Cyber Posture

CVE-2025-12995

Severity: High
Published: 04 December 2025
Modified: 22 December 2025
KEV Added: not listed
Patch: see the Medtronic security bulletin linked below
CVSS Score: 8.1 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0007 (22.2nd percentile)
Risk Priority: 16 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-12995 is a high-severity Improper Restriction of Excessive Authentication Attempts (CWE-307) vulnerability in Medtronic CareLink Network. Its CVSS v3.1 base score is 8.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Brute Force (T1110). Its EPSS score of 0.0007 ranks it at the 22.2nd percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-7 (Unsuccessful Logon Attempts) and IA-6 (Authentication Feedback).

Threat & Defense at a Glance

What attackers do: exploitation maps to Brute Force (T1110) and two related techniques, Password Guessing (T1110.001) and Exploit Public-Facing Application (T1190). What defenders deploy: the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

AC-7 Unsuccessful Logon Attempts (prevent): Directly enforces limits on consecutive invalid logon attempts and account lockouts, preventing brute-force attacks on the API authentication endpoint.

IA-6 Authentication Feedback (prevent): Obscures feedback during authentication so an attacker cannot distinguish valid from invalid credentials, hindering brute-force password determination.

Denial-of-service protection (prevent): Provides protections such as rate limiting that mitigate resource exhaustion from excessive authentication attempts on the remote API endpoint.
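The three controls above, applied to a generic API password check. This is an added example written for this page, not CareLink code or Medtronic guidance; the class names, the policy values (5 attempts, 15-minute lockout, 20 requests per minute per source) and the PBKDF2 parameters are assumptions. WeakAuth shows the CWE-307 pattern with errors that reveal which part of the check failed; HardenedAuth adds AC-7 lockout, IA-6 uniform feedback and a per-source throttle.

```python
"""Weak vs. hardened API login (added example; not CareLink code).

AC-7: lockout after repeated failures. IA-6: identical work and identical
error whether or not the account exists. Rate limiting: per-source throttle
applied before any expensive work. All names and policy values are assumed.
"""
import hashlib
import hmac
import os
import time
from collections import defaultdict

MAX_ATTEMPTS = 5            # AC-7: consecutive failures tolerated per account (assumed policy)
LOCKOUT_SECONDS = 900       # AC-7: lockout duration (assumed policy)
SOURCE_RATE_LIMIT = 20      # requests allowed per source per window (assumed policy)
WINDOW_SECONDS = 60
PBKDF2_ITERATIONS = 20_000  # kept low so the example runs quickly; use far more in production


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def make_user(password: str) -> tuple:
    """Return (salt, digest) for a constructed test account."""
    salt = os.urandom(16)
    return salt, _hash(password, salt)


# Constructed decoy credential so unknown users cost the same work as real ones (IA-6).
DUMMY_SALT = os.urandom(16)
DUMMY_DIGEST = os.urandom(32)


class WeakAuth:
    """The CWE-307 pattern: unlimited attempts and errors that reveal which part failed."""

    def __init__(self, users: dict):
        self.users = users

    def login(self, user: str, password: str):
        if user not in self.users:
            return False, "unknown user"          # confirms the account does not exist
        salt, digest = self.users[user]
        if _hash(password, salt) != digest:
            return False, "wrong password"        # confirms the account does exist
        return True, "ok"


class HardenedAuth:
    """Same check with lockout, uniform feedback and per-source throttling."""

    def __init__(self, users: dict, clock=time.monotonic):
        self.users = users
        self.clock = clock                        # injectable so tests can advance time
        self.failures = defaultdict(int)          # consecutive failures per account
        self.locked_until = {}                    # account -> lockout expiry
        self.source_hits = defaultdict(list)      # source -> recent request timestamps

    def login(self, user: str, password: str, source: str):
        now = self.clock()

        # Per-source throttle, evaluated before any hashing (denial-of-service protection).
        recent = [t for t in self.source_hits[source] if now - t < WINDOW_SECONDS]
        recent.append(now)
        self.source_hits[source] = recent
        if len(recent) > SOURCE_RATE_LIMIT:
            return False, "too many requests"

        # AC-7: a locked account rejects even the correct password until the window expires.
        if self.locked_until.get(user, 0.0) > now:
            return False, "authentication failed"

        # IA-6: same code path, same work and same message whether or not the user exists.
        salt, digest = self.users.get(user, (DUMMY_SALT, DUMMY_DIGEST))
        ok = hmac.compare_digest(_hash(password, salt), digest) and user in self.users
        if not ok:
            self.failures[user] += 1
            if self.failures[user] >= MAX_ATTEMPTS:
                self.locked_until[user] = now + LOCKOUT_SECONDS
                self.failures[user] = 0
            return False, "authentication failed"

        self.failures[user] = 0
        return True, "ok"


if __name__ == "__main__":
    users = {"clinician": make_user("correct horse battery")}   # constructed account
    weak, hard = WeakAuth(users), HardenedAuth(users)
    print(weak.login("nobody", "x"), weak.login("clinician", "x"))
    for _ in range(MAX_ATTEMPTS + 1):
        print(hard.login("clinician", "guess", "10.0.0.1"))
    print(hard.login("clinician", "correct horse battery", "10.0.0.1"))  # rejected: locked
```

Lockout by account is itself a denial-of-service lever against known usernames, which is why the per-source throttle and the uniform error message go with it rather than replacing it; production code would also bound the in-memory counters (the example keys failures by any submitted username) and return the same HTTP status code for every failure case.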

MITRE ATT&CK Enterprise Techniques

T1110 Brute Force (Credential Access): Adversaries may use brute force techniques to gain access to accounts when passwords are unknown or when password hashes are obtained.
T1110.001 Password Guessing (Credential Access): Adversaries with no prior knowledge of legitimate credentials within the system or environment may guess passwords to attempt access to accounts.
T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The affected API endpoint does not restrict repeated authentication attempts, enabling brute-force password guessing (T1110, T1110.001) against a public-facing endpoint (T1190).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

Medtronic CareLink Network allows an unauthenticated remote attacker to perform a brute force attack on an API endpoint that could be used to determine a valid password under certain circumstances. This issue affects CareLink Network: before December 4, 2025.

Deeper analysis

CVE-2025-12995 is a vulnerability in the Medtronic CareLink Network that allows an unauthenticated remote attacker to brute-force an API endpoint and, under certain circumstances, determine a valid password. It affects CareLink Network versions before December 4, 2025. The vulnerability carries a CVSS v3.1 base score of 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) and is classified under CWE-307: Improper Restriction of Excessive Authentication Attempts.

An unauthenticated attacker with network access can exploit this vulnerability remotely without privileges or user interaction. The only metric holding the score below Critical is Attack Complexity: High, which reflects the "under certain circumstances" qualifier in the NVD description; the same vector with AC:L would score 9.8. Successful brute forcing of the API endpoint could result in high impacts to confidentiality, integrity, and availability, since a recovered credential grants the attacker the access of the compromised account.

Medtronic has published a security bulletin detailing the CareLink Network vulnerabilities, including this issue, with guidance on mitigation at https://www.medtronic.com/en-us/e/product-security/security-bulletins/carelink-network-vulnerabilities.html.

Details

CWE(s): CWE-307 Improper Restriction of Excessive Authentication Attempts

Affected Products: Medtronic CareLink Network, versions before December 4, 2025

CVEs Like This One

CVE-2026-33667 (shared CWE-307)
CVE-2026-22616 (shared CWE-307)
CVE-2024-51476 (shared CWE-307)
CVE-2025-64310 (shared CWE-307)
CVE-2026-32295 (shared CWE-307)
CVE-2026-33640 (shared CWE-307)
CVE-2026-36959 (shared CWE-307)
CVE-2025-67853 (shared CWE-307)
CVE-2026-27981 (shared CWE-307)
CVE-2025-25595 (shared CWE-307)

References