BGC Risk Score
Blue Goat Cyber MedTech rubric v1.0 · methodology
Not published
No direct patient impact inferred
On CISA KEV (in-the-wild)
4/10 network-reachable signals
How we got to 4.2
- 1
CVSS technical severity (40%)
Industry-standard exploitability + impact score. We prefer CVSS 4.0 and fall back to 3.1 per the FDA's Feb 2026 premarket cybersecurity guidance. Missing CVSS scores get a neutral 4.0 so unknown vulns are not over- or under-rated.
No CVSS published yet · neutral 4.0 × 40% = +1.60 - 2
Patient safety impact (35%)
What happens to a patient if this vuln is exploited on a connected device. Auto-inferred from headline, dek, tags, and device class against a curated MedTech keyword library (pacemaker, infusion pump, EHR, PACS, etc.).
No direct patient impact inferred → 2 × 35% = +0.70 - 3
Exploit maturity (15%)
Is anyone actually using this in attacks? KEV listing > weaponized exploit > public PoC > none. KEV alone forces tier=critical regardless of CVSS.
On CISA KEV (in-the-wild) → 10 × 15% = +1.50 - 4
MedTech exposure (10%)
How likely this affects clinical operations: presence in our MedTech feed (+4 baseline), network-reachable signals (+3), known device-class tags (+2), identified MedTech vendor (+1).
Exposure 4/10 × 10% = +0.40
Tier cutoffs: Critical ≥ 8.5 · High 7.0–8.4 · Notable 4.0–6.9 · Info < 4.0. Full methodology, weights, and changelog at /goatfeed/risk-rubric.
CVE: CVE-2023-41974
Vendor / product: Apple iOS and iPadOS
KEV added: 2026-03-05 · Federal due date: 2026-03-26
Vulnerability
Apple iOS and iPadOS contain a use-after-free vulnerability. An app may be able to execute arbitrary code with kernel privileges.
Required action
Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.