CVE-2025-12995
Published: 04 December 2025
Description
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Security Summary
CVE-2025-12995 is a vulnerability in the Medtronic CareLink Network that allows an unauthenticated remote attacker to perform a brute force attack on an API endpoint, potentially enabling the determination of a valid password under certain circumstances. This issue affects CareLink Network versions prior to December 4, 2025. The vulnerability carries a CVSS v3.1 base score of 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) and is classified under CWE-307: Improper Restriction of Excessive Authentication Attempts.
An unauthenticated attacker with network access can exploit this vulnerability remotely without privileges or user interaction, although the attack is of high complexity. Successfully brute forcing the API endpoint would have a high impact on confidentiality, integrity, and availability, for example unauthorized access to the system using the discovered credentials.
Medtronic has published a security bulletin detailing the CareLink Network vulnerabilities, including this issue, with guidance on mitigation at https://www.medtronic.com/en-us/e/product-security/security-bulletins/carelink-network-vulnerabilities.html.
Why these techniques?
The affected endpoint lacks restrictions on excessive authentication attempts, enabling brute force password guessing (T1110, T1110.001) against a public-facing API endpoint (T1190).
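The control whose absence defines CWE-307, shown as an added example that is not Medtronic's code and says nothing about how the CareLink Network endpoint is implemented: a per-key failed-attempt limiter with a sliding window and an escalating lockout, plus a simulation that replays a constructed burst of wrong passwords. The thresholds, the key (account, source address, or both), and the account name are assumptions.

```python
import time
from collections import defaultdict

MAX_FAILURES = 5       # failed attempts tolerated inside one window (assumed)
WINDOW_SECONDS = 300   # sliding window in which failures are counted (assumed)
LOCKOUT_SECONDS = 900  # first lockout length; doubles on each repeat lockout

class AttemptLimiter:
    """Per-key (account, source address, or both) failure counter with lockout."""
    def __init__(self, clock=time.monotonic):
        self.clock = clock                 # injectable so tests can fake time
        self.failures = defaultdict(list)  # key -> timestamps of recent failures
        self.locked_until = {}             # key -> time the current lockout ends
        self.lockouts = defaultdict(int)   # key -> lockouts served so far

    def check(self, key):
        """Return (allowed, seconds_until_retry); call before verifying a password."""
        remaining = self.locked_until.get(key, 0.0) - self.clock()
        return remaining <= 0, max(remaining, 0.0)

    def record_failure(self, key):
        """Count a failed attempt; returns True when it triggers a lockout."""
        now = self.clock()
        recent = [t for t in self.failures[key] if now - t < WINDOW_SECONDS]
        recent.append(now)
        self.failures[key] = recent
        if len(recent) < MAX_FAILURES:
            return False
        self.locked_until[key] = now + LOCKOUT_SECONDS * 2 ** self.lockouts[key]
        self.lockouts[key] += 1
        self.failures[key] = []
        return True

    def record_success(self, key):
        """A correct password clears the failure history for the key."""
        for table in (self.failures, self.locked_until, self.lockouts):
            table.pop(key, None)

def simulate(attempts, step=1.0, key="user@example.invalid"):
    """Replay `attempts` wrong passwords for one constructed account, one per `step` s."""
    now = [0.0]                              # constructed clock; no real waiting
    limiter = AttemptLimiter(clock=lambda: now[0])
    allowed_log = []
    for _ in range(attempts):
        allowed, _retry_after = limiter.check(key)
        if allowed:
            limiter.record_failure(key)      # the password check failed
        allowed_log.append(allowed)
        now[0] += step
    return allowed_log
```

Keying on the account alone lets a remote party lock legitimate users out, and keying on the source address alone is weakened by distributed sources, so deployments usually combine both and return the same generic error whether the key is locked or the password is wrong.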