{"containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Smart Model 25000 Patient Reader", "vendor": "Medtronic", "versions": [{"status": "affected", "version": "All versions"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Sternum, based in Tel Aviv, Israel, discovered and initially reported these vulnerabilities to Medtronic."}, {"lang": "en", "type": "finder", "value": "Eric Gustafson, Sara Rampazzi, Paul Grosen, Christopher Kruegel, and Giovanni Vigna from the University of California Santa Barbara, University of Florida, and University of Michigan"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>Medtronic MyCareLink Smart 25000 contains \n\n<span style=\"background-color: rgb(255, 255, 255);\">an authentication protocol vulnerability where the method used to authenticate between the MCL Smart Patient Reader and the Medtronic MyCareLink Smart mobile app is vulnerable to bypass. This vulnerability enables an attacker to use another mobile device or malicious application on the patient\u2019s smartphone to authenticate to the patient\u2019s Medtronic Smart Reader, fooling the device into believing it is communicating with the original Medtronic smart phone application when executed within range of Bluetooth communication.</span>\n\n</p>"}], "value": "Medtronic MyCareLink Smart 25000 contains \n\nan authentication protocol vulnerability where the method used to authenticate between the MCL Smart Patient Reader and the Medtronic MyCareLink Smart mobile app is vulnerable to bypass. This vulnerability enables an attacker to use another mobile device or malicious application on the patient\u2019s smartphone to authenticate to the patient\u2019s Medtronic Smart Reader, fooling the device into believing it is communicating with the original Medtronic smart phone application when executed within range of Bluetooth communication."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "HIGH", "baseScore": 8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-287", "description": "CWE-287 Improper Authentication", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "shortName": "icscert", "dateUpdated": "2025-05-22T19:34:29.069Z"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://global.medtronic.com/xg-en/product-security/security-bulletins/mycarelink-smart-security-vulnerability-patch.html"}, {"url": "https://www.cisa.gov/news-events/ics-medical-advisories/icsma-20-345-01"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>A firmware update to eliminates these vulnerabilities has been developed by Medtronic and is available by updating the MyCareLink Smartapp via the associated mobile application store. Upgrading to the latest v5.2 mobile application version will ensure the Patient Reader is also updated on next use. The user\u2019s smart phone must be updated to the following operating system version for the patches to be applied: iOS 10 and above; Android 6.0 and above.</p><p>Medtronic has released additional <a target=\"_blank\" rel=\"nofollow\" href=\"https://www.medtronic.com/security\">patient focused information</a>: </p><p><a target=\"_blank\" rel=\"nofollow\" href=\"https://www.medtronic.com/xg-en/product-security/security-bulletins.html\">https://www.medtronic.com/xg-en/product-security/security-bulletins.html </a></p>\n\n<br>"}], "value": "A firmware update to eliminates these vulnerabilities has been developed by Medtronic and is available by updating the MyCareLink Smartapp via the associated mobile application store. Upgrading to the latest v5.2 mobile application version will ensure the Patient Reader is also updated on next use. The user\u2019s smart phone must be updated to the following operating system version for the patches to be applied: iOS 10 and above; Android 6.0 and above.\n\nMedtronic has released additional patient focused information https://www.medtronic.com/security : \n\n https://www.medtronic.com/xg-en/product-security/security-bulletins.html https://www.medtronic.com/xg-en/product-security/security-bulletins.html"}], "source": {"advisory": "ICSMA-20-345-01", "discovery": "EXTERNAL"}, "title": "Medtronic MyCareLink Smart Improper Authentication", "workarounds": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>In response to these vulnerabilities, Medtronic has applied additional controls for monitoring and responding to improper use of the MCL Smart Patient Reader:</p><ul><li>Medtronic has implemented enhanced integrity validation (EIV) technology, which provides early detection and real-time mitigation of known vulnerability exploitation attempts.</li><li>Medtronic has also implemented advanced detection system technology, which enables device-level logging and monitoring of all device activity and behavior.</li></ul><p>Medtronic recommends that users take additional defensive measures to minimize risk. Specifically, users should:</p><ul><li>Maintain good physical control over home monitors.<ul><li>This includes only using home monitors in private environments such as a home, apartment, or otherwise physically controlled environment.</li></ul></li><li>Use only home monitors obtained directly from your healthcare provider or a Medtronic representative.</li><li>Patients should ensure that the operating system of their mobile phone is updated to the latest version of the available Android or Apple iOS operating system.</li></ul><p>Report any concerning behavior regarding these products to your healthcare provider or a Medtronic representative.