Vulnerability Research
MedTech Vulnerability Landscape Report
The most common vulnerabilities found in medical device penetration tests, broken out by device class.
Published: June 15, 2026 · Last reviewed: June 15, 2026
Executive summary
This report quantifies which classes of vulnerabilities medical device manufacturers are most likely to ship — and how the pattern shifts across device categories. The goal is to give product teams a triage map: where to invest hardening effort first based on their device class.
Findings are drawn from anonymized engagement reports across penetration tests and threat-led security assessments completed between 2022 and 2025.
Pending analyst extract and legal review — numeric findings will be populated before the public release.
Methodology
- Sample: Penetration test engagements completed 2022–2025.
- Time period: January 2022 