CVE-2025-4397 PUBLISHED

Medtronic MyCareLink Patient Monitor Data Encryption Weakness

Assigner: Medtronic
Reserved: 06.05.2025 Published: 07.05.2026 Updated: 07.05.2026

Medtronic MyCareLink Patient Monitor uses per-product credentials that are stored in a recoverable format. An attacker can use these credentials to modify encrypted drive data.

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS Score: 6.8

Attack Vector	Physical	Scope	Unchanged
Attack Complexity	Low	Confidentiality Impact	High
Privileges Required	None	Integrity Impact	High
User Interaction	None	Availability Impact	High

CVSS 3.1

Product Status

Vendor	Medtronic
Product	MyCareLink Patient Monitor 24950
Versions	Default: unaffected affected from 0 to February 25, 2026 (excl.)

Vendor	Medtronic
Product	MyCareLink Patient Monitor 24952
Versions	Default: unaffected affected from 0 to February 25, 2026 (excl.)

Credits

Ethan Morchy, with Somerset Recon finder
Carl Mann, independent researcher finder
Billy Rios, Jesse Young, and Jonathan Butts of Whitescope LLC reported these vulnerabilities finder

CVE-2025-4397 PUBLISHED

Medtronic MyCareLink Patient Monitor Data Encryption Weakness

Metrics

Product Status

Credits

References

Problem Types

Impacts