July 24, 2025

Summary

An external security researcher identified vulnerabilities related to the MyCareLink™ patient monitor. These vulnerabilities relate to specific functions and interfaces associated with the MyCareLink™ patient monitor Models 24950 and 24952.

The MyCareLink™ patient monitor is a part of the remote monitoring system for patients with Medtronic implantable cardiac devices. This system enables patients to securely transmit their cardiac device data to the Medtronic CareLink™ network. Clinicians can then access the transmitted data, supporting timely review and management of the patient’s cardiac health.

Exploitation of these vulnerabilities would not cause direct patient harm, but could potentially lead to system compromise, unauthorized access to sensitive data, and manipulation of the monitor’s functionality.

Medtronic has not observed malicious exploitation related to these vulnerabilities.

Products impacted

  • MyCareLink™ patient monitor Model 24950, all versions
  • MyCareLink™ patient monitor Model 24952, all versions

The identified vulnerabilities were reported as low-risk findings. An attacker would need to physically tamper with the monitor to exploit them. In response, starting in June 2025, Medtronic began deploying security updates to address these findings.

Recommended actions from Medtronic

  • The security update process is performed automatically when the monitor is connected to the internet. Patients should ensure that their remote monitor is plugged in to receive updates.
  • Physicians should continue to prescribe monitors as intended.
  • Patients should maintain possession of their home monitor.
  • Patients should only use home monitors provided directly by a healthcare provider or a Medtronic representative.

For more information

Customers needing additional information should contact security@medtronic.com.

For U.S. customers and patients only: Reach out to Medtronic Stay Connected at 800-929-4043, available Monday through Friday 7:00 AM to 7:00 PM Central Time.
 

References:

CVE-2025-4393
CVE-2025-4394
CVE-2025-4395

Cybersecurity and Infrastructure Security Agency (CISA) has published a corresponding security advisory related to this disclosure.

We want to acknowledge the efforts of security researchers Ethan Morchy from Somerset Recon and Carl Mann, an independent researcher, in collaborating with Medtronic through the Coordinated Vulnerability Disclosure process.
