CVE-2018-8849 - Vulnerability Details

Medtronic N'Vision Clinician Programmer 8840 N'Vision Clinician Programme and 8870 N'Vision removable Application Card do not encrypt PII and PHI while at rest.

No CVSS v4.0

Attack Vector Physical

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

Attack Vector Physical

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

Access Vector Local

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

This CVE is not in the KEV list.

The EPSS score is 0.00083.

Key SSVC decision points have not yet been added.

Vendors	Products
Medtronic	N\'vision 8840 N\'vision 8840 Firmware N\'vision 8870 N\'vision 8870 Firmware

Configuration 1 [-]

AND

cpe:2.3:o:medtronic:n\'vision_8840_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:medtronic:n\'vision_8840:-:*:*:*:*:*:*:*

Configuration 2 [-]

AND

cpe:2.3:o:medtronic:n\'vision_8870_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:medtronic:n\'vision_8870:-:*:*:*:*:*:*:*

No data.

Advisories

Source	ID	Title
EUVD	EUVD-2018-20457	Medtronic N'Vision Clinician Programmer 8840 N'Vision Clinician Programmer, all versions, and 8870 N'Vision removable Application Card, all versions does not encrypt PII and PHI while at rest.

Fixes

Solution

No solution given by the vendor.

Workaround

Medtronic has not developed a product update to address the vulnerabilities, but is reinforcing security reminders within this advisory to help reduce the risk associated with the vulnerabilities. The 8870 Therapy Application card stores PHI and PII as part of its normal operating procedure and should be handled, managed and secured in a manner consistent with the applicable laws for patient data privacy. Medtronic recommends users take additional defensive measures to minimize the risk of exploitation of these vulnerabilities. Specifically, hospitals and clinicians should: * Maintain strict physical control of the 8870 application card. * Use only legitimately obtained 8870 cards and not cards provided by any third party as firmware and system updates are provided directly by Medtronic using new 8870 application cards. * 8840 Programmers and 8870 Therapy Application compact flash cards are the property of Medtronic and should be returned to Medtronic when no longer in use. If that is not an option, you should securely dispose of them. Medtronic has released additional patient focused information, at the following location: https://www.medtronic.com/security

References

Link	Providers
http://www.medtronic.com/content/dam/medtronic-com/us-en/corporate/documents/Medtronic-NVision-8840_Security-Bulletin_FINAL.pdf
http://www.securityfocus.com/bid/104213
https://ics-cert.us-cert.gov/advisories/ICSMA-18-137-01
https://www.cisa.gov/news-events/ics-medical-advisories/icsma-18-137-01
https://www.medtronic.com/security

History

Fri, 27 Jun 2025 16:45:00 +0000

Type	Values Removed	Values Added
Description	Medtronic N'Vision Clinician Programmer 8840 N'Vision Clinician Programmer, all versions, and 8870 N'Vision removable Application Card, all versions does not encrypt PII and PHI while at rest.	Medtronic N'Vision Clinician Programmer 8840 N'Vision Clinician Programme and 8870 N'Vision removable Application Card do not encrypt PII and PHI while at rest.
Title		Medtronic N'Vision Clinician Programmer Missing Encryption of Sensitive Data
References		https://www.cisa.gov/news-events/ics-medical-advisories/icsma-18-137-01 https://www.medtronic.com/security
Metrics		cvssV3_1 `{'score': 4.6, 'vector': 'CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}`

MITRE

Status: PUBLISHED

Assigner: icscert

Published: 2018-05-18T13:00:00Z

Updated: 2025-06-27T16:24:54.910Z

Reserved: 2018-03-20T00:00:00

Link: CVE-2018-8849

Vulnrichment

No data.

NVD

Status : Modified

Published: 2018-05-18T13:29:00.427

Modified: 2025-06-27T17:15:32.103

Link: CVE-2018-8849

Redhat

No data.

OpenCVE Enrichment

No data.

Metrics

Attack Vector Physical

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

Attack Vector Physical

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

Access Vector Local

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object

JSON object