CVE-2011-3386
CVE-2011-3386 is a medium-severity vulnerability in Medtronic Paradigm Wireless Insulin Pump with a CVSS 2.0 base score of 4.0. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low.
Key facts
- Severity: Medium (CVSS 2.0 base score 4.0)
- EPSS exploit prediction: 1% (70th percentile)
- Actively exploited: Not listed in CISA KEV
- Affected product: Medtronic Paradigm Wireless Insulin Pump
- Published:
- Last modified:
Description
Unspecified vulnerability in Medtronic Paradigm wireless insulin pump 512, 522, 712, and 722 allows remote attackers to modify the delivery of an insulin bolus dose and cause a denial of service (adverse human health effects) via unspecified vectors involving wireless communications and knowledge of the device's serial number, as demonstrated by Jerome Radcliffe at the Black Hat USA conference in August 2011. NOTE: the vendor has disputed the severity of this issue, saying "we believe the risk of deliberate, malicious, or unauthorized manipulation of medical devices is extremely low... we strongly believe it would be extremely difficult for a third-party to wirelessly tamper with your insulin pump... you would be able to detect tones on the insulin pump that weren't intentionally programmed and could intervene accordingly."
Frequently asked questions
- What is CVE-2011-3386?
- Unspecified vulnerability in Medtronic Paradigm wireless insulin pump 512, 522, 712, and 722 allows remote attackers to modify the delivery of an insulin bolus dose and cause a denial of service (adverse human health effects) via unspecified vectors involving wireless communications and knowledge of the device's serial number, as demonstrated by Jerome Radcliffe at the Black Hat USA conference in August 2011. NOTE: the vendor has disputed the severity of this issue, saying "we believe the risk of deliberate, malicious, or unauthorized manipulation of medical devices is extremely low... we strongly believe it would be extremely difficult for a third-party to wirelessly tamper with your insulin pump... you would be able to detect tones on the insulin pump that weren't intentionally programmed and could intervene accordingly."
- How severe is CVE-2011-3386?
- CVE-2011-3386 has a CVSS 2.0 base score of 4.0, rated medium severity.
- Is CVE-2011-3386 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 1% (70th percentile), an estimate of the probability of exploitation in the next 30 days.
- What products are affected by CVE-2011-3386?
- CVE-2011-3386 primarily affects Medtronic Paradigm Wireless Insulin Pump. In total, 4 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
- How do I fix CVE-2011-3386?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround.
- When was CVE-2011-3386 published?
- CVE-2011-3386 was published on 2011-09-02 and last updated on 2026-06-16.
References
- http://sixuntilme.com/blog2/2011/08/hacked_jay_radcliffe_insulin_p.html
- http://www.darkreading.com/security/vulnerabilities/231300312/getting-root-on-the-human-body.html
- http://www.foxnews.com/scitech/2011/08/04/insulin-pumps-vulnerable-to-hacking/?test=faces
- http://www.hanselman.com/blog/HackersCanKillDiabeticsWithInsulinPumpsFromAHalfMileAwayUmNoFactsVsJournalisticFearMongering.aspx
- http://www.informationweek.com/news/security/vulnerabilities/231600265
- http://www.loop-blog.com/Blog_Full_Post?id=a09C000000Dbz3JIAR
- http://www.scmagazineus.com/black-hat-insulin-pumps-can-be-hacked/article/209106/
- https://exchange.xforce.ibmcloud.com/vulnerabilities/69643
Affected products (4)
- cpe:2.3:h:medtronic:paradigm_wireless_insulin_pump:512:*:*:*:*:*:*:*
- cpe:2.3:h:medtronic:paradigm_wireless_insulin_pump:522:*:*:*:*:*:*:*
- cpe:2.3:h:medtronic:paradigm_wireless_insulin_pump:712:*:*:*:*:*:*:*
- cpe:2.3:h:medtronic:paradigm_wireless_insulin_pump:722:*:*:*:*:*:*:*