Search criteria
3 vulnerabilities found for MiniMed Paradigm 522K/722K pumps by Medtronic
VAR-201906-1020
Vulnerability from variot - Updated: 2023-12-18 13:52In Medtronic MinMed 508 and Medtronic Minimed Paradigm Insulin Pumps, Versions, MiniMed 508 pump – All versions, MiniMed Paradigm 511 pump – All versions, MiniMed Paradigm 512/712 pumps – All versions, MiniMed Paradigm 712E pump–All versions, MiniMed Paradigm 515/715 pumps–All versions, MiniMed Paradigm 522/722 pumps – All versions,MiniMed Paradigm 522K/722K pumps – All versions, MiniMed Paradigm 523/723 pumps – Software versions 2.4A or lower, MiniMed Paradigm 523K/723K pumps – Software, versions 2.4A or lower, MiniMed Paradigm Veo 554/754 pumps – Software versions 2.6A or lower, MiniMed Paradigm Veo 554CM and 754CM models only – Software versions 2.7A or lower, the affected insulin pumps are designed to communicate using a wireless RF with other devices, such as blood glucose meters, glucose sensor transmitters, and CareLink USB devices. This wireless RF communication protocol does not properly implement authentication or authorization. An attacker with adjacent access to one of the affected insulin pump models can inject, replay, modify, and/or intercept data. This vulnerability could also allow attackers to change pump settings and control insulin delivery. plural Medtronic Minimed The product contains an access control vulnerability.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. Multiple Medtronic Products are prone to an security-bypass vulnerability. Successful exploits may allow an attacker to bypass certain security restrictions and to perform unauthorized actions; this may aid in launching further attacks. Medtronic MiniMed 508 pump and others are insulin pumps from Medtronic. This vulnerability stems from network systems or products not properly restricting access to resources from unauthorized roles
Show details on source website{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"configurations": {
"@id": "https://www.variotdbs.pl/ref/configurations"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"exploit_availability": {
"@id": "https://www.variotdbs.pl/ref/exploit_availability/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"patch": {
"@id": "https://www.variotdbs.pl/ref/patch/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"threat_type": {
"@id": "https://www.variotdbs.pl/ref/threat_type/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
},
"type": {
"@id": "https://www.variotdbs.pl/ref/type/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-201906-1020",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": "minimed paradigm 722k",
"scope": "eq",
"trust": 1.0,
"vendor": "medtronic",
"version": "*"
},
{
"model": "minimed paradigm 723",
"scope": "lte",
"trust": 1.0,
"vendor": "medtronic",
"version": "2.4a"
},
{
"model": "minimed paradigm 722",
"scope": "eq",
"trust": 1.0,
"vendor": "medtronic",
"version": "*"
},
{
"model": "minimed paradigm 512",
"scope": "eq",
"trust": 1.0,
"vendor": "medtronic",
"version": "*"
},
{
"model": "minimed paradigm 712e",
"scope": "eq",
"trust": 1.0,
"vendor": "medtronic",
"version": "*"
},
{
"model": "minimed paradigm 523",
"scope": "lte",
"trust": 1.0,
"vendor": "medtronic",
"version": "2.4a"
},
{
"model": "minimed paradigm 712",
"scope": "eq",
"trust": 1.0,
"vendor": "medtronic",
"version": "*"
},
{
"model": "minimed paradigm 511",
"scope": "eq",
"trust": 1.0,
"vendor": "medtronic",
"version": "*"
},
{
"model": "minimed 508",
"scope": "eq",
"trust": 1.0,
"vendor": "medtronic",
"version": "*"
},
{
"model": "minimed paradigm 723k",
"scope": "lte",
"trust": 1.0,
"vendor": "medtronic",
"version": "2.4a"
},
{
"model": "minimed paradigm veo 554cm",
"scope": "lte",
"trust": 1.0,
"vendor": "medtronic",
"version": "2.7a"
},
{
"model": "minimed paradigm veo 754",
"scope": "lte",
"trust": 1.0,
"vendor": "medtronic",
"version": "2.6a"
},
{
"model": "minimed paradigm veo 754cm",
"scope": "eq",
"trust": 1.0,
"vendor": "medtronic",
"version": null
},
{
"model": "minimed paradigm 715",
"scope": "eq",
"trust": 1.0,
"vendor": "medtronic",
"version": "*"
},
{
"model": "minimed paradigm 515",
"scope": "eq",
"trust": 1.0,
"vendor": "medtronic",
"version": "*"
},
{
"model": "minimed paradigm 522",
"scope": "eq",
"trust": 1.0,
"vendor": "medtronic",
"version": "*"
},
{
"model": "minimed paradigm 522k",
"scope": "eq",
"trust": 1.0,
"vendor": "medtronic",
"version": "*"
},
{
"model": "minimed paradigm veo 554",
"scope": "lte",
"trust": 1.0,
"vendor": "medtronic",
"version": "2.6a"
},
{
"model": "minimed paradigm 523k",
"scope": "lte",
"trust": 1.0,
"vendor": "medtronic",
"version": "2.4a"
},
{
"model": "minimed 508",
"scope": null,
"trust": 0.8,
"vendor": "medtronic",
"version": null
},
{
"model": "minimed paradigm 511",
"scope": null,
"trust": 0.8,
"vendor": "medtronic",
"version": null
},
{
"model": "minimed paradigm 512",
"scope": null,
"trust": 0.8,
"vendor": "medtronic",
"version": null
},
{
"model": "minimed paradigm 515",
"scope": null,
"trust": 0.8,
"vendor": "medtronic",
"version": null
},
{
"model": "minimed paradigm 522",
"scope": null,
"trust": 0.8,
"vendor": "medtronic",
"version": null
},
{
"model": "minimed paradigm 522k",
"scope": null,
"trust": 0.8,
"vendor": "medtronic",
"version": null
},
{
"model": "minimed paradigm 712",
"scope": null,
"trust": 0.8,
"vendor": "medtronic",
"version": null
},
{
"model": "minimed paradigm 712e",
"scope": null,
"trust": 0.8,
"vendor": "medtronic",
"version": null
},
{
"model": "minimed paradigm 715",
"scope": null,
"trust": 0.8,
"vendor": "medtronic",
"version": null
},
{
"model": "minimed paradigm 722",
"scope": null,
"trust": 0.8,
"vendor": "medtronic",
"version": null
},
{
"model": "minimed paradigm veo 554cm and 754cm models 2.7a",
"scope": null,
"trust": 0.3,
"vendor": "medtronic",
"version": null
},
{
"model": "minimed paradigm veo pumps 2.6a",
"scope": "eq",
"trust": 0.3,
