Home

Description

Medtronic MyCareLink Patient Monitor has an internal service that deserializes data, which allows a local attacker to interact with the service by crafting a binary payload to crash the service or elevate privileges. This issue affects MyCareLink Patient Monitor models 24950 and 24952: before June 25, 2025

PUBLISHED Reserved 2025-05-06 | Published 2025-07-24 | Updated 2026-03-27 | Assigner Medtronic




MEDIUM: 6.5CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:H

Problem types

CWE-502 Deserialization of Untrusted Data

Product status

Default status
unaffected

Any version before June 25, 2025
affected

Default status
unaffected

Any version before June 25, 2025
affected

Credits

Ethan Morchy, with Somerset Recon finder

Carl Mann, independent researcher finder

References

www.medtronic.com/...nk-patient-monitor-vulnerabilities.html vendor-advisory

www.cisa.gov/...vents/ics-medical-advisories/icsma-25-205-01 third-party-advisory

cve.org (CVE-2025-4393)

nvd.nist.gov (CVE-2025-4393)

Download JSON