Description
Medtronic MyCareLink Patient Monitor uses per-product credentials that are stored in a recoverable format. An attacker can use these credentials to modify encrypted drive data.
Published: 2026-05-07
Score: 6.8 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Medtronic MyCareLink Patient Monitor uses per‑product credentials stored in a recoverable format. An attacker who obtains these credentials can alter the device’s encrypted drive data, potentially causing inaccurate patient monitoring information and jeopardizing clinical decision‑making. The weakness is classified as CWE‑313 (Cleartext Storage in a File or on Disk), a form of insecure handling of sensitive credentials that here leads to unauthorized modification of data.

Affected Systems

The vulnerability affects Medtronic MyCareLink Patient Monitor models 24950 and 24952. No other model or version information is provided in the current advisory.

Risk and Exploitability

The CVSS score of 6.8 indicates medium severity; EPSS data is unavailable and the vulnerability is not catalogued in CISA’s KEV list. The published CVSS 3.1 vector (AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) records a physical attack vector with no privileges or user interaction required. An attacker would need valid credentials, which could be compromised through phishing, credential theft, or physical access. The likely attack vector is local or remote access to management interfaces that allow credential recovery. If the attacker succeeds, they can modify encrypted device storage, potentially leading to subtle data tampering that may go undetected.

Generated by OpenCVE AI on May 7, 2026 at 16:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Medtronic vendor patch or firmware update for MyCareLink Patient Monitor that secures per‑product credential storage.
  • Re‑configure credential handling to use non‑recoverable encrypted storage, such as a secure element or TPM, and enforce strong password policies.
  • Implement network segmentation, restrict management interface access, and monitor logs for anomalous credential usage or configuration changes.
  • If a patch is unavailable, disable or limit the recovery of per‑product credentials and require multi‑factor authentication for management access.

Advisories

No advisories yet.

History

Thu, 07 May 2026 18:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Medtronic; Medtronic mycarelink Monitor 24950; Medtronic mycarelink Monitor 24952
Vendors & Products | | Medtronic; Medtronic mycarelink Monitor 24950; Medtronic mycarelink Monitor 24952

Thu, 07 May 2026 17:30:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 07 May 2026 15:30:00 +0000

Type | Values Removed | Values Added
Description | | Medtronic MyCareLink Patient Monitor uses per-product credentials that are stored in a recoverable format. An attacker can use these credentials to modify encrypted drive data.
Title | | Medtronic MyCareLink Patient Monitor Data Encryption Weakness
Weaknesses | | CWE-313
References | |
Metrics | | cvssV3_1 {'score': 6.8, 'vector': 'CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

MITRE

Status: PUBLISHED

Assigner: Medtronic

Published:

Updated: 2026-05-07T15:45:18.202Z

Reserved: 2025-05-06T20:24:40.064Z

Link: CVE-2025-4397

Vulnrichment

Updated: 2026-05-07T15:45:10.324Z

NVD

Status: Awaiting Analysis

Published: 2026-05-07T16:16:17.410

Modified: 2026-05-07T18:46:47.697

Link: CVE-2025-4397

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-07T18:00:11Z

Weaknesses