BGC Risk Score
Blue Goat Cyber MedTech rubric v1.0 · methodology
Not published
No direct patient impact inferred
On CISA KEV (in-the-wild)
4/10 network-reachable signals
How we got to 4.2
- 1
CVSS technical severity (40%)
Industry-standard exploitability + impact score. We prefer CVSS 4.0 and fall back to 3.1 per the FDA's Feb 2026 premarket cybersecurity guidance. Missing CVSS scores get a neutral 4.0 so unknown vulns are not over- or under-rated.
No CVSS published yet · neutral 4.0 × 40% = +1.60 - 2
Patient safety impact (35%)
What happens to a patient if this vuln is exploited on a connected device. Auto-inferred from headline, dek, tags, and device class against a curated MedTech keyword library (pacemaker, infusion pump, EHR, PACS, etc.).
No direct patient impact inferred → 2 × 35% = +0.70 - 3
Exploit maturity (15%)
Is anyone actually using this in attacks? KEV listing > weaponized exploit > public PoC > none. KEV alone forces tier=critical regardless of CVSS.
On CISA KEV (in-the-wild) → 10 × 15% = +1.50 - 4
MedTech exposure (10%)
How likely this affects clinical operations: presence in our MedTech feed (+4 baseline), network-reachable signals (+3), known device-class tags (+2), identified MedTech vendor (+1).
Exposure 4/10 × 10% = +0.40
Tier cutoffs: Critical ≥ 8.5 · High 7.0–8.4 · Notable 4.0–6.9 · Info < 4.0. Full methodology, weights, and changelog at /goatfeed/risk-rubric.
CVE: CVE-2026-20805
Vendor / product: Microsoft Windows
KEV added: 2026-01-13 · Federal due date: 2026-02-03
Vulnerability
Microsoft Windows Desktop Windows Manager contains an information disclosure vulnerability that allows an authorized attacker to disclose information locally.
Required action
Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.