Microsoft Remote Desktop Protocol (RDP) Vulnerability SECURITY BULLETIN

May 28, 2019

VULNERABILITY SUMMARY

On May 14, 2019, Microsoft announced a cybersecurity vulnerability regarding Remote Code Execution and involving the Remote Desktop Protocol (RDP). This vulnerability (CVE‑2019‑0708) could allow an unauthorized individual to access and potentially change the settings of certain versions of the Windows operating system. Medical devices which leverage the Windows operating system may also be impacted.

To date, no cyberattack, data breach, or patient harm involving a Medtronic product has been observed or associated with this vulnerability.

MITIGATIONS

Medtronic has taken all available precautions, as noted by Microsoft, to ensure our infrastructure, technical systems and products are patched and secured. Our technical teams continue to monitor and analyze the situation to better understand any potential impact to our products, as well as our enterprise environment.

To date, we have confirmed there is no impact to Medtronic products. Customers using Medtronic software should follow the recommended patching process. Medtronic will continue to follow established coordinated disclosure processes for any significant security vulnerabilities associated with our products.

Our enterprise and product security teams are closely monitoring this evolving situation, and we will continue to take appropriate actions as circumstances dictate, including patching and additional mitigations that may become available. At Medtronic, we take cybersecurity matters seriously and have teams continuously engaged in these matters.

Additional Resources

The National Cybersecurity Communications and Integrations Center has issued an alert with more information on this issue and potential mitigations.

Customers needing additional information should work with their designated Medtronic service representative.