"vendor": "medtronic",
"version": "554/754"
},
{
"model": "minimed paradigm 712e pump",
"scope": "eq",
"trust": 0.3,
"vendor": "medtronic",
"version": "0"
},
{
"model": "minimed paradigm 523k/723k pumps 2.4a",
"scope": null,
"trust": 0.3,
"vendor": "medtronic",
"version": null
},
{
"model": "minimed paradigm pumps 2.4a",
"scope": "eq",
"trust": 0.3,
"vendor": "medtronic",
"version": "523/723"
},
{
"model": "minimed paradigm 522k/722k pumps",
"scope": "eq",
"trust": 0.3,
"vendor": "medtronic",
"version": "0"
},
{
"model": "minimed paradigm pumps",
"scope": "eq",
"trust": 0.3,
"vendor": "medtronic",
"version": "522/7220"
},
{
"model": "minimed paradigm pumps",
"scope": "eq",
"trust": 0.3,
"vendor": "medtronic",
"version": "515/7150"
},
{
"model": "minimed paradigm pumps",
"scope": "eq",
"trust": 0.3,
"vendor": "medtronic",
"version": "512/7120"
},
{
"model": "minimed paradigm pump",
"scope": "eq",
"trust": 0.3,
"vendor": "medtronic",
"version": "5110"
},
{
"model": "minimed pump",
"scope": "eq",
"trust": 0.3,
"vendor": "medtronic",
"version": "5080"
}
],
"sources": [
{
"db": "BID",
"id": "108926"
},
{
"db": "JVNDB",
"id": "JVNDB-2019-006089"
},
{
"db": "NVD",
"id": "CVE-2019-10964"
}
]
},
"configurations": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/configurations#",
"children": {
"@container": "@list"
},
"cpe_match": {
"@container": "@list"
},
"data": {
"@container": "@list"
},
"nodes": {
"@container": "@list"
}
},
"data": [
{
"CVE_data_version": "4.0",
"nodes": [
{
"children": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:medtronic:minimed_508_firmware:*:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:h:medtronic:minimed_508:-:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": false
}
],
"operator": "OR"
}
],
"cpe_match": [],
"operator": "AND"
},
{
"children": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:medtronic:minimed_paradigm_511_firmware:*:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:h:medtronic:minimed_paradigm_511:-:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": false
}
],
"operator": "OR"
}
],
"cpe_match": [],
"operator": "AND"
},
{
"children": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:medtronic:minimed_paradigm_512_firmware:*:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:h:medtronic:minimed_paradigm_512:-:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": false
}
],
"operator": "OR"
}
],
"cpe_match": [],
"operator": "AND"
},
{
"children": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:medtronic:minimed_paradigm_712_firmware:*:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:h:medtronic:minimed_paradigm_712:-:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": false
}
],
"operator": "OR"
}
],
"cpe_match": [],
"operator": "AND"
},
{
"children": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:medtronic:minimed_paradigm_712e_firmware:*:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:h:medtronic:minimed_paradigm_712e:-:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": false
}
],
"operator": "OR"
}
],
"cpe_match": [],
"operator": "AND"
},
{
"children": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:medtronic:minimed_paradigm_515_firmware:*:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:h:medtronic:minimed_paradigm_515:-:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": false
}
],
"operator": "OR"
}
],
"cpe_match": [],
"operator": "AND"
},
{
"children": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:medtronic:minimed_paradigm_715_firmware:*:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:h:medtronic:minimed_paradigm_715:-:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": false
}
],
"operator": "OR"
}
],
"cpe_match": [],
"operator": "AND"
},
{
"children": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:medtronic:minimed_paradigm_522_firmware:*:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:h:medtronic:minimed_paradigm_522:-:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": false
}
],
"operator": "OR"
}
],
"cpe_match": [],
"operator": "AND"
},
{
"children": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:medtronic:minimed_paradigm_722_firmware:*:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:h:medtronic:minimed_paradigm_722:-:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": false
}
],
"operator": "OR"
}
],
"cpe_match": [],
"operator": "AND"
},
{
"children": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:medtronic:minimed_paradigm_522k_firmware:*:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:h:medtronic:minimed_paradigm_522k:-:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": false
}
],
"operator": "OR"
}
],
"cpe_match": [],
"operator": "AND"
},
{
"children": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:medtronic:minimed_paradigm_722k_firmware:*:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:h:medtronic:minimed_paradigm_722k:-:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": false
}
],
"operator": "OR"
}
],
"cpe_match": [],
"operator": "AND"
},
{
"children": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:medtronic:minimed_paradigm_523_firmware:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndIncluding": "2.4a",
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:h:medtronic:minimed_paradigm_523:-:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": false
}
],
"operator": "OR"
}
],
"cpe_match": [],
"operator": "AND"
},
{
"children": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:medtronic:minimed_paradigm_723_firmware:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndIncluding": "2.4a",
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:h:medtronic:minimed_paradigm_723:-:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": false
}
],
"operator": "OR"
}
],
"cpe_match": [],
"operator": "AND"
},
{
"children": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:medtronic:minimed_paradigm_523k_firmware:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndIncluding": "2.4a",
