VYPR

Vendor CVEs

Medtronic

All CVEs

35 total · sorted by risk
  • CVE-2018-10596HigJul 3, 2018
    risk 0.46cvss 7.1epss 0.01

    Medtronic 2090 CareLink Programmer uses a virtual private network connection to securely download updates. It does not verify it is still connected to this virtual private network before downloading updates. The affected products initially establish an encapsulated IP-based…

  • CVE-2025-4397MedMay 7, 2026
    risk 0.44cvss 6.8epss 0.00

    Medtronic MyCareLink Patient Monitor uses per-product credentials that are stored in a recoverable format. An attacker can use these credentials to modify encrypted drive data.

  • CVE-2025-4386MedMay 7, 2026
    risk 0.44cvss 6.8epss 0.00

    Medtronic MyCareLink Patient Monitor has an internal serial interface, which allows an attacker with physical access to access a login prompt via a UART terminal.​

  • CVE-2025-4395MedJul 24, 2025
    risk 0.44cvss 6.8epss 0.00

    Medtronic MyCareLink Patient Monitor has a built-in user account with an empty password, which allows an attacker with physical access to log in with no password and access modify system functionality. This issue affects MyCareLink Patient Monitor models 24950 and 24952:…

  • CVE-2025-4394MedJul 24, 2025
    risk 0.44cvss 6.8epss 0.00

    Medtronic MyCareLink Patient Monitor uses an unencrypted filesystem on internal storage, which allows an attacker with physical access to read and modify files. This issue affects MyCareLink Patient Monitor models 24950 and 24952: before June 25, 2025

  • CVE-2025-4393MedJul 24, 2025
    risk 0.42cvss 6.5epss 0.00

    Medtronic MyCareLink Patient Monitor has an internal service that deserializes data, which allows a local attacker to interact with the service by crafting a binary payload to crash the service or elevate privileges. This issue affects MyCareLink Patient Monitor models 24950…

  • CVE-2018-8870MedJul 3, 2018
    risk 0.42cvss 6.4epss 0.00

    Medtronic 24950 MyCareLink Monitor and 24952 MyCareLink Monitor contains a hard-coded operating system password. An attacker with physical access can remove the case of the device, connect to the debug port, and use the password to gain privileged access to the operating system.

  • CVE-2018-10631MedJul 13, 2018
    risk 0.41cvss 6.3epss 0.00

    The 8840 Clinician Programmer executes the application program from the 8870 Application Card. An attacker with physical access to an 8870 Application Card and sufficient technical capability can modify the contents of this card, including the binary executables. If modified to…

  • CVE-2018-8868MedJul 3, 2018
    risk 0.40cvss 6.2epss 0.00

    Medtronic 24950 MyCareLink Monitor and 24952 MyCareLink Monitor contains debug code meant to test the functionality of the monitor's communication interfaces, including the interface between the monitor and implantable cardiac device. An attacker with physical access to the…

  • CVE-2018-14781MedAug 13, 2018
    risk 0.35cvss 5.3epss 0.01

    Medtronic MiniMed MMT devices when paired with a remote controller and having the “easy bolus” and “remote bolus” options enabled (non-default), are vulnerable to a capture-replay attack. An attacker can capture the wireless transmissions between the remote controller…

  • CVE-2018-10622MedAug 10, 2018
    risk 0.34cvss 5.2epss 0.00

    Medtronic MyCareLink Patient Monitor uses per-product credentials that are stored in a recoverable format. An attacker can use these credentials for network authentication.

  • CVE-2018-5446MedMay 4, 2018
    risk 0.32cvss 4.9epss 0.00

    Medtronic 2090 CareLink Programmer uses a per-product username and password that is stored in a recoverable format.

  • CVE-2022-32537MedDec 12, 2022
    risk 0.31cvss 4.8epss 0.00

    A vulnerability exists which could allow an unauthorized user to learn aspects of the communication protocol used to pair system components while the pump is being paired with other system components. Exploitation requires nearby wireless signal proximity with the patient and…

  • CVE-2018-10634MedAug 13, 2018
    risk 0.31cvss 4.8epss 0.00

    Communications between Medtronic MiniMed MMT pumps and wireless accessories are transmitted in cleartext. A sufficiently skilled attacker could capture these transmissions and extract sensitive information, such as device serial numbers.

  • CVE-2018-5448MedMay 4, 2018
    risk 0.31cvss 4.8epss 0.01

    Medtronic 2090 CareLink Programmer’s software deployment network contains a directory traversal vulnerability that could allow an attacker to read files on the system.

  • CVE-2018-8849MedMay 18, 2018
    risk 0.30cvss 4.6epss 0.00

    Medtronic N'Vision Clinician Programmer 8840 N'Vision Clinician Programme and 8870 N'Vision removable Application Card do not encrypt PII and PHI while at rest.

  • CVE-2018-10626MedAug 10, 2018
    risk 0.29cvss 4.4epss 0.00

    Medtronic MyCareLink Patient Monitor’s update service does not sufficiently verify the authenticity of the data uploaded. An attacker who obtains per-product credentials from the monitor and paired implantable cardiac device information can potentially upload invalid data…

  • CVE-2023-31222Jun 29, 2023
    risk 0.02cvss epss 0.28

    Deserialization of untrusted data in Microsoft Messaging Queuing Service in Medtronic's Paceart Optima versions 1.11 and earlier on Windows allows an unauthorized user to impact a healthcare delivery organization’s Paceart Optima system cardiac device causing data to be…

  • CVE-2025-12997Dec 4, 2025
    risk 0.00cvss epss 0.00

    Insecure Direct Object Reference vulnerability in Medtronic CareLink Network which allows an authenticated attacker with access to specific device and user information to submit web requests to an API endpoint that would expose sensitive user information. This issue affects…

  • CVE-2025-12996Dec 4, 2025
    risk 0.00cvss epss 0.00

    Medtronic CareLink Network allows a local attacker with access to log files on an internal API server to view plaintext passwords from errors logged under certain circumstances. This issue affects CareLink Network: before December 4, 2025.

