clinician Programmer 8840 N'Vision Clinician Programme and 8870 N'Vision removable Application Card do not encrypt PII and PHI while at rest.
- risk 0.29cvss 4.4epss 0.00
Medtronic MyCareLink Patient Monitor’s update service does not sufficiently verify the authenticity of the data uploaded. An attacker who obtains per-product credentials from the monitor and paired implantable cardiac device information can potentially upload invalid data…
- CVE-2023-31222Jun 29, 2023risk 0.02cvss —epss 0.28
Deserialization of untrusted data in Microsoft Messaging Queuing Service in Medtronic's Paceart Optima versions 1.11 and earlier on Windows allows an unauthorized user to impact a healthcare delivery organization’s Paceart Optima system cardiac device causing data to be…
- CVE-2025-12997Dec 4, 2025risk 0.00cvss —epss 0.00
Insecure Direct Object Reference vulnerability in Medtronic CareLink Network which allows an authenticated attacker with access to specific device and user information to submit web requests to an API endpoint that would expose sensitive user information. This issue affects…
- CVE-2025-12996Dec 4, 2025risk 0.00cvss —epss 0.00
Medtronic CareLink Network allows a local attacker with access to log files on an internal API server to view plaintext passwords from errors logged under certain circumstances. This issue affects CareLink Network: before December 4, 2025.