January 30, 2025

Summary

Medtronic verified that a vulnerability found in software from BeyondTrust, a third-party supplier, applies to the RemoteView™ and RemoteControl™ capabilities used primarily by Medtronic representatives to provide remote support with the CareLink™ 2090 programmer.

Medtronic has no indications of compromise to RemoteView™ and/or RemoteControl™, and no actions need to be taken.

On January 7, 2025, Medtronic decommissioned RemoteView™ and RemoteControl™ out of an abundance of caution. To arrange alternative support, Medtronic representatives will continue to work with customers where this service was leveraged.


Products impacted

  • RemoteView™, a feature available on the Medtronic CareLink™ 2090 programmer
  • RemoteControl™, an additional software product designed as an extension of RemoteView™ for use with the Medtronic CareLink™ 2090 programmer 

Vulnerability overview

The National Vulnerability Database (NVD) published CVE-2024-12356, a critical vulnerability in Privileged Remote Access (PRA) and Remote Support (RS) products from BeyondTrust. This vulnerability could “allow an unauthenticated attacker to inject commands that are run as a site user.” Additionally, the Cybersecurity and Infrastructure Security Agency (CISA) released a Known Exploited Vulnerability (KEV) alert associated with these BeyondTrust software products. 

Medtronic has eliminated this vulnerability by disabling the servers supporting RemoteView™ and RemoteControl™ in its hosted IT environment. The CareLink™ 2090 programmer remains fully functional for in-person clinical use. 

Medtronic has not observed exploitation or access to data related to this issue.


Recommended actions

No customer actions are required.


