CVE-2019-6538

9.3 CRITICAL

📋 TL;DR

This vulnerability allows an attacker within short-range radio proximity to read and write memory values on implanted cardiac devices without authentication. It affects Medtronic cardiac devices that use the Conexus telemetry protocol, and is exploitable only while the device's radio is turned on. Patients with affected implanted devices are at risk.

💻 Affected Systems

Products:
  • Medtronic MyCareLink Monitor
  • CareLink Monitor
  • CareLink 2090 Programmer
  • Amplia CRT-D
  • Claria CRT-D
  • Compia CRT-D
  • Concerto CRT-D
  • Concerto II CRT-D
  • Consulta CRT-D
  • Evera ICD
  • Maximo II CRT-D and ICD
  • Mirro ICD
  • Nayamed ND ICD
  • Primo ICD
  • Protecta ICD and CRT-D
  • Secura ICD
  • Virtuoso ICD
  • Virtuoso II ICD
  • Visia AF ICD
  • Viva CRT-D
Versions: 24950, 24952, 2490C
Operating Systems: Embedded medical device firmware
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability exists when device radio is turned on. Implanted devices cannot be patched; only external monitors/programmers can be updated.

⚠️ Risk & Real-World Impact

🔴 Worst Case

An attacker could modify device memory to deliver inappropriate shocks, disable therapy, or drain the battery, potentially causing patient harm or death.

🟠 Likely Case

Unauthorized reading of sensitive patient data, or a demonstration of the capability to interfere with device operation.

🟢 If Mitigated

With the radio disabled and physical security controls in place, risk is significantly reduced, but not eliminated for devices that must communicate.

🌐 Internet-Facing: LOW - Requires adjacent short-range access, not internet-accessible.
🏢 Internal Only: HIGH - Physical proximity to the patient or device is sufficient for exploitation in healthcare settings.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires specialized RF equipment and knowledge of the medical device telemetry protocol, but no authentication is needed.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: No version number specified - remediation requires device replacement or monitor/programmer updates per Medtronic guidance

Vendor Advisory: https://ics-cert.us-cert.gov/advisories/ICSMA-19-080-01

Restart Required: Yes

Instructions:

1. Contact Medtronic for an assessment of affected devices.
2. For external devices (monitors/programmers): apply firmware updates if available.
3. For implanted devices: consult the treating physician about potential replacement if the patient is at high risk.
4. Disable the telemetry radio when not in use.

🔧 Temporary Workarounds

Disable Telemetry Radio (applies to: all affected devices)

Turn off the device radio when it is not actively communicating with a medical provider. The procedure is device-specific and is performed through the device interface.

Physical Security Controls (applies to: all affected devices)

Implement access controls and monitoring in areas where the devices are used or where patients with implanted devices are present.

🧯 If You Can't Patch

  • Keep the device radio disabled except during medically necessary communications
  • Implement strict physical access controls and monitoring in healthcare facilities

🔍 How to Verify

Check if Vulnerable:

Check the device model against the affected list above and confirm that it uses the Conexus telemetry protocol.

Check Version:

Use device-specific interface commands or Medtronic diagnostic tools to read the firmware/model version.

Verify Fix Applied:

Consult Medtronic for device-specific verification; implanted devices cannot be patched and may require replacement.

📡 Detection & Monitoring

Log Indicators:

  • Unauthorized telemetry sessions
  • Unexpected device memory access patterns

Network Indicators:

  • RF signals in medical telemetry bands from unauthorized locations

SIEM Query:

Not applicable - detection relies primarily on physical and radio-frequency monitoring rather than network logs.
