BGC Risk Score
Blue Goat Cyber MedTech rubric v1.0 · methodology
Not published
No direct patient impact inferred
On CISA KEV (in-the-wild)
7/10 network-reachable signals
How we got to 4.5
- 1
CVSS technical severity (40%)
Industry-standard exploitability + impact score. We prefer CVSS 4.0 and fall back to 3.1 per the FDA's Feb 2026 premarket cybersecurity guidance. Missing CVSS scores get a neutral 4.0 so unknown vulns are not over- or under-rated.
No CVSS published yet · neutral 4.0 × 40% = +1.60 - 2
Patient safety impact (35%)
What happens to a patient if this vuln is exploited on a connected device. Auto-inferred from headline, dek, tags, and device class against a curated MedTech keyword library (pacemaker, infusion pump, EHR, PACS, etc.).
No direct patient impact inferred → 2 × 35% = +0.70 - 3
Exploit maturity (15%)
Is anyone actually using this in attacks? KEV listing > weaponized exploit > public PoC > none. KEV alone forces tier=critical regardless of CVSS.
On CISA KEV (in-the-wild) → 10 × 15% = +1.50 - 4
MedTech exposure (10%)
How likely this affects clinical operations: presence in our MedTech feed (+4 baseline), network-reachable signals (+3), known device-class tags (+2), identified MedTech vendor (+1).
Exposure 7/10 × 10% = +0.70
Tier cutoffs: Critical ≥ 8.5 · High 7.0–8.4 · Notable 4.0–6.9 · Info < 4.0. Full methodology, weights, and changelog at /goatfeed/risk-rubric.
CVE: CVE-2026-32202
CVSS v3.1: 4.3 (MEDIUM) - `CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N`
Weakness: CWE-693
Vendor / product: Microsoft Windows
KEV added: 2026-04-28 · Federal due date: 2026-05-12
Vulnerability
Protection mechanism failure in Windows Shell allows an unauthorized attacker to perform spoofing over a network.
Required action
Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.