PatchSiren

CVE-2018-10622 Medtronic CVE debrief

CVE-2018-10622 describes a weakness in Medtronic MyCareLink Patient Monitor models 24950 and 24952 where per-product credentials are stored in a recoverable format. CISA says an attacker could use those credentials for network authentication. The advisory characterizes the issue as a low-risk finding and notes that physical tampering with the monitor would be needed to exploit it. Medtronic began deploying security updates in June 2025, and CISA’s CSAF record was initially published on 2025-07-24 with an Update A revision on 2026-05-07.

Vendor: Medtronic
Product: MyCareLink Patient Monitor model 24950
CVSS: MEDIUM 6.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2018-08-10
Original CVE updated: 2026-05-19
Advisory published: 2018-08-10
Advisory updated: 2026-05-19

Who should care

Healthcare organizations, clinicians, biomedical engineering teams, home-monitor support staff, and patients using Medtronic MyCareLink Patient Monitor units should care. Security teams responsible for connected medical devices and inventory of patient-owned home monitors should also review it.

Technical summary

The advisory states that Medtronic MyCareLink Patient Monitor uses per-product credentials stored in a recoverable format. If an attacker physically tampers with the device, those credentials may be extracted and then used for network authentication. CISA links the issue to MyCareLink Patient Monitor models 24950 and 24952 and assigns the CVSS 3.1 vector AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (6.8, Medium).

Defensive priority

Medium priority. The issue is impactful because recovered credentials could enable unauthorized network authentication, but the advisory indicates physical tampering is required and Medtronic classed the findings as low-risk. Prioritize verification that affected monitors receive the security update and that patients retain possession of the devices.

Recommended defensive actions

  • Ensure affected home monitors are connected to the internet so the automatic security update process can complete.
  • Verify whether MyCareLink Patient Monitor models 24950 or 24952 are in your fleet or patient inventory.
  • Keep home monitors in the possession of the intended user and do not transfer devices outside approved channels.
  • Prescribe and distribute monitors only as intended, using devices provided directly by a healthcare provider or a Medtronic representative.
  • If additional assistance is needed, contact Medtronic security at [email protected].
  • Follow CISA guidance on securing IoT devices and home network security for connected medical equipment.

Evidence notes

All substantive claims here are taken from the supplied CISA CSAF record and its remediation text. The record identifies Medtronic MyCareLink Patient Monitor models 24950 and 24952, states that per-product credentials are stored in a recoverable format, and says an attacker can use them for network authentication. The remediation text says the findings were reported as low-risk, exploitation would require physical tampering, and security updates began deploying in June 2025. The supplied metadata also provides the CVSS 3.1 vector and the publication/update dates for the advisory record.

Official resources

Publicly disclosed in CISA CSAF advisory ICSMA-25-205-01 on 2025-07-24, with Update A on 2026-05-07. Use the advisory publication date, not the later enrichment or review time, as the issue-disclosure context.