</p>\n\n<br>"}], "value": "In response to these vulnerabilities, Medtronic has applied additional controls for monitoring and responding to improper use of the MCL Smart Patient Reader:\n\n * Medtronic has implemented enhanced integrity validation (EIV) technology, which provides early detection and real-time mitigation of known vulnerability exploitation attempts.\n * Medtronic has also implemented advanced detection system technology, which enables device-level logging and monitoring of all device activity and behavior.\n\n\nMedtronic recommends that users take additional defensive measures to minimize risk. Specifically, users should:\n\n * Maintain good physical control over home monitors. * This includes only using home monitors in private environments such as a home, apartment, or otherwise physically controlled environment.\n\n\n\n * Use only home monitors obtained directly from your healthcare provider or a Medtronic representative.\n * Patients should ensure that the operating system of their mobile phone is updated to the latest version of the available Android or Apple iOS operating system.\n\n\nReport any concerning behavior regarding these products to your healthcare provider or a Medtronic representative."}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "ics-cert@hq.dhs.gov", "ID": "CVE-2020-25183", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Medtronic MyCareLink Smart 25000 Reader", "version": {"version_data": [{"version_value": "Smart 25000 all versions"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Medtronic MyCareLink Smart 25000 all versions contain an authentication protocol vuln where the method used to auth between MCL Smart Patient Reader and MyCareLink Smart mobile app is vulnerable to bypass. This vuln allows attacker to use other mobile device or malicious app on smartphone to auth to the patient\u2019s Smart Reader, fools the device into thinking its communicating with the actual smart phone application when executed in range of Bluetooth."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "IMPROPER AUTHENTICATION CWE-287"}]}]}, "references": {"reference_data": [{"name": "https://us-cert.cisa.gov/ics/advisories/icsma-20-345-01", "refsource": "MISC", "url": "https://us-cert.cisa.gov/ics/advisories/icsma-20-345-01"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T15:26:09.773Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://us-cert.cisa.gov/ics/advisories/icsma-20-345-01"}]}]}, "cveMetadata": {"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "assignerShortName": "icscert", "cveId": "CVE-2020-25183", "datePublished": "2020-12-14T19:18:44", "dateReserved": "2020-09-04T00:00:00", "dateUpdated": "2025-05-22T19:34:29.069Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:medtronic:mycarelink_smart_model_25000_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "0E4540F2-921F-4B45-9C30-D1E3F7BE741F", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:medtronic:mycarelink_smart_model_25000:-:*:*:*:*:*:*:*", "matchCriteriaId": "06DAC262-42EB-440C-A2B2-3A24A88C05B0", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Medtronic MyCareLink Smart 25000 contains \n\nan authentication protocol vulnerability where the method used to authenticate between the MCL Smart Patient Reader and the Medtronic MyCareLink Smart mobile app is vulnerable to bypass. This vulnerability enables an attacker to use another mobile device or malicious application on the patient\u2019s smartphone to authenticate to the patient\u2019s Medtronic Smart Reader, fooling the device into believing it is communicating with the original Medtronic smart phone application when executed within range of Bluetooth communication."}, {"lang": "es", "value": "Todas las versiones de Medtronic MyCareLink Smart 25000 contienen una vulnerabilidad del protocolo de autenticaci\u00f3n donde el m\u00e9todo usado para la autenticaci\u00f3n entre MCL Smart Patient Reader y la aplicaci\u00f3n m\u00f3vil MyCareLink Smart es vulnerable a una omisi\u00f3n.&#xa0;Esta vulnerabilidad permite al atacante usar otro dispositivo m\u00f3vil o aplicaci\u00f3n maliciosa en el tel\u00e9fono inteligente para autenticarse en el Smart Reader del paciente, enga\u00f1a al dispositivo para que crea que se est\u00e1 comunicando con la aplicaci\u00f3n real del tel\u00e9fono inteligente cuando se ejecutaba en el alcance del Bluetooth."}], "id": "CVE-2020-25183", "lastModified": "2025-05-22T20:15:21.237", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "ADJACENT_NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 5.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:A/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 6.5, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.0, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.1, "impactScore": 5.9, "source": "ics-cert@hq.dhs.gov", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2020-12-14T20:15:12.590", "references": [{"source": "ics-cert@hq.dhs.gov", "url": "https://global.medtronic.com/xg-en/product-security/security-bulletins/mycarelink-smart-security-vulnerability-patch.html"}, {"source": "ics-cert@hq.dhs.gov", "url": "https://www.cisa.gov/news-events/ics-medical-advisories/icsma-20-345-01"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory", "US Government Resource"], "url": "https://us-cert.cisa.gov/ics/advisories/icsma-20-345-01"}], "sourceIdentifier": "ics-cert@hq.dhs.gov", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-287"}], "source": "ics-cert@hq.dhs.gov", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-287"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}