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:h:medtronic:minimed_paradigm_523k:-:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": false
}
],
"operator": "OR"
}
],
"cpe_match": [],
"operator": "AND"
},
{
"children": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:medtronic:minimed_paradigm_723k_firmware:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndIncluding": "2.4a",
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:h:medtronic:minimed_paradigm_723k:-:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": false
}
],
"operator": "OR"
}
],
"cpe_match": [],
"operator": "AND"
},
{
"children": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:medtronic:minimed_paradigm_veo_554_firmware:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndIncluding": "2.6a",
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:h:medtronic:minimed_paradigm_veo_554:-:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": false
}
],
"operator": "OR"
}
],
"cpe_match": [],
"operator": "AND"
},
{
"children": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:medtronic:minimed_paradigm_veo_754_firmware:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndIncluding": "2.6a",
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:h:medtronic:minimed_paradigm_veo_754:-:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": false
}
],
"operator": "OR"
}
],
"cpe_match": [],
"operator": "AND"
},
{
"children": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:medtronic:minimed_paradigm_veo_554cm_firmware:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndIncluding": "2.7a",
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:h:medtronic:minimed_paradigm_veo_554cm:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndIncluding": "2.7a",
"vulnerable": false
}
],
"operator": "OR"
}
],
"cpe_match": [],
"operator": "AND"
},
{
"children": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:medtronic:minimed_paradigm_veo_754cm_firmware:-:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:h:medtronic:minimed_paradigm_veo_754cm:-:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": false
}
],
"operator": "OR"
}
],
"cpe_match": [],
"operator": "AND"
}
]
}
],
"sources": [
{
"db": "NVD",
"id": "CVE-2019-10964"
}
]
},
"credits": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/credits#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Nathanael Paul, Jay Radcliffe, Barnaby Jack, Jonathan Butts and Jesse Young, Billy Rios, Medtronic., Jonathan Butts, and Jesse Young",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-201906-1080"
}
],
"trust": 0.6
},
"cve": "CVE-2019-10964",
"cvss": {
"@context": {
"cvssV2": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
},
"cvssV3": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
},
"severity": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/cvss/severity#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/severity"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"cvssV2": [
{
"acInsufInfo": false,
"accessComplexity": "LOW",
"accessVector": "ADJACENT_NETWORK",
"authentication": "NONE",
"author": "NVD",
"availabilityImpact": "PARTIAL",
"baseScore": 5.8,
"confidentialityImpact": "PARTIAL",
"exploitabilityScore": 6.5,
"impactScore": 6.4,
"integrityImpact": "PARTIAL",
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "MEDIUM",
"trust": 1.0,
"userInteractionRequired": false,
"vectorString": "AV:A/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
{
"acInsufInfo": null,
"accessComplexity": "Low",
"accessVector": "Adjacent Network",
"authentication": "None",
"author": "NVD",
"availabilityImpact": "Partial",
"baseScore": 5.8,
"confidentialityImpact": "Partial",
"exploitabilityScore": null,
"id": "CVE-2019-10964",
"impactScore": null,
"integrityImpact": "Partial",
"obtainAllPrivilege": null,
"obtainOtherPrivilege": null,
"obtainUserPrivilege": null,
"severity": "Medium",
"trust": 0.8,
"userInteractionRequired": null,
"vectorString": "AV:A/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
{
"accessComplexity": "LOW",
"accessVector": "ADJACENT_NETWORK",
"authentication": "NONE",
"author": "VULHUB",
"availabilityImpact": "PARTIAL",
"baseScore": 5.8,
"confidentialityImpact": "PARTIAL",
"exploitabilityScore": 6.5,
"id": "VHN-142563",
"impactScore": 6.4,
"integrityImpact": "PARTIAL",
"severity": "MEDIUM",
"trust": 0.1,
"vectorString": "AV:A/AC:L/AU:N/C:P/I:P/A:P",
"version": "2.0"
}
],
"cvssV3": [
{
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"author": "NVD",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"trust": 1.0,
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
{
"attackComplexity": "Low",
"attackVector": "Adjacent Network",
"author": "NVD",
"availabilityImpact": "High",
"baseScore": 8.8,
"baseSeverity": "High",
"confidentialityImpact": "High",
"exploitabilityScore": null,
"id": "CVE-2019-10964",
"impactScore": null,
"integrityImpact": "High",
"privilegesRequired": "None",
"scope": "Unchanged",
"trust": 0.8,
"userInteraction": "None",
"vectorString": "CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
}
],
"severity": [
{
"author": "NVD",
"id": "CVE-2019-10964",
"trust": 1.8,
"value": "HIGH"
},
{
"author": "CNNVD",
"id": "CNNVD-201906-1080",
"trust": 0.6,
"value": "HIGH"
},
{
"author": "VULHUB",
"id": "VHN-142563",
"trust": 0.1,
"value": "MEDIUM"
}
]
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-142563"
},
{
"db": "JVNDB",
"id": "JVNDB-2019-006089"
},
{
"db": "NVD",
"id": "CVE-2019-10964"
},
{
"db": "CNNVD",
"id": "CNNVD-201906-1080"
}
]
