CVE-2020-27252

Medtronic MyCareLink Smart Time-of-check Time-of-use Race Condition

CVSS 8.8 HIGHEPSS 3.7%CWE-367

Medtronic MyCareLink Smart 25000 is vulnerable to a race condition in the MCL Smart Patient Reader software update system, which allows unsigned firmware to be uploaded and executed on the Patient Reader. If exploited, an attacker could remotely execute code on the MCL Smart Patient Reader device, leading to control of the device.

CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Affected products

Medtronic · Smart Model 25000 Patient Reader

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://global.medtronic.com/xg-en/product-security/security-bulletins/mycarelink-smart-security-vulnerability-patch.html https://us-cert.cisa.gov/ics/advisories/icsma-20-345-01 https://www.cisa.gov/news-events/ics-medical-advisories/icsma-20-345-01