PatchSiren

PatchSiren cyber security CVE debrief

CVE-2017-5149 Abbott CVE debrief

CVE-2017-5149 describes a man-in-the-middle risk in St. Jude Medical/Abbott Merlin@home because the transmitter does not verify the identities of the endpoints on its communication channel with Merlin.net. That weakness can let an attacker access or influence communications between the device and the service. The CVE was published on 2017-02-13.

Vendor: Abbott
Product: CVE-2017-5149
CVSS: HIGH 8.9
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-02-13
Original CVE updated: 2026-05-13
Advisory published: 2017-02-13
Advisory updated: 2026-05-13

Who should care

Healthcare organizations, biomedical engineering teams, and security staff responsible for Merlin@home deployments, including the RF model EX1150, the inductive model EX1100, and EX1100 systems with MerlinOnDemand capability.

Technical summary

The core flaw is missing endpoint identity verification on the Merlin@home communication path. Without that check, a network-positioned attacker may be able to intercept or alter traffic in transit. The CVE description states that affected versions are prior to 8.2.2; NVD CPE data also marks Merlin@home firmware through 8.0 and identifies the EX1100 and EX1150 hardware models. NVD classifies the weakness as CWE-476.
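To make the class of weakness concrete from a defender's side, the following added example (not Abbott's or Merlin@home's code, and assuming nothing about the transmitter's internals) contrasts a TLS client context that encrypts without authenticating the far end with one that validates the certificate chain, matches the hostname, and optionally presents a client certificate so the service can identify the device too. The audit_context helper is the kind of check a reviewer would run over an application's TLS setup; the service hostname used is taken from the advisory, and everything else is constructed for illustration.

```python
import socket
import ssl
from typing import List, Optional, Tuple

# Hostname the client expects to authenticate; the advisory names Merlin.net as
# the service endpoint. Port and connection details are constructed assumptions.
SERVICE_HOST = "merlin.net"


def weak_context() -> ssl.SSLContext:
    """A TLS context that encrypts but never checks who is on the other end.

    This is the shape of the flaw the advisory describes: with no endpoint
    identity verification, anyone able to sit on the network path can present
    their own certificate and relay or alter the traffic.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False                          # hostname never matched
    ctx.verify_mode = ssl.CERT_NONE                     # chain never validated
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED  # any version accepted
    return ctx


def hardened_context(ca_bundle: Optional[str] = None,
                     client_cert: Optional[Tuple[str, str]] = None) -> ssl.SSLContext:
    """A TLS context that authenticates the server and optionally the client.

    ca_bundle:   path to the CA certificate(s) allowed to vouch for the service;
                 None falls back to the platform trust store.
    client_cert: optional (certfile, keyfile) pair for mutual TLS, so the
                 service can verify the device's identity as well.
    """
    ctx = ssl.create_default_context(cafile=ca_bundle)   # CERT_REQUIRED by default
    ctx.check_hostname = True                            # certificate must match host
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2         # refuse legacy protocol versions
    if client_cert is not None:
        certfile, keyfile = client_cert
        ctx.load_cert_chain(certfile=certfile, keyfile=keyfile)
    return ctx


def audit_context(ctx: ssl.SSLContext) -> List[str]:
    """Return identity-verification findings for a context; an empty list is clean."""
    findings: List[str] = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("peer certificate is not validated (verify_mode != CERT_REQUIRED)")
    if not ctx.check_hostname:
        findings.append("hostname is not matched against the certificate (check_hostname=False)")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("TLS versions below 1.2 are allowed")
    return findings


def open_channel(ctx: ssl.SSLContext, host: str = SERVICE_HOST, port: int = 443) -> ssl.SSLSocket:
    """Open a TLS connection; server_hostname is what check_hostname compares against.

    Not exercised offline; shown only to make the enforcement point visible.
    """
    raw = socket.create_connection((host, port))
    return ctx.wrap_socket(raw, server_hostname=host)


if __name__ == "__main__":
    for name, ctx in (("weak", weak_context()), ("hardened", hardened_context())):
        print(f"{name}: {audit_context(ctx) or 'no findings'}")
```

Running the block prints three findings for the weak context and none for the hardened one. The point for an asset owner is that encryption alone is not the control; the server's identity must be bound to a certificate chain the device trusts, and the hostname must be checked at the wrap_socket step, otherwise an on-path party can terminate the session itself.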

Defensive priority

High. NVD rates the issue 8.9 (HIGH) with a network attack vector and high integrity/availability impact, so affected environments should treat remediation as urgent.

Recommended defensive actions

  • Inventory Merlin@home deployments and identify EX1150, EX1100, and EX1100 with MerlinOnDemand systems.
  • Upgrade affected Merlin@home software/firmware to version 8.2.2 or later, per the CVE description.
  • Follow any vendor or US-CERT mitigation guidance for securing Merlin.net communications and related device communications.
  • If upgrading cannot happen immediately, isolate affected systems as much as possible and monitor for abnormal network activity involving Merlin@home devices.

Evidence notes

The source corpus includes the official CVE record and NVD detail, which provide the published date, severity, CVSS vector (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:H/A:H), and CWE-476 classification. NVD's reference list cites ICS-CERT advisory ICSMA-17-009-01A and a SecurityFocus BID entry. There is a scope discrepancy worth noting: the CVE description says versions prior to 8.2.2, while the NVD CPE data in the supplied corpus marks Merlin@home firmware through 8.0 as vulnerable.

Official resources

Published on 2017-02-13T22:59:00.303Z and modified on 2026-05-13T00:24:29.033Z. The later modified date reflects record updates, not the issue date.