Medtronic Paceart Optima System - 20230630004

Overview

If a healthcare delivery organization has enabled the optional Paceart Messaging Service in the Paceart Optima system, an unauthorized user could exploit this vulnerability to perform remote code execution and/or denial-of-service (DoS) attacks by sending specially crafted messages to the Paceart Optima system. Remote code execution could result in the deletion, theft, or modification of the Paceart Optima system’s cardiac device data, or use of the Paceart Optima system for further network penetration. A DoS attack could cause the Paceart Optima system to slow or be unresponsive.

What is the vulnerability?

CVE-2023-31222 - CVSS v3 Base Score: 9.8

What is vulnerable?

The vulnerability exists in the following products:

  • Medtronic's Paceart Optima versions 1.11

What has been observed?

CISA added this vulnerability to its ICS Medical Advisory catalog on June 29, 2023. There is no evidence of exploitation affecting Western Australian Government networks at the time of publishing.

Recommendation

The WA SOC recommends administrators apply mitigation controls as per vendor instructions to all affected devices, or patch within the expected timeframe of one month (refer to Patch Management):