
Medtronic Micro Clinician App and InterStim X App Vulnerabilities


Summary

Medtronic Micro Clinician App (A51200) and InterStim X Clinician App (A51300) contain a vulnerability that could cause the applications' custom passwords to be reset to default.


Threat details

Introduction

Medtronic has identified an unverified password change vulnerability in its Micro Clinician App (A51200) and InterStim X Clinician App (A51300), which are used by patients and clinicians to control implanted pelvic neurostimulator devices.

Successful exploitation of this vulnerability could cause the clinician applications' custom passwords to be reset to default, resulting in unauthorised control of the applications. To exploit this vulnerability, an attacker would require direct physical access to the assigned Smart Programmer device. Changes cannot be made beyond established therapy parameters.


Threat updates

Date: 10 Mar 2023
Update: Updated remediation advice. Updated advice to reflect current remediation.


Remediation advice

Affected organisations are encouraged to review the CISA Medical Advisory ICSMA-23-061-01 and the Medtronic Security Bulletin for more information.

The following mitigations have been provided by Medtronic:

  • An app update that fixes the vulnerability is available as of February 23, 2023.
  • Users should refer to the Medtronic Security Bulletin for the correct Medtronic Support contact for help updating the app.


Last edited: 10 March 2023 11:27 am