  • CVE-2025-12995Dec 4, 2025
    risk 0.00cvss epss 0.00

    Medtronic CareLink Network allows an unauthenticated remote attacker to perform a brute force attack on an API endpoint that could be used to determine a valid password under certain circumstances. This issue affects CareLink Network: before December 4, 2025.

  • CVE-2025-12994Dec 4, 2025
    risk 0.00cvss epss 0.00

    Medtronic CareLink Network allows an unauthenticated remote attacker to initiate a request for security questions to an API endpoint that could be used to determine a valid user account. This issue affects CareLink Network: before December 4, 2025.

  • CVE-2023-25931Mar 1, 2023
    risk 0.00cvss epss 0.00

    Medtronic identified that the Pelvic Health clinician apps, which are installed on the Smart Programmer mobile device, have a password vulnerability that requires a security update to fix. Not updating could potentially result in unauthorized control of the clinician therapy…

  • CVE-2020-27252Dec 14, 2020
    risk 0.00cvss epss 0.04

    Medtronic MyCareLink Smart 25000 is vulnerable to a race condition in the MCL Smart Patient Reader software update system, which allows unsigned firmware to be uploaded and executed on the Patient Reader. If exploited, an attacker could remotely execute code on the MCL Smart…

  • CVE-2020-25187Dec 14, 2020
    risk 0.00cvss epss 0.04

    Medtronic MyCareLink Smart 25000 is  vulnerable when an authenticated attacker runs a debug command, which can be sent to the patient reader and cause a heap overflow event within the MCL Smart Patient Reader software stack. The heap overflow could allow an attacker to…

  • CVE-2020-25183Dec 14, 2020
    risk 0.00cvss epss 0.01

    Medtronic MyCareLink Smart 25000 contains an authentication protocol vulnerability where the method used to authenticate between the MCL Smart Patient Reader and the Medtronic MyCareLink Smart mobile app is vulnerable to bypass. This vulnerability enables an attacker to use…

  • CVE-2019-13531Nov 8, 2019
    risk 0.00cvss epss 0.00

    In Medtronic Valleylab FT10 Energy Platform (VLFT10GEN) version 2.1.0 and lower and version 2.0.3 and lower, and Valleylab LS10 Energy Platform (VLLS10GEN—not available in the United States) version 1.20.2 and lower, the RFID security mechanism used for authentication between…

  • CVE-2019-13535Nov 8, 2019
    risk 0.00cvss epss 0.00

    In Medtronic Valleylab FT10 Energy Platform (VLFT10GEN) version 2.1.0 and lower and version 2.0.3 and lower, and Valleylab LS10 Energy Platform (VLLS10GEN—not available in the United States) version 1.20.2 and lower, the RFID security mechanism does not apply read protection,…

  • CVE-2019-13539Nov 8, 2019
    risk 0.00cvss epss 0.00

    Medtronic Valleylab Exchange Client version 3.4 and below, Valleylab FT10 Energy Platform (VLFT10GEN) software version 4.0.0 and below, and Valleylab FX8 Energy Platform (VLFX8GEN) software version 1.1.0 and below use the descrypt algorithm for OS password hashing. While…

  • CVE-2019-13543Nov 8, 2019
    risk 0.00cvss epss 0.02

    Medtronic Valleylab Exchange Client version 3.4 and below, Valleylab FT10 Energy Platform (VLFT10GEN) software version 4.0.0 and below, and Valleylab FX8 Energy Platform (VLFX8GEN) software version 1.1.0 and below use multiple sets of hard-coded credentials. If discovered, they…

  • CVE-2019-10964Jun 28, 2019
    risk 0.00cvss epss 0.01

    Medtronic MiniMed Insulin Pumps are designed to communicate using a wireless RF with other devices, such as blood glucose meters, glucose sensor transmitters, and CareLink USB devices. This wireless RF communication protocol does not properly implement authentication or…

  • CVE-2019-6540Mar 26, 2019
    risk 0.00cvss epss 0.00

    The Conexus telemetry protocol utilized within Medtronic MyCareLink Monitor versions 24950 and 24952, CareLink Monitor version 2490C, CareLink 2090 Programmer, Amplia CRT-D, Claria CRT-D, Compia CRT-D, Concerto CRT-D, Concerto II CRT-D, Consulta CRT-D, Evera ICD, Maximo II CRT-D…

  • CVE-2019-6538Mar 25, 2019
    risk 0.00cvss epss 0.01

    The Conexus telemetry protocol utilized within Medtronic MyCareLink Monitor versions 24950 and 24952, CareLink Monitor version 2490C, CareLink 2090 Programmer, Amplia CRT-D, Claria CRT-D, Compia CRT-D, Concerto CRT-D, Concerto II CRT-D, Consulta CRT-D, Evera ICD, Maximo II CRT-D…

  • CVE-2018-18984Dec 14, 2018
    risk 0.00cvss epss 0.00

    Medtronic CareLink and Encore Programmers do not encrypt or do not sufficiently encrypt sensitive PII and PHI information while at rest .

  • CVE-2011-3386Sep 2, 2011
    risk 0.00cvss epss 0.01

    Unspecified vulnerability in Medtronic Paradigm wireless insulin pump 512, 522, 712, and 722 allows remote attackers to modify the delivery of an insulin bolus dose and cause a denial of service (adverse human health effects) via unspecified vectors involving wireless…