The Conexus telemetry protocol utilized within Medtronic MyCareLink Monitor versions 24950 and 24952, CareLink Monitor version 2490C, CareLink 2090 Programmer, Amplia CRT-D, Claria CRT-D, Compia CRT-D, Concerto CRT-D, Concerto II CRT-D, Consulta CRT-D, Evera ICD, Maximo II CRT-D and ICD, Mirro ICD, Nayamed ND ICD, Primo ICD, Protecta ICD and CRT-D, Secura ICD, Virtuoso ICD, Virtuoso II ICD, Visia AF ICD, and Viva CRT-D does not implement authentication or authorization. An attacker with adjacent short-range access to an affected product, in situations where the product’s radio is turned on, can inject, replay, modify, and/or intercept data within the telemetry communication. This communication protocol provides the ability to read and write memory values to affected implanted cardiac devices; therefore, an attacker could exploit this communication protocol to change memory in the implanted cardiac device.
Conclusion & alert: CVE-2019-6538 is rated Moderate Risk (56.4/100): CVSS Critical severity, with medium exploitation likelihood (EPSS 0.84%). Mandatory action: Review affected assets and schedule remediation.
Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.
EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).
| # | Date | Old EPSS score | New EPSS score | Delta (New - Old) |
|---|---|---|---|---|
| 1 | 2026-06-15 | 0.22% | 0.84% | +0.62% |
| 2 | 2025-11-21 | 0.28% | 0.22% | -0.06% |
| 3 | 2025-11-18 | — | 0.28% | — |
Full EPSS history (13 records total)
CVSS metrics for this CVE.
| Base score | Version | Severity | Vector | Exploitability | Impact | Score source |
|---|---|---|---|---|---|---|
| 9.3 | 3.1 | CRITICAL |
|
2.8 | 5.8 | [email protected] |
| 6.5 | 3.1 | MEDIUM |
|
2.8 | 3.6 | [email protected] |
| 3.3 | 2.0 | LOW |
|
6.5 | 2.9 | [email protected] |
| Vendor | Product | Version | Raw CPE |
|---|---|---|---|
| medtronic | mycarelink_monitor_firmware | 24950 | cpe:2.3:o:medtronic:mycarelink_monitor_firmware:24950:*:*:*:*:*:*:* |
| medtronic | mycarelink_monitor_firmware | 24952 | cpe:2.3:o:medtronic:mycarelink_monitor_firmware:24952:*:*:*:*:*:*:* |
| medtronic | carelink_monitor_firmware | 2490c | cpe:2.3:o:medtronic:carelink_monitor_firmware:2490c:*:*:*:*:*:*:* |
| medtronic | carelink_2090_firmware | — | cpe:2.3:o:medtronic:carelink_2090_firmware:-:*:*:*:*:*:*:* |
| medtronic | amplia_crt-d_firmware | — | cpe:2.3:o:medtronic:amplia_crt-d_firmware:-:*:*:*:*:*:*:* |
| medtronic | claria_crt-d_firmware | — | cpe:2.3:o:medtronic:claria_crt-d_firmware:-:*:*:*:*:*:*:* |
| medtronic | compia_crt-d_firmware | — | cpe:2.3:o:medtronic:compia_crt-d_firmware:-:*:*:*:*:*:*:* |
| medtronic | concerto_crt-d_firmware | — | cpe:2.3:o:medtronic:concerto_crt-d_firmware:-:*:*:*:*:*:*:* |
| medtronic | concerto_ii_crt-d_firmware | — | cpe:2.3:o:medtronic:concerto_ii_crt-d_firmware:-:*:*:*:*:*:*:* |
| medtronic | consulta_crt-d_firmware | — | cpe:2.3:o:medtronic:consulta_crt-d_firmware:-:*:*:*:*:*:*:* |
| medtronic | evera_icd_firmware | — | cpe:2.3:o:medtronic:evera_icd_firmware:-:*:*:*:*:*:*:* |
| medtronic | maximo_ii_crt-d_and_lcd_firmware | — | cpe:2.3:o:medtronic:maximo_ii_crt-d_and_lcd_firmware:-:*:*:*:*:*:*:* |
| medtronic | mirro_icd_firmware | — | cpe:2.3:o:medtronic:mirro_icd_firmware:-:*:*:*:*:*:*:* |
| medtronic | nayamed_nd_icd_firmware | — | cpe:2.3:o:medtronic:nayamed_nd_icd_firmware:-:*:*:*:*:*:*:* |
| medtronic | primo_icd_firmware | — | cpe:2.3:o:medtronic:primo_icd_firmware:-:*:*:*:*:*:*:* |
| medtronic | protecta_icd_and_crt-d_firmware | — | cpe:2.3:o:medtronic:protecta_icd_and_crt-d_firmware:-:*:*:*:*:*:*:* |
| medtronic | secura_icd_firmware | — | cpe:2.3:o:medtronic:secura_icd_firmware:-:*:*:*:*:*:*:* |
| medtronic | virtuoso_icd_firmware | — | cpe:2.3:o:medtronic:virtuoso_icd_firmware:-:*:*:*:*:*:*:* |
| medtronic | virtuoso_ii_icd_firmware | — | cpe:2.3:o:medtronic:virtuoso_ii_icd_firmware:-:*:*:*:*:*:*:* |
| medtronic | visia_af_icd_firmware | — | cpe:2.3:o:medtronic:visia_af_icd_firmware:-:*:*:*:*:*:*:* |
| medtronic | viva_crt-d_firmware | — | cpe:2.3:o:medtronic:viva_crt-d_firmware:-:*:*:*:*:*:*:* |
| URL | Tags |
|---|---|
| http://www.securityfocus.com/bid/107544 | Third Party Advisory VDB Entry |
| https://ics-cert.us-cert.gov/advisories/ICSMA-19-080-01 | Mitigation Third Party Advisory US Government Resource |