CPATH-2026-0037 · MEDICAL IOT

Medtronic MiniMed / NGP 600 series insulin pumps - RF pairing protocol allows bolus/delivery manipulation

Provisional. Candidate score (CFSE Consequence Paths 1.0-candidate); pending independent review. Treat as a structured second opinion, not a final rating.

Paths CRITICAL Dominant consequence DEVICE_CONTROL_SAFETY Physical/safety · Evidence EV:2 (report-backed) · Liveness PARTIALLY_MITIGATED

CPATH ID	`CPATH-2026-0037`
CVE(s)	CVE-2022-32537
Device / class	Medtronic MiniMed / NGP 600 series insulin pumps - RF pairing protocol allows bolus/delivery manipulation (MEDICAL IOT)
Vendor	Medtronic
Dominant consequence	`DEVICE_CONTROL_SAFETY` (Physical/safety)
Paths verdict	CRITICAL (worst of 1 path)
Published baseline	v3.1 4.8 MEDIUM `CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N` · security via NVD / NVD
Baseline relationship	▼ Paths higher
Consequence dimension(s)	#1 (what these mean)
Scored	2026-06-03 · CFSE Consequence Paths v1.0-candidate · validation: provisional
Baseline confidence	high

Consequence Paths

Paths Assessment

Physical/safety

`DEVICE_CONTROL_SAFETY`

CRITICAL

Reachability RE:2

Complexity EC:1

Consequence DEVICE_CONTROL_SAFETY

Scale SR:1 / SX:1

Verdict CRITICAL

Reachability 2

Complexity 1

Exposure 1

Physical / safety 4

Data / perception 0

Authority 3

Chainability 2

Reuse scale 1

Execution scale 1

Recovery 2

Evidence EV:2 · report-backed

Liveness PARTIALLY_MITIGATED

Vector

CPATH:1.0-candidate/TT:DEVICE_CONTROL_SAFETY/RE:2/EC:1/EX:1/PH:4/DP:0/AT:3/CH:2/SR:1/SX:1/OR:2/EV:2/LS:PARTIALLY_MITIGATED

Assessment

CFSE Consequence Paths assesses Medtronic MiniMed / NGP 600 series insulin pumps - RF pairing protocol allows bolus/delivery manipulation at CRITICAL — the worst of 1 risk path (safety). The dominant consequence is influence over a safety-relevant actuation.

Vulnerability

Medtronic MiniMed / NGP 600 series insulin pumps - RF pairing protocol allows bolus/delivery manipulation.

CFSE Consequence Paths analysis

The vulnerability is decomposed into one risk path per terminal consequence. Each path is scored on its exposure (reachability × execution complexity) and the authority, perception, and physical/safety it reaches, together with its scale of reuse, scale of execution, and recoverability.

`DEVICE_CONTROL_SAFETY` → CRITICAL

CPATH:1.0-candidate/TT:DEVICE_CONTROL_SAFETY/RE:2/EC:1/EX:1/PH:4/DP:0/AT:3/CH:2/SR:1/SX:1/OR:2/EV:2/LS:PARTIALLY_MITIGATED

Exposure EX=1 (execution complexity-bound) · bands PH=CRITICAL · DP=MONITOR · AT=HIGH → base CRITICAL · caps low-exposure cap → assessed CRITICAL.

Adjacent RF only (AV:A), attacker must be in wireless proximity during component pairing -> RE:2 (BLE/RF/local-net/proximity). Execution requires high skill, specialized equipment, proximity, and catching the specific pairing event (AC:H, fragile/timing-dependent) -> EC:1. By impersonating a trusted paired component the attacker injects/modifies delivery commands (service/command authority over the pump, but not root-of-trust or firmware/signing) -> AT:3. Credible injury: stopping/slowing insulin (hyperglycemia/DKA) or unintended bolus (hypoglycemia) -> PH:4. CVSS C:N, integrity-only; no confidentiality/perception as scored impact -> DP:0, perception_feeds_action false. Crosses RF/device/physical->safety boundary -> boundary_crossing true, CH:2 (single device-control hop, no reusable cross-domain authority bridge). No portable shared key/credential demonstrated; per-pairing window per device -> SR:1. Per-patient proximity, one-at-a-time, not remotely scalable -> SX:1. Mitigations are largely procedural and do not eliminate the RF design weakness; manipulation may be hard for patient to attribute, but recovery is per-device/procedural not fleet reprovision -> OR:2, recovery_needs_fleet_action false. Report/vendor/researcher-confirmed, no in-the-wild use -> EV:2, LS PARTIALLY_MITIGATED.
active_exploitation — false.

Published baseline

v3.1 4.8 MEDIUM — CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N — security via NVD / NVD

The published baseline above is retained for source review. The registry records the reachable consequence path, including deployment-specific cyber-physical consequence, physical/safety impact, scale, and recovery burden.

Sources

NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-32537

Score it yourself in the calculator Review this score

Cite this entry:

CFSE Consequence Paths Registry v1.0-candidate, entry CPATH-2026-0037 (“Medtronic MiniMed / NGP 600 series insulin pumps - RF pairing protocol allows bolus/delivery manipulation”), paths.cfse.ai/CPATH-2026-0037 (published 2026-06-03).