Medtronic 24950 MyCareLink Monitor and 24952 MyCareLink Monitor contains a hard-coded operating system password. An attacker with physical access can remove the case of the device, connect to the debug port, and use the password to gain privileged access to the operating system.
Fixes

Solution

Medtronic will release several rolling over-the-air product updates that will mitigate the vulnerabilities described within this advisory. These updates will be applied to devices automatically as part of standard, reoccurring update processes. In addition, Medtronic has increased security monitoring of affected devices and related infrastructure. Medtronic has released additional patient focused information, at the following location: https://www.medtronic.com/security


Workaround

Medtronic recommends users take additional defensive measures to minimize the risk of exploitation of these vulnerabilities. Specifically, users should: * Maintain good physical controls over the home monitor as the best mitigation to these vulnerabilities.   * Only use home monitors obtained directly from their healthcare provider or a Medtronic representative to ensure integrity of the system. * Report any concerning behavior regarding their home monitor to their healthcare provider or a Medtronic representative. Medtronic has released additional patient focused information, at the following location: https://www.medtronic.com/security

History

Thu, 22 May 2025 18:30:00 +0000

Type Values Removed Values Added
Description Medtronic MyCareLink Patient Monitor, 24950 MyCareLink Monitor, all versions, and 24952 MyCareLink Monitor, all versions contains a hard-coded operating system password. An attacker with physical access can remove the case of the device, connect to the debug port, and use the password to gain privileged access to the operating system. Medtronic 24950 MyCareLink Monitor and 24952 MyCareLink Monitor contains a hard-coded operating system password. An attacker with physical access can remove the case of the device, connect to the debug port, and use the password to gain privileged access to the operating system.
Title Medtronic MyCareLink Patient Monitor Use of Hard-coded Password
References
Metrics cvssV3_1

{'score': 6.4, 'vector': 'CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}


cve-icon MITRE

Status: PUBLISHED

Assigner: icscert

Published:

Updated: 2025-05-22T18:10:03.426Z

Reserved: 2018-03-20T00:00:00

Link: CVE-2018-8870

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Modified

Published: 2018-07-03T01:29:01.940

Modified: 2025-05-22T19:15:22.237

Link: CVE-2018-8870

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

No data.