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "In Medtronic MinMed 508 and Medtronic Minimed Paradigm Insulin Pumps, Versions, MiniMed 508 pump \u2013 All versions, MiniMed Paradigm 511 pump \u2013 All versions, MiniMed Paradigm 512/712 pumps \u2013 All versions, MiniMed Paradigm 712E pump\u2013All versions, MiniMed Paradigm 515/715 pumps\u2013All versions, MiniMed Paradigm 522/722 pumps \u2013 All versions,MiniMed Paradigm 522K/722K pumps \u2013 All versions, MiniMed Paradigm 523/723 pumps \u2013 Software versions 2.4A or lower, MiniMed Paradigm 523K/723K pumps \u2013 Software, versions 2.4A or lower, MiniMed Paradigm Veo 554/754 pumps \u2013 Software versions 2.6A or lower, MiniMed Paradigm Veo 554CM and 754CM models only \u2013 Software versions 2.7A or lower, the affected insulin pumps are designed to communicate using a wireless RF with other devices, such as blood glucose meters, glucose sensor transmitters, and CareLink USB devices. This wireless RF communication protocol does not properly implement authentication or authorization. An attacker with adjacent access to one of the affected insulin pump models can inject, replay, modify, and/or intercept data. This vulnerability could also allow attackers to change pump settings and control insulin delivery. plural Medtronic Minimed The product contains an access control vulnerability.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. Multiple Medtronic Products are prone to an security-bypass vulnerability. \nSuccessful exploits may allow an attacker to bypass certain security restrictions and to perform unauthorized actions; this may aid in launching further attacks. Medtronic MiniMed 508 pump and others are insulin pumps from Medtronic. This vulnerability stems from network systems or products not properly restricting access to resources from unauthorized roles",
"sources": [
{
"db": "NVD",
"id": "CVE-2019-10964"
},
{
"db": "JVNDB",
"id": "JVNDB-2019-006089"
},
{
"db": "BID",
"id": "108926"
},
{
"db": "VULHUB",
"id": "VHN-142563"
}
],
"trust": 1.98
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "NVD",
"id": "CVE-2019-10964",
"trust": 2.8
},
{
"db": "ICS CERT",
"id": "ICSMA-19-178-01",
"trust": 2.8
},
{
"db": "BID",
"id": "108926",
"trust": 2.0
},
{
"db": "JVNDB",
"id": "JVNDB-2019-006089",
"trust": 0.8
},
{
"db": "CNNVD",
"id": "CNNVD-201906-1080",
"trust": 0.7
},
{
"db": "AUSCERT",
"id": "ESB-2019.2351",
"trust": 0.6
},
{
"db": "VULHUB",
"id": "VHN-142563",
"trust": 0.1
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-142563"
},
{
"db": "BID",
"id": "108926"
},
{
"db": "JVNDB",
"id": "JVNDB-2019-006089"
},
{
"db": "NVD",
"id": "CVE-2019-10964"
},
{
"db": "CNNVD",
"id": "CNNVD-201906-1080"
}
]
},
"id": "VAR-201906-1020",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "VULHUB",
"id": "VHN-142563"
}
],
"trust": 0.01
},
"last_update_date": "2023-12-18T13:52:16.963000Z",
"patch": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/patch#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"title": "Top Page",
"trust": 0.8,
"url": "http://www.medtronicdiabetes.com/home"
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2019-006089"
}
]
},
"problemtype_data": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"problemtype": "CWE-287",
"trust": 1.1
},
{
"problemtype": "CWE-863",
"trust": 1.1
},
{
"problemtype": "CWE-284",
"trust": 0.9
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-142563"
},
{
"db": "JVNDB",
"id": "JVNDB-2019-006089"
},
{
"db": "NVD",
"id": "CVE-2019-10964"
}
]
},
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 2.8,
"url": "https://www.us-cert.gov/ics/advisories/icsma-19-178-01"
},
{
"trust": 2.3,
"url": "http://www.securityfocus.com/bid/108926"
},
{
"trust": 1.4,
"url": "https://nvd.nist.gov/vuln/detail/cve-2019-10964"
},
{
"trust": 0.9,
"url": "https://www.medtronic.com/content/dam/medtronic-com/us-en/corporate/documents/medtronic_security_bulletin_diabetes_paradigm_062719_final.pdf"
},
{
"trust": 0.8,
"url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-10964"
},
{
"trust": 0.6,
"url": "https://www.auscert.org.au/bulletins/esb-2019.2351/"
},
{
"trust": 0.3,
"url": "https://www.medtronic.com"
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-142563"
},
{
"db": "BID",
"id": "108926"
},
{
"db": "JVNDB",
"id": "JVNDB-2019-006089"
},
{
"db": "NVD",
"id": "CVE-2019-10964"
},
{
"db": "CNNVD",
"id": "CNNVD-201906-1080"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "VULHUB",
"id": "VHN-142563"
},
{
"db": "BID",
"id": "108926"
},
{
"db": "JVNDB",
"id": "JVNDB-2019-006089"
},
{
"db": "NVD",
"id": "CVE-2019-10964"
},
{
"db": "CNNVD",
"id": "CNNVD-201906-1080"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2019-06-28T00:00:00",
"db": "VULHUB",
"id": "VHN-142563"
},
{
"date": "2019-06-27T00:00:00",
"db": "BID",
"id": "108926"
},
{
"date": "2019-07-09T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2019-006089"
},
{
"date": "2019-06-28T21:15:11.007000",
"db": "NVD",
"id": "CVE-2019-10964"
},
{
"date": "2019-06-28T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201906-1080"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2020-08-24T00:00:00",
"db": "VULHUB",
"id": "VHN-142563"
},
{
"date": "2019-06-27T00:00:00",
"db": "BID",
"id": "108926"
},
{
"date": "2019-07-09T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2019-006089"
},
{
"date": "2020-08-24T17:37:01.140000",
"db": "NVD",
"id": "CVE-2019-10964"
},
{
"date": "2020-08-25T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201906-1080"
}
]
},
"threat_type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/threat_type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "remote or local",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-201906-1080"
}
],
"trust": 0.6
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "plural Medtronic Minimed Access control vulnerabilities in products",
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2019-006089"
}
],
"trust": 0.8
},
"type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "access control error",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-201906-1080"
}
],
"trust": 0.6
}
}
CVE-2019-10964 (GCVE-0-2019-10964)
Vulnerability from cvelistv5 – Published: 2019-06-28 20:58 – Updated: 2025-05-22 18:29
VLAI?
Summary
Medtronic MiniMed Insulin Pumps
are designed to communicate using a wireless RF with other devices, such as blood glucose meters, glucose sensor transmitters, and CareLink USB devices. This wireless RF communication protocol does not properly implement authentication or authorization. An attacker with adjacent access to one of the affected insulin pump models can inject, replay, modify, and/or intercept data. This vulnerability could also allow attackers to change pump settings and control insulin delivery.
Severity ?
7.1 (High)
CWE
Assigner
References
Impacted products
| Vendor | Product | Version | ||||||||||||||||||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Medtronic | MiniMed 508 pump |
Affected:
All versions
|
||||||||||||||||||||||||||||||||||||||||||||||||||||
|
||||||||||||||||||||||||||||||||||||||||||||||||||||||
Credits
Based on earlier work performed by external researchers including Nathanael Paul, Jay Radcliffe, and Barnaby Jack, and from recent work performed by external researchers Billy Rios, Jonathan Butts, and Jesse Young, Medtronic performed additional variant analysis and reported this vulnerability
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T22:40:15.617Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.us-cert.gov/ics/advisories/icsma-19-178-01"
},
{
"name": "108926",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/108926"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "MiniMed 508 pump",
"vendor": "Medtronic",
"versions": [
{
"status": "affected",
"version": "All versions"
}
]
},
{
"defaultStatus": "unaffected",
"product": "MiniMed Paradigm 511 pump",
"vendor": "Medtronic",
"versions": [
{
"status": "affected",
"version": "All versions"
}
]
},
{
"defaultStatus": "unaffected",
"product": "MiniMed Paradigm 512/712 pumps",
"vendor": "Medtronic",
"versions": [
{
"status": "affected",
"version": "All versions"
}
]
},
{
"defaultStatus": "unaffected",
"product": "MiniMed Paradigm 712E pump",
"vendor": "Medtronic",
"versions": [
{
"status": "affected",
"version": "All versions"
}
]
},
{
"defaultStatus": "unaffected",
"product": "MiniMed Paradigm 515/715 pumps",
"vendor": "Medtronic",
"versions": [
{
"status": "affected",
"version": "All versions"
}
]
},
{
"defaultStatus": "unaffected",
"product": "MiniMed Paradigm 522/722 pumps",
"vendor": "Medtronic",
"versions": [
{
"status": "affected",
"version": "All versions"
}
]
},
{
"defaultStatus": "unaffected",
"product": "MiniMed Paradigm 522K/722K pumps",
"vendor": "Medtronic",
"versions": [
{
"status": "affected",
"version": "All versions"
}
]
},
{
"defaultStatus": "unaffected",
"product": "MiniMed Paradigm 523/723 pumps",
"vendor": "Medtronic",
"versions": [
{
"lessThanOrEqual": "Software Versions 2.4A",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "MiniMed Paradigm 523K/723K pumps",
"vendor": "Medtronic",
"versions": [
{
"lessThanOrEqual": "Software Versions 2.4A",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "MiniMed Paradigm Veo 554/754 pumps",
"vendor": "Medtronic",
"versions": [
{
"lessThanOrEqual": "Software Versions 2.6A",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "MiniMed Paradigm Veo 554CM/754CM pumps",
"vendor": "Medtronic",
"versions": [
{
"lessThanOrEqual": "Software Versions 2.7A",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Based on earlier work performed by external researchers including Nathanael Paul, Jay Radcliffe, and Barnaby Jack, and from recent work performed by external researchers Billy Rios, Jonathan Butts, and Jesse Young, Medtronic performed additional variant analysis and reported this vulnerability"
}
],
"datePublic": "2019-06-27T06:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003e\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eMedtronic MiniMed Insulin Pumps\u003c/span\u003e\n\n are designed to communicate using a wireless RF with other devices, such as blood glucose meters, glucose sensor transmitters, and CareLink USB devices. This wireless RF communication protocol does not properly implement authentication or authorization. An attacker with adjacent access to one of the affected insulin pump models can inject, replay, modify, and/or intercept data. This vulnerability could also allow attackers to change pump settings and control insulin delivery.\u003c/p\u003e"
}
],
"value": "Medtronic MiniMed Insulin Pumps\n\n are designed to communicate using a wireless RF with other devices, such as blood glucose meters, glucose sensor transmitters, and CareLink USB devices. This wireless RF communication protocol does not properly implement authentication or authorization. An attacker with adjacent access to one of the affected insulin pump models can inject, replay, modify, and/or intercept data. This vulnerability could also allow attackers to change pump settings and control insulin delivery."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "CWE-284",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-22T18:29:15.376Z",
"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"shortName": "icscert"
},
"references": [
{
"url": "https://global.medtronic.com/xg-en/product-security/security-bulletins/minimed-508-paradigm.html"
},
{
"name": "108926",
"url": "https://www.cisa.gov/news-events/ics-medical-advisories/icsma-19-178-01"
},
{
"tags": [
"vdb-entry"
],
"url": "http://www.securityfocus.com/bid/108926"
}
],
"source": {
"advisory": "ICSMA-19-178-01",
"discovery": "INTERNAL"
},
