Vulnerability identifier: #VU67535

Vulnerability risk: Medium

CVSSv3.1: 4.4 [CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N/E:U/RL:U/RC:C]

CVE-ID: CVE-2022-32537

CWE-ID: CWE-693

Exploitation vector: Local network

Exploit availability: No

Vulnerable software:
MiniMed 620G
Hardware solutions / Medical equipment
MiniMed 630G
Hardware solutions / Medical equipment
MiniMed 640G
Hardware solutions / Medical equipment
MiniMed 670G
Hardware solutions / Medical equipment

Vendor: Medtronic

Description

The vulnerability allows a remote attacker to bypass implemented security restrictions.

The vulnerability exists due to insufficient implementation of security measures. A remote user on the local network can learn aspects of the communication protocol used to pair system components while the pump is being paired with other system components.

Mitigation
Cybersecurity Help is currently unaware of any official solution to address this vulnerability.

Vulnerable software versions

MiniMed 620G: MMT-1710

MiniMed 630G: MMT-1715 - MMT-1755

MiniMed 640G: MMT-1711 - MMT-1752

MiniMed 670G: MMT-1740 - MMT-1782

---

External links
http://ics-cert.us-cert.gov/advisories/icsma-22-263-01

---

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the local network (LAN).

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.