CVE-2020-25183

Medtronic MyCareLink Smart 25000 contains an authentication protocol vulnerability where the method used to authenticate between the MCL Smart Patient Reader and the Medtronic MyCareLink Smart mobile app is vulnerable to bypass. This vulnerability enables an attacker to use another mobile device or malicious application on the patient’s smartphone to authenticate to the patient’s Medtronic Smart Reader, fooling the device into believing it is communicating with the original Medtronic smart phone application when executed within range of Bluetooth communication.

CVSS v3 8.0 HIGH
CVSS v2.0 5.8 MEDIUM

8.0^/10

CVSS v3 : HIGH

Vector :

Exploitability : 2.1 / Impact : 5.9

Attack Vector ADJACENT_NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

5.8^/10

CVSS v2.0 : MEDIUM

Vector : AV:A/AC:L/Au:N/C:P/I:P/A:P

Exploitability : 6.5 / Impact : 6.4

Access Vector ADJACENT_NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

References

Link	Resource
https://global.medtronic.com/xg-en/product-security/security-bulletins/mycarelink-smart-security-vulnerability-patch.html
https://www.cisa.gov/news-events/ics-medical-advisories/icsma-20-345-01
https://us-cert.cisa.gov/ics/advisories/icsma-20-345-01	Third Party Advisory US Government Resource

Configurations

Configuration 1 (hide)

AND

cpe:2.3:o:medtronic:mycarelink_smart_model_25000_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:medtronic:mycarelink_smart_model_25000:-:*:*:*:*:*:*:*

History

No history.

Information

Published : 2020-12-14 20:15

Updated : 2025-05-22 20:15

NVD link : CVE-2020-25183

Mitre link : CVE-2020-25183

CVE.ORG link : CVE-2020-25183

JSON object : View

Products Affected

medtronic

mycarelink_smart_model_25000
mycarelink_smart_model_25000_firmware

CWE

CWE-287

Improper Authentication

{"id": "CVE-2020-25183", "cveTags": [], "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "[email protected]", "cvssData": {"version": "2.0", "baseScore": 5.8, "accessVector": "ADJACENT_NETWORK", "vectorString": "AV:A/AC:L/Au:N/C:P/I:P/A:P", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "LOW", "availabilityImpact": "PARTIAL", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 6.4, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 6.5, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Secondary", "source": "[email protected]", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.0, "attackVector": "ADJACENT_NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.1}, {"type": "Primary", "source": "[email protected]", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "ADJACENT_NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.8}]}, "published": "2020-12-14T20:15:12.590", "references": [{"url": "https://global.medtronic.com/xg-en/product-security/security-bulletins/mycarelink-smart-security-vulnerability-patch.html", "source": "[email protected]"}, {"url": "https://www.cisa.gov/news-events/ics-medical-advisories/icsma-20-345-01", "source": "[email protected]"}, {"url": "https://us-cert.cisa.gov/ics/advisories/icsma-20-345-01", "tags": ["Third Party Advisory", "US Government Resource"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Secondary", "source": "[email protected]", "description": [{"lang": "en", "value": "CWE-287"}]}, {"type": "Primary", "source": "[email protected]", "description": [{"lang": "en", "value": "CWE-287"}]}], "descriptions": [{"lang": "en", "value": "Medtronic MyCareLink Smart 25000 contains \n\nan authentication protocol vulnerability where the method used to authenticate between the MCL Smart Patient Reader and the Medtronic MyCareLink Smart mobile app is vulnerable to bypass. This vulnerability enables an attacker to use another mobile device or malicious application on the patient\u2019s smartphone to authenticate to the patient\u2019s Medtronic Smart Reader, fooling the device into believing it is communicating with the original Medtronic smart phone application when executed within range of Bluetooth communication."}, {"lang": "es", "value": "Todas las versiones de Medtronic MyCareLink Smart 25000 contienen una vulnerabilidad del protocolo de autenticaci\u00f3n donde el m\u00e9todo usado para la autenticaci\u00f3n entre MCL Smart Patient Reader y la aplicaci\u00f3n m\u00f3vil MyCareLink Smart es vulnerable a una omisi\u00f3n. Esta vulnerabilidad permite al atacante usar otro dispositivo m\u00f3vil o aplicaci\u00f3n maliciosa en el tel\u00e9fono inteligente para autenticarse en el Smart Reader del paciente, enga\u00f1a al dispositivo para que crea que se est\u00e1 comunicando con la aplicaci\u00f3n real del tel\u00e9fono inteligente cuando se ejecutaba en el alcance del Bluetooth."}], "lastModified": "2025-05-22T20:15:21.237", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:medtronic:mycarelink_smart_model_25000_firmware:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "0E4540F2-921F-4B45-9C30-D1E3F7BE741F"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:medtronic:mycarelink_smart_model_25000:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "06DAC262-42EB-440C-A2B2-3A24A88C05B0"}], "operator": "OR"}], "operator": "AND"}], "sourceIdentifier": "[email protected]"}