Strix
26.1K

CVE-2019-6540

MEDIUMCVSS 6.5/10EPSS 0.19%

Last modified

CVE-2019-6540 is a medium-severity vulnerability rated 6.5/10 on the CVSS scale. The Conexus telemetry protocol utilized within Medtronic MyCareLink Monitor versions 24950 and 24952, CareLink Monitor version 2490C, CareLink 2090 Programmer, Amplia CRT-D, Claria CRT-D, Compia CRT-D, Concerto CRT-D, Concerto II CRT-D, Consulta CRT-D, Evera ICD, Maximo II CRT-D and ICD, Mirro ICD, Nayamed ND ICD, Primo ICD, Protecta ICD and CRT-D, Secura ICD, Virtuoso ICD, Virtuoso II ICD, Visia AF ICD, and Viva CRT-D does not implement encryption. An attacker with adjacent short-range access to a target product can listen to communications, including the transmission of sensitive data.. EPSS estimates a 0.19% chance of exploitation in the next 30 days.

Description

The Conexus telemetry protocol utilized within Medtronic MyCareLink Monitor versions 24950 and 24952, CareLink Monitor version 2490C, CareLink 2090 Programmer, Amplia CRT-D, Claria CRT-D, Compia CRT-D, Concerto CRT-D, Concerto II CRT-D, Consulta CRT-D, Evera ICD, Maximo II CRT-D and ICD, Mirro ICD, Nayamed ND ICD, Primo ICD, Protecta ICD and CRT-D, Secura ICD, Virtuoso ICD, Virtuoso II ICD, Visia AF ICD, and Viva CRT-D does not implement encryption. An attacker with adjacent short-range access to a target product can listen to communications, including the transmission of sensitive data.

Metrics

CVSS 3.1
6.5/10

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

EPSS Probability
0.19%

9.4th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

Affected Software

VendorProductVersions
MedtronicMycarelink Monitor 24950 FirmwareAll versions
MedtronicMycarelink Monitor 24952 FirmwareAll versions
MedtronicCarelink Monitor 2490c FirmwareAll versions
MedtronicCarelink 2090 FirmwareAll versions
MedtronicAmplia Crt-D FirmwareAll versions
MedtronicClaria Crt-D FirmwareAll versions
MedtronicCompia Crt-D FirmwareAll versions
MedtronicConcerto Crt-D FirmwareAll versions
MedtronicConcerto Ii Crt-D FirmwareAll versions
MedtronicConsulta Crt-D FirmwareAll versions
MedtronicEvera Icd FirmwareAll versions
MedtronicMaximo Ii Crt-D FirmwareAll versions
MedtronicMaximo Ii Icd FirmwareAll versions
MedtronicMirro Icd FirmwareAll versions
MedtronicNayamed Nd Icd FirmwareAll versions
MedtronicPrimo Icd FirmwareAll versions
MedtronicProtecta Icd FirmwareAll versions
MedtronicProtecta Crt-D FirmwareAll versions
MedtronicSecura Icd FirmwareAll versions
MedtronicVirtuoso Icd FirmwareAll versions
MedtronicVirtuoso Ii Icd FirmwareAll versions
MedtronicVisia Af Icd FirmwareAll versions
MedtronicViva Crt-D FirmwareAll versions

References

Timeline

Published
Last Modified
Status
Modified

Frequently Asked Questions

What is CVE-2019-6540?
The Conexus telemetry protocol utilized within Medtronic MyCareLink Monitor versions 24950 and 24952, CareLink Monitor version 2490C, CareLink 2090 Programmer, Amplia CRT-D, Claria CRT-D, Compia CRT-D, Concerto CRT-D, Concerto II CRT-D, Consulta CRT-D, Evera ICD, Maximo II CRT-D and ICD, Mirro ICD, Nayamed ND ICD, Primo ICD, Protecta ICD and CRT-D, Secura ICD, Virtuoso ICD, Virtuoso II ICD, Visia AF ICD, and Viva CRT-D does not implement encryption. An attacker with adjacent short-range access to a target product can listen to communications, including the transmission of sensitive data.
How severe is CVE-2019-6540?
CVE-2019-6540 has a CVSS score of 6.5/10 (MEDIUM severity). The EPSS model estimates a 0.19% probability of exploitation in the next 30 days.
How do I fix CVE-2019-6540?
Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2019-6540?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST