Home

Description

Medtronic MyCareLink Patient Monitor has a built-in user account with an empty password, which allows an attacker with physical access to log in with no password and access modify system functionality. This issue affects MyCareLink Patient Monitor models 24950 and 24952: before June 25, 2025

PUBLISHED Reserved 2025-05-06 | Published 2025-07-24 | Updated 2026-03-27 | Assigner Medtronic




MEDIUM: 6.8CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Problem types

CWE-258 Empty Password in Configuration File

Product status

Default status
unaffected

Any version before June 25, 2025
affected

Default status
unaffected

Any version before June 25, 2025
affected

Credits

Ethan Morchy, with Somerset Recon finder

Carl Mann, independent researcher finder

References

www.medtronic.com/...nk-patient-monitor-vulnerabilities.html vendor-advisory

www.cisa.gov/...vents/ics-medical-advisories/icsma-25-205-01 third-party-advisory

cve.org (CVE-2025-4395)

nvd.nist.gov (CVE-2025-4395)

Download JSON