Security bulletins
CareLink Network vulnerabilities
December 4, 2025
As part of our ongoing commitment to cybersecurity and patient safety, Medtronic brought a non-production version of our CareLink™ Network to a security conference for external researchers to interact with in a safe environment. As a result of this collaboration, external security researchers identified four vulnerabilities that Medtronic addressed via a CareLink™ Network release in December 2025. No action from customers is necessary to complete the updates.
The CareLink™ Network is a Medtronic remote monitoring system (web application) for compatible Medtronic cardiovascular implantable electronic devices, including pacemakers and defibrillators, facilitating physicians’ care of patients.
Exploitation of these vulnerabilities would not cause direct patient harm. Under certain circumstances, an attacker could submit a web request to vulnerable application programming interface (API) endpoints to enumerate users, determine valid passwords, and view user information.
These vulnerabilities are specific to the non-medical portion of the CareLink™ Network only and do not apply to CareLink™ home monitors or app-based monitors.
At this time, Medtronic has not observed any cyberattacks, unauthorized access to patient data, or harm to patients related to these findings.
Note: CareLink™ Personal Software for Medtronic diabetes products is a different system and unrelated to this report.
Customers needing additional information about security should contact security@medtronic.com.
For U.S. customers and patients with questions about CareLink: Reach out to Medtronic Stay Connected at 800-929-4043, available Monday through Friday, 7:00 AM to 7:00 PM Central Time.
We want to acknowledge the efforts of security researchers who participated in the Biohacking Village at DEF CON™ 33 and their collaboration with Medtronic through the Coordinated Vulnerability Disclosure process.