"Medtronic Fixes Critical Flaw in Cardiac Device Data System"
Medtronic's heart monitor data management system contains a critical-severity vulnerability that, if exploited, could lead to Remote Code Execution (RCE) or a Denial-of-Service (DoS) condition. The flaw, a deserialization of untrusted data issue tracked as CVE-2023-31222, exists in the Paceart Optima system, and patches are now available. Paceart Optima is a software application that collects, stores, and retrieves patient cardiac device data from remote heart monitors, and it runs on healthcare organizations' Windows servers. The Paceart Messaging Service, which allows healthcare delivery organizations to send fax, email, and pager messages within the Paceart Optima system, is particularly vulnerable. The Paceart Messaging Service is optional rather than configured by default, but when it is enabled, the vulnerability is remotely exploitable and has a low attack complexity. The US Cybersecurity and Infrastructure Security Agency (CISA) warned that RCE could lead to the deletion, theft, or modification of the Paceart Optima system's cardiac device data, or to the system being used for further network penetration. A DoS attack could render the Paceart Optima system unresponsive. This article continues to discuss the critical-severity vulnerability found in a heart monitor data management system.
Decipher reports "Medtronic Fixes Critical Flaw in Cardiac Device Data System"