Cyber Resilience

CVE-2025-12995

Severity: High
Published: 04 December 2025
Modified: 22 December 2025
KEV Added: not listed
CVSS v3.1 base score: 8.1 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS score: 0.0009 (25.1th percentile)
Risk priority: 16 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-12995 is a high-severity Improper Restriction of Excessive Authentication Attempts (CWE-307) vulnerability in Medtronic Carelink Network. Its CVSS base score is 8.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Brute Force (T1110). The CVE is ranked at the 25.1th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-7 (Unsuccessful Logon Attempts) and IA-6 (Authentication Feedback).

Deeper analysis

CVE-2025-12995 is a vulnerability in the Medtronic CareLink Network that allows an unauthenticated remote attacker to perform a brute force attack on an API endpoint, potentially enabling the determination of a valid password under certain circumstances. This issue affects CareLink Network versions prior to December 4, 2025. The vulnerability carries a CVSS v3.1 base score of 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) and is classified under CWE-307: Improper Restriction of Excessive Authentication Attempts.

An unauthenticated attacker with network access can exploit this vulnerability remotely without requiring privileges or user interaction, though the attack involves high complexity. Successful brute forcing of the API endpoint could result in high impacts to confidentiality, integrity, and availability, such as unauthorized access to the system via discovered credentials.

Medtronic has published a security bulletin detailing the CareLink Network vulnerabilities, including this issue, with guidance on mitigation at https://www.medtronic.com/en-us/e/product-security/security-bulletins/carelink-network-vulnerabilities.html.


Vulnerability details

Medtronic CareLink Network allows an unauthenticated remote attacker to perform a brute force attack on an API endpoint that could be used to determine a valid password under certain circumstances. This issue affects CareLink Network: before December 4, 2025.


Related Threats

MITRE ATT&CK Enterprise Techniques (AI-assisted mapping)

- T1110 Brute Force (Credential Access): Adversaries may use brute force techniques to gain access to accounts when passwords are unknown or when password hashes are obtained.
- T1110.001 Password Guessing (Credential Access): Adversaries with no prior knowledge of legitimate credentials within the system or environment may guess passwords to attempt access to accounts.
- T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

Why these techniques?

The vulnerability lacks restrictions on excessive authentication attempts, enabling brute force password guessing (T1110, T1110.001) on a public-facing API endpoint (T1190).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-25595 (shared CWE-307)
CVE-2026-36959 (shared CWE-307)
CVE-2026-32295 (shared CWE-307)
CVE-2025-67853 (shared CWE-307)
CVE-2026-27981 (shared CWE-307)
CVE-2026-33640 (shared CWE-307)
CVE-2024-51476 (shared CWE-307)
CVE-2025-64310 (shared CWE-307)
CVE-2023-54347 (shared CWE-307)
CVE-2026-8760 (shared CWE-307)

Affected Assets

Medtronic CareLink Network, versions ≤ 2025-12-04

Mitigating Controls

Mitigating Controls (NIST 800-53 r5, AI-assisted mapping)

- AC-7 Unsuccessful Logon Attempts (prevent): Directly enforces limits on consecutive invalid logon attempts and account lockouts, preventing brute force attacks on the API authentication endpoint.
- IA-6 Authentication Feedback (prevent): Obscures feedback during authentication to prevent attackers from distinguishing valid versus invalid credentials, hindering brute force password determination.
- Denial-of-service protection (prevent): Provides protections such as rate limiting that mitigate resource exhaustion from excessive authentication attempts on the remote API endpoint.
