In this issue
-
FDA & US regulatory
Letters, guidance, enforcement
-
CISA KEV & CVEs
Vulnerabilities in your SBOM
-
Standards & international
AAMI, ISO, IEC, EU MDCG
-
What to do this week
Concrete actions for security leads
The recent addition of multiple embedded vulnerabilities to the CISA Known Exploited Vulnerabilities catalog signals a shift in federal oversight for medical device manufacturers. Regulatory pressure is mounting as the FDA increases the frequency of postmarket update letters focused on vulnerability disclosure and software bill of materials maintenance.
While this week has been relatively quiet, the last 90 days have seen significant movements in both regulatory expectations and technical requirements. Manufacturers must navigate new entries in the Known Exploited Vulnerabilities (KEV) catalog and emerging standards from AAMI that clarify how security risk management should be documented and traced.
This recap summarizes the most critical developments from the past quarter to help security and regulatory leads ensure their compliance posture remains current.
Key Takeaways
- CISA added a Linux kernel netfilter vulnerability (CVE-2026-0511) to the KEV catalog, impacting embedded systems.
- A widely used Bluetooth Low Energy (BLE) pairing bypass is now on the KEV, moving the needle from monitoring to active remediation.
- The FDA is issuing more postmarket cybersecurity update letters citing missing Coordinated Vulnerability Disclosure (CVD) links.
- A new draft amendment for ANSI/AAMI SW96 aims to tighten the traceability between threat models and design controls.
In this brief
- Why This Matters
- Linux Kernel Netfilter Vulnerability Added to KEV
- Embedded BLE Pairing Bypass Triggers Regulatory Action
- AAMI SW96 Amendment Clarifies Traceability Requirements
- FDA Increases Postmarket Cybersecurity Update Letter Cadence
- What to do this week
- How Blue Goat Cyber Helps
- FAQ
Why This Matters
For medical device manufacturers, a KEV listing is no longer just a federal agency requirement. It serves as a benchmark for what the FDA and hospital procurement teams consider "known risks" that require immediate attention. Failing to address these items or maintain an accurate SBOM can lead to administrative delays in market cleared devices and increased scrutiny during premarket submissions.
Linux Kernel Netfilter Vulnerability Added to KEV
On April 22, 2026, CISA added a use-after-free vulnerability in the Linux kernel netfilter (CVE-2026-0511) to the KEV catalog.
Embedded BLE Pairing Bypass Triggers Regulatory Action
CISA also added a Bluetooth Low Energy (BLE) pairing bypass to the KEV on April 15, 2026.
AAMI SW96 Amendment Clarifies Traceability Requirements
In late March, a draft for ANSI/AAMI SW96 Amendment 1 was circulated for member review.
FDA Increases Postmarket Cybersecurity Update Letter Cadence
Analysis from Blue Goat Cyber shows a year over year jump in the number of postmarket cybersecurity update letters issued by the FDA.
How Blue Goat Cyber Helps
Blue Goat Cyber provides specialized cybersecurity services for medical device manufacturers, including penetration testing and regulatory strategy. Our team works with you to bridge the gap between technical security findings and FDA compliance requirements. To learn more about how we can support your premarket or postmarket efforts, visit our services page.
FAQ
What is a CVD URL? It is a dedicated web address where external researchers can find instructions on how to securely report vulnerabilities found in your devices.
Does a KEV listing require a mandatory recall? No, but it typically requires a formal risk assessment and a communicated plan for mitigation or patching to the FDA and users.
How often should an SBOM be updated? The FDA increasingly expects an SBOM update at least every 12 months or whenever a significant change is made to the software.
Get the next issue
To stay informed on the latest medical device security trends, subscribe at /news/the-goats-weekly.