"title": "Medtronic MiniMed 508 and Paradigm Series Insulin Pumps Improper Access Control",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eMedtronic recommends U.S. patients who are currently using the affected products talk to their healthcare provider about changing to a newer model insulin pump with increased cybersecurity protection. Patients outside the U.S. will receive a notification letter with instructions based on the country where they live.\u003c/p\u003e\u003cp\u003eMedtronic recommends all patients take the cybersecurity precautions indicated below.\u003c/p\u003e\u003cp\u003eCYBERSECURITY PRECAUTIONS RECOMMENDED FOR ALL PATIENTS:\u003c/p\u003e\u003cul\u003e\u003cli\u003eMaintain tight physical control of the pump and devices connected to the pump\u003c/li\u003e\u003cli\u003eDo not share pump serial number\u003c/li\u003e\u003cli\u003eBe attentive to pump notifications, alarms, and alerts\u003c/li\u003e\u003cli\u003eImmediately cancel any unintended boluses (a single dose of insulin administered all at once)\u003c/li\u003e\u003cli\u003eDo not connect to any third-party devices or use any software not authorized by Medtronic\u003c/li\u003e\u003cli\u003eDisconnect CareLink USB devices from computers when not being used to download data from the pump\u003c/li\u003e\u003cli\u003eMonitor blood glucose levels closely and act as appropriate\u003c/li\u003e\u003cli\u003eGet medical help immediately when experiencing symptoms of severe hypoglycemia or diabetic ketoacidosis, or suspect an insulin pump settings, or insulin delivery have changed unexpectedly\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eMedtronic has released additional patient-focused information, at the following location:\u003c/p\u003e\u003cp\u003e\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.medtronic.com/security\"\u003ehttps://www.medtronic.com/security\u003c/a\u003e\u003c/p\u003e\n\n\u003cbr\u003e"
}
],
"value": "Medtronic recommends U.S. patients who are currently using the affected products talk to their healthcare provider about changing to a newer model insulin pump with increased cybersecurity protection. Patients outside the U.S. will receive a notification letter with instructions based on the country where they live.\n\nMedtronic recommends all patients take the cybersecurity precautions indicated below.\n\nCYBERSECURITY PRECAUTIONS RECOMMENDED FOR ALL PATIENTS:\n\n * Maintain tight physical control of the pump and devices connected to the pump\n * Do not share pump serial number\n * Be attentive to pump notifications, alarms, and alerts\n * Immediately cancel any unintended boluses (a single dose of insulin administered all at once)\n * Do not connect to any third-party devices or use any software not authorized by Medtronic\n * Disconnect CareLink USB devices from computers when not being used to download data from the pump\n * Monitor blood glucose levels closely and act as appropriate\n * Get medical help immediately when experiencing symptoms of severe hypoglycemia or diabetic ketoacidosis, or suspect an insulin pump settings, or insulin delivery have changed unexpectedly\n\n\nMedtronic has released additional patient-focused information, at the following location:\n\n https://www.medtronic.com/security"
}
],
"x_generator": {
"engine": "Vulnogram 0.2.0"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "ics-cert@hq.dhs.gov",
"ID": "CVE-2019-10964",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Medtronic MiniMed 508 and Paradigm Series Insulin Pumps",
"version": {
"version_data": [
{
"version_value": "MiniMed 508 pump All versions"
},
{
"version_value": "MiniMed Paradigm 511 pump All versions"
},
{
"version_value": "MiniMed Paradigm 512/712 pump All versions"
},
{
"version_value": "MiniMed Paradigm 712E pump All versions"
},
{
"version_value": "MiniMed Paradigm 515/715 pumps\u2013All versions"
},
{
"version_value": "MiniMed Paradigm 522/722 pump\u2013All versions"
},
{
"version_value": "MiniMed Paradigm 522K/722K pumps\u2013All versions"
},
{
"version_value": "MiniMed Paradigm 523/723 pumps\u2013Software versions 2.4A or lower"
},
{
"version_value": "MiniMed Paradigm 523K/723K pumps versions 2.4A or lower"
},
{
"version_value": "MiniMed Paradigm Veo 554/754 pumps\u2013versions 2.6A or lower"
},
{
"version_value": "MiniMed Paradigm Veo 554CM and 754CM versions 2.7A or lower"
}
]
}
}
]
},
"vendor_name": "Medtronic"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In Medtronic MinMed 508 and Medtronic Minimed Paradigm Insulin Pumps, Versions, MiniMed 508 pump \u2013 All versions, MiniMed Paradigm 511 pump \u2013 All versions, MiniMed Paradigm 512/712 pumps \u2013 All versions, MiniMed Paradigm 712E pump\u2013All versions, MiniMed Paradigm 515/715 pumps\u2013All versions, MiniMed Paradigm 522/722 pumps \u2013 All versions,MiniMed Paradigm 522K/722K pumps \u2013 All versions, MiniMed Paradigm 523/723 pumps \u2013 Software versions 2.4A or lower, MiniMed Paradigm 523K/723K pumps \u2013 Software, versions 2.4A or lower, MiniMed Paradigm Veo 554/754 pumps \u2013 Software versions 2.6A or lower, MiniMed Paradigm Veo 554CM and 754CM models only \u2013 Software versions 2.7A or lower, the affected insulin pumps are designed to communicate using a wireless RF with other devices, such as blood glucose meters, glucose sensor transmitters, and CareLink USB devices. This wireless RF communication protocol does not properly implement authentication or authorization. An attacker with adjacent access to one of the affected insulin pump models can inject, replay, modify, and/or intercept data. This vulnerability could also allow attackers to change pump settings and control insulin delivery."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Other"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.us-cert.gov/ics/advisories/icsma-19-178-01",
"refsource": "MISC",
"url": "https://www.us-cert.gov/ics/advisories/icsma-19-178-01"
},
{
"name": "108926",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/108926"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"assignerShortName": "icscert",
"cveId": "CVE-2019-10964",
"datePublished": "2019-06-28T20:58:07",
"dateReserved": "2019-04-08T00:00:00",
"dateUpdated": "2025-05-22T18:29:15.376Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2019-10964 (GCVE-0-2019-10964)
Vulnerability from nvd – Published: 2019-06-28 20:58 – Updated: 2025-05-22 18:29
VLAI?
Summary
Medtronic MiniMed Insulin Pumps
are designed to communicate using a wireless RF with other devices, such as blood glucose meters, glucose sensor transmitters, and CareLink USB devices. This wireless RF communication protocol does not properly implement authentication or authorization. An attacker with adjacent access to one of the affected insulin pump models can inject, replay, modify, and/or intercept data. This vulnerability could also allow attackers to change pump settings and control insulin delivery.
Severity ?
7.1 (High)
CWE
Assigner
References
Impacted products
| Vendor | Product | Version | ||||||||||||||||||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Medtronic | MiniMed 508 pump |
Affected:
All versions
|
||||||||||||||||||||||||||||||||||||||||||||||||||||
|
||||||||||||||||||||||||||||||||||||||||||||||||||||||
Credits
Based on earlier work performed by external researchers including Nathanael Paul, Jay Radcliffe, and Barnaby Jack, and from recent work performed by external researchers Billy Rios, Jonathan Butts, and Jesse Young, Medtronic performed additional variant analysis and reported this vulnerability
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T22:40:15.617Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.us-cert.gov/ics/advisories/icsma-19-178-01"
},
{
"name": "108926",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/108926"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "MiniMed 508 pump",
"vendor": "Medtronic",
"versions": [
{
"status": "affected",
"version": "All versions"
}
]
},
{
"defaultStatus": "unaffected",
"product": "MiniMed Paradigm 511 pump",
"vendor": "Medtronic",
"versions": [
{
"status": "affected",
"version": "All versions"
}
]
},
{
"defaultStatus": "unaffected",
"product": "MiniMed Paradigm 512/712 pumps",
"vendor": "Medtronic",
"versions": [
{
"status": "affected",
"version": "All versions"
}
]
},
{
"defaultStatus": "unaffected",
"product": "MiniMed Paradigm 712E pump",
"vendor": "Medtronic",
"versions": [
{
"status": "affected",
"version": "All versions"
}
]
},
{
"defaultStatus": "unaffected",
"product": "MiniMed Paradigm 515/715 pumps",
"vendor": "Medtronic",
"versions": [
{
"status": "affected",
"version": "All versions"
}
]
},
{
"defaultStatus": "unaffected",
"product": "MiniMed Paradigm 522/722 pumps",
"vendor": "Medtronic",
"versions": [
{
"status": "affected",
"version": "All versions"
}
]
},
{
"defaultStatus": "unaffected",
"product": "MiniMed Paradigm 522K/722K pumps",
"vendor": "Medtronic",
"versions": [
{
"status": "affected",
"version": "All versions"
}
]
},
{
"defaultStatus": "unaffected",
"product": "MiniMed Paradigm 523/723 pumps",
"vendor": "Medtronic",
"versions": [
{
"lessThanOrEqual": "Software Versions 2.4A",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "MiniMed Paradigm 523K/723K pumps",
"vendor": "Medtronic",
"versions": [
{
"lessThanOrEqual": "Software Versions 2.4A",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "MiniMed Paradigm Veo 554/754 pumps",
"vendor": "Medtronic",
"versions": [
{
"lessThanOrEqual": "Software Versions 2.6A",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "MiniMed Paradigm Veo 554CM/754CM pumps",
"vendor": "Medtronic",
"versions": [
{
"lessThanOrEqual": "Software Versions 2.7A",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Based on earlier work performed by external researchers including Nathanael Paul, Jay Radcliffe, and Barnaby Jack, and from recent work performed by external researchers Billy Rios, Jonathan Butts, and Jesse Young, Medtronic performed additional variant analysis and reported this vulnerability"
}
],
"datePublic": "2019-06-27T06:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003e\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eMedtronic MiniMed Insulin Pumps\u003c/span\u003e\n\n are designed to communicate using a wireless RF with other devices, such as blood glucose meters, glucose sensor transmitters, and CareLink USB devices. This wireless RF communication protocol does not properly implement authentication or authorization. An attacker with adjacent access to one of the affected insulin pump models can inject, replay, modify, and/or intercept data. This vulnerability could also allow attackers to change pump settings and control insulin delivery.\u003c/p\u003e"
}
],
"value": "Medtronic MiniMed Insulin Pumps\n\n are designed to communicate using a wireless RF with other devices, such as blood glucose meters, glucose sensor transmitters, and CareLink USB devices. This wireless RF communication protocol does not properly implement authentication or authorization. An attacker with adjacent access to one of the affected insulin pump models can inject, replay, modify, and/or intercept data. This vulnerability could also allow attackers to change pump settings and control insulin delivery."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "CWE-284",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-22T18:29:15.376Z",
"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"shortName": "icscert"
},
"references": [
{
"url": "https://global.medtronic.com/xg-en/product-security/security-bulletins/minimed-508-paradigm.html"
},
{
"name": "108926",
"url": "https://www.cisa.gov/news-events/ics-medical-advisories/icsma-19-178-01"
},
{
"tags": [
"vdb-entry"
],
"url": "http://www.securityfocus.com/bid/108926"
}
],
"source": {
"advisory": "ICSMA-19-178-01",
"discovery": "INTERNAL"
},
"title": "Medtronic MiniMed 508 and Paradigm Series Insulin Pumps Improper Access Control",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eMedtronic recommends U.S. patients who are currently using the affected products talk to their healthcare provider about changing to a newer model insulin pump with increased cybersecurity protection. Patients outside the U.S. will receive a notification letter with instructions based on the country where they live.\u003c/p\u003e\u003cp\u003eMedtronic recommends all patients take the cybersecurity precautions indicated below.\u003c/p\u003e\u003cp\u003eCYBERSECURITY PRECAUTIONS RECOMMENDED FOR ALL PATIENTS:\u003c/p\u003e\u003cul\u003e\u003cli\u003eMaintain tight physical control of the pump and devices connected to the pump\u003c/li\u003e\u003cli\u003eDo not share pump serial number\u003c/li\u003e\u003cli\u003eBe attentive to pump notifications, alarms, and alerts\u003c/li\u003e\u003cli\u003eImmediately cancel any unintended boluses (a single dose of insulin administered all at once)\u003c/li\u003e\u003cli\u003eDo not connect to any third-party devices or use any software not authorized by Medtronic\u003c/li\u003e\u003cli\u003eDisconnect CareLink USB devices from computers when not being used to download data from the pump\u003c/li\u003e\u003cli\u003eMonitor blood glucose levels closely and act as appropriate\u003c/li\u003e\u003cli\u003eGet medical help immediately when experiencing symptoms of severe hypoglycemia or diabetic ketoacidosis, or suspect an insulin pump settings, or insulin delivery have changed unexpectedly\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eMedtronic has released additional patient-focused information, at the following location:\u003c/p\u003e\u003cp\u003e\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.medtronic.com/security\"\u003ehttps://www.medtronic.com/security\u003c/a\u003e\u003c/p\u003e\n\n\u003cbr\u003e"
}
],
"value": "Medtronic recommends U.S. patients who are currently using the affected products talk to their healthcare provider about changing to a newer model insulin pump with increased cybersecurity protection. Patients outside the U.S. will receive a notification letter with instructions based on the country where they live.\n\nMedtronic recommends all patients take the cybersecurity precautions indicated below.\n\nCYBERSECURITY PRECAUTIONS RECOMMENDED FOR ALL PATIENTS:\n\n * Maintain tight physical control of the pump and devices connected to the pump\n * Do not share pump serial number\n * Be attentive to pump notifications, alarms, and alerts\n * Immediately cancel any unintended boluses (a single dose of insulin administered all at once)\n * Do not connect to any third-party devices or use any software not authorized by Medtronic\n * Disconnect CareLink USB devices from computers when not being used to download data from the pump\n * Monitor blood glucose levels closely and act as appropriate\n * Get medical help immediately when experiencing symptoms of severe hypoglycemia or diabetic ketoacidosis, or suspect an insulin pump settings, or insulin delivery have changed unexpectedly\n\n\nMedtronic has released additional patient-focused information, at the following location:\n\n https://www.medtronic.com/security"
}
],
"x_generator": {
"engine": "Vulnogram 0.2.0"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "ics-cert@hq.dhs.gov",
"ID": "CVE-2019-10964",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Medtronic MiniMed 508 and Paradigm Series Insulin Pumps",
"version": {
"version_data": [
{
"version_value": "MiniMed 508 pump All versions"
},
{
"version_value": "MiniMed Paradigm 511 pump All versions"
},
{
"version_value": "MiniMed Paradigm 512/712 pump All versions"
},
{
"version_value": "MiniMed Paradigm 712E pump All versions"
},
{
"version_value": "MiniMed Paradigm 515/715 pumps\u2013All versions"
},
{
"version_value": "MiniMed Paradigm 522/722 pump\u2013All versions"
},
{
"version_value": "MiniMed Paradigm 522K/722K pumps\u2013All versions"
},
{
"version_value": "MiniMed Paradigm 523/723 pumps\u2013Software versions 2.4A or lower"
},
{
"version_value": "MiniMed Paradigm 523K/723K pumps versions 2.4A or lower"
},
{
"version_value": "MiniMed Paradigm Veo 554/754 pumps\u2013versions 2.6A or lower"
},
{
"version_value": "MiniMed Paradigm Veo 554CM and 754CM versions 2.7A or lower"
}
]
}
}
]
},
"vendor_name": "Medtronic"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In Medtronic MinMed 508 and Medtronic Minimed Paradigm Insulin Pumps, Versions, MiniMed 508 pump \u2013 All versions, MiniMed Paradigm 511 pump \u2013 All versions, MiniMed Paradigm 512/712 pumps \u2013 All versions, MiniMed Paradigm 712E pump\u2013All versions, MiniMed Paradigm 515/715 pumps\u2013All versions, MiniMed Paradigm 522/722 pumps \u2013 All versions,MiniMed Paradigm 522K/722K pumps \u2013 All versions, MiniMed Paradigm 523/723 pumps \u2013 Software versions 2.4A or lower, MiniMed Paradigm 523K/723K pumps \u2013 Software, versions 2.4A or lower, MiniMed Paradigm Veo 554/754 pumps \u2013 Software versions 2.6A or lower, MiniMed Paradigm Veo 554CM and 754CM models only \u2013 Software versions 2.7A or lower, the affected insulin pumps are designed to communicate using a wireless RF with other devices, such as blood glucose meters, glucose sensor transmitters, and CareLink USB devices. This wireless RF communication protocol does not properly implement authentication or authorization. An attacker with adjacent access to one of the affected insulin pump models can inject, replay, modify, and/or intercept data. This vulnerability could also allow attackers to change pump settings and control insulin delivery."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Other"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.us-cert.gov/ics/advisories/icsma-19-178-01",
"refsource": "MISC",
"url": "https://www.us-cert.gov/ics/advisories/icsma-19-178-01"
},
{
"name": "108926",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/108926"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"assignerShortName": "icscert",
"cveId": "CVE-2019-10964",
"datePublished": "2019-06-28T20:58:07",
"dateReserved": "2019-04-08T00:00:00",
"dateUpdated": "2025-05-22T18:29:15.376Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}