CVE-2018-10622 (GCVE-0-2018-10622)
Vulnerability from cvelistv5
Published
2018-08-10 18:00
Modified
2026-06-04 14:48
Severity ?
VLAI Severity ?
EPSS score ?
CWE
Summary
Medtronic MyCareLink Patient Monitor uses per-product credentials that
are stored in a recoverable format. An attacker can use these
credentials to modify encrypted drive data.
References
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Medtronic | 24950 MyCareLink Monitor |
Version: All versions |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T07:46:47.036Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "105042",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/105042"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://ics-cert.us-cert.gov/advisories/ICSMA-18-219-01"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "24950 MyCareLink Monitor",
"vendor": "Medtronic",
"versions": [
{
"status": "affected",
"version": "All versions"
}
]
},
{
"defaultStatus": "unaffected",
"product": "24952 MyCareLink Monitor",
"vendor": "Medtronic",
"versions": [
{
"status": "affected",
"version": "All versions"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Billy Rios, Jesse Young, and Jonathan Butts of Whitescope LLC reported these vulnerabilities to CISA."
}
],
"datePublic": "2026-05-07T06:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003e\nMedtronic MyCareLink Patient Monitor uses per-product credentials that \nare stored in a recoverable format. An attacker can use these \ncredentials to modify encrypted drive data.\n\n\u003c/p\u003e"
}
],
"value": "Medtronic MyCareLink Patient Monitor uses per-product credentials that \nare stored in a recoverable format. An attacker can use these \ncredentials to modify encrypted drive data."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "PHYSICAL",
"availabilityImpact": "HIGH",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-313",
"description": "CWE-313",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-04T14:48:31.967Z",
"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"shortName": "icscert"
},
"references": [
{
"name": "105042",
"url": "https://global.medtronic.com/xg-en/product-security/security-bulletins/mycarelink-8-7-18.html"
},
{
"url": "https://www.cisa.gov/news-events/ics-medical-advisories/icsma-18-219-01"
},
{
"tags": [
"vdb-entry"
],
"url": "http://www.securityfocus.com/bid/105042"
},
{
"url": "https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2018/icsma-18-219-01.json"
}
],
"source": {
"advisory": "ICSMA-18-219-01",
"discovery": "EXTERNAL"
},
"title": "Medtronic MyCareLink 24950 Patient Monitor Cleartext Storage in a File or on Disk",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eMedtronic recommends users take additional defensive measures to minimize the risk of exploitation. Specifically, users should:\u003c/p\u003e\n\u003cul\u003e\u003cli\u003eMaintain good physical control over the home monitor.\u003c/li\u003e\u003cli\u003eOnly use home monitors obtained directly from their healthcare \nprovider or a Medtronic representative to ensure integrity of the \nsystem.\u003c/li\u003e\u003c/ul\u003e"
}
],
"value": "Medtronic recommends users take additional defensive measures to minimize the risk of exploitation. Specifically, users should:\n\n\n * Maintain good physical control over the home monitor.\n * Only use home monitors obtained directly from their healthcare \nprovider or a Medtronic representative to ensure integrity of the \nsystem."
},
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eMedtronic has released additional patient focused information, at the following location:\u003c/p\u003e\n\u003cp\u003e\u003ca href=\"https://www.medtronic.com/security\"\u003ehttps://www.medtronic.com/security\u003c/a\u003e\u003c/p\u003e"
}
],
"value": "Medtronic has released additional patient focused information, at the following location:\n\n\n\n\n https://www.medtronic.com/security"
},
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Users should follow CISA\u0027s guidance in the following areas:\u003cbr\u003e\n* \u003ca href=\"https://www.cisa.gov/news-events/news/securing-internet-things-iot\"\u003eSecuring the Internet of Things\u003c/a\u003e\u003cbr\u003e\n* \u003ca href=\"https://www.cisa.gov/news-events/news/home-network-security\"\u003eHome Network Security\u003c/a\u003e"
}
],
"value": "Users should follow CISA\u0027s guidance in the following areas:\n\n* Securing the Internet of Things https://www.cisa.gov/news-events/news/securing-internet-things-iot \n\n* Home Network Security https://www.cisa.gov/news-events/news/home-network-security"
}
],
"x_generator": {
"engine": "Vulnogram 0.2.0"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "ics-cert@hq.dhs.gov",
"DATE_PUBLIC": "2018-08-07T00:00:00",
"ID": "CVE-2018-10626",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Medtronic MyCareLink 24950, 24952 Patient Monitor",
"version": {
"version_data": [
{
"version_value": "All versions"
}
]
}
}
]
},
"vendor_name": "ICS-CERT"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A vulnerability was discovered in all versions of Medtronic MyCareLink 24950 and 24952 Patient Monitor. The affected product\u0027s update service does not sufficiently verify the authenticity of the data uploaded. An attacker who obtains per-product credentials from the monitor and paired implantable cardiac device information can potentially upload invalid data to the Medtronic CareLink network."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "INSUFFICIENT VERIFICATION OF DATA AUTHENTICITY CWE-345"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "105042",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/105042"
},
{
"name": "https://ics-cert.us-cert.gov/advisories/ICSMA-18-219-01",
"refsource": "MISC",
"url": "https://ics-cert.us-cert.gov/advisories/ICSMA-18-219-01"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"assignerShortName": "icscert",
"cveId": "CVE-2018-10622",
"datePublished": "2018-08-10T18:00:00.000Z",
"dateReserved": "2018-05-01T00:00:00.000Z",
"dateUpdated": "2026-06-04T14:48:31.967Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.
Loading…
Loading…