Vulnerability Details : CVE-2018-10626
A vulnerability was discovered in all versions of Medtronic MyCareLink 24950 and 24952 Patient Monitor. The affected product's update service does not sufficiently verify the authenticity of the data uploaded. An attacker who obtains per-product credentials from the monitor and paired implantable cardiac device information can potentially upload invalid data to the Medtronic CareLink network.
Products affected by CVE-2018-10626
- cpe:2.3:o:medtronic:mycarelink_24952_patient_monitor_firmware:-:*:*:*:*:*:*:*
- cpe:2.3:o:medtronic:mycarelink_24950_patient_monitor_firmware:-:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2018-10626
0.04%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 8 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2018-10626
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
3.8
|
LOW | AV:A/AC:M/Au:S/C:P/I:P/A:N |
4.4
|
4.9
|
NIST | |
4.4
|
MEDIUM | CVSS:3.0/AV:A/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:N |
1.3
|
2.7
|
NIST |
CWE ids for CVE-2018-10626
-
The product does not sufficiently verify the origin or authenticity of data, in a way that causes it to accept invalid data.Assigned by:
- ics-cert@hq.dhs.gov (Secondary)
- nvd@nist.gov (Primary)
References for CVE-2018-10626
-
https://ics-cert.us-cert.gov/advisories/ICSMA-18-219-01
Medtronic MyCareLink 24950 Patient Monitor | CISAThird Party Advisory;US Government Resource
-
http://www.securityfocus.com/bid/105042
Medtronic MyCareLink Patient Monitor Security Bypass and Information Disclosure VulnerabilitiesThird Party Advisory;VDB Entry
Jump to