Medtronic Discloses Cybersecurity Vulnerability in Paceart Optima System

The cybersecurity vulnerability in Medtronic’s Paceart Optima system may result in remote code execution or a denial-of-service condition.

By Jill McKeon

Medtronic notified the Cybersecurity and Infrastructure Security Agency (CISA) of a cybersecurity vulnerability (CVE-2023-31222) found in its Paceart Optima System. If exploited, threat actors may be able to execute code remotely or cause a denial-of-service (DoS) condition.

The Paceart Optima System is a workflow solution that manages patients’ cardiac device data, Medtronic’s website states. The system can collect, store, and retrieve data from all major cardiac device manufacturers.

The vulnerability has been categorized as critical, with a CVSS score of 9.8. Specifically, the vulnerability impacts Paceart Optima versions 1.11 and prior.

“If a healthcare delivery organization has enabled the optional Paceart Messaging Service in the Paceart Optima system, an unauthorized user could exploit this vulnerability to perform remote code execution and/or denial-of-service (DoS) attacks by sending specially crafted messages to the Paceart Optima system,” CISA noted.

“Remote code execution could result in the deletion, theft, or modification of Paceart Optima system’s cardiac device data, or use of the Paceart Optima system for further network penetration. A DoS attack could cause the Paceart Optima system to slow or be unresponsive.”

Medtronic recommended updating the Paceart Optima System to v1.12 by contacting Medtronic to schedule the update. For immediate mitigations, Medtronic provided steps for manually disabling the Paceart Messaging Service on the Application Server and manually disabling message queuing on the Application Server.

“As long as the Paceart Messaging Service remains disabled, the vulnerability will remain mitigated,” CISA added.

CISA also encouraged organizations to isolate remote devices behind firewalls and perform proper risk assessments prior to deploying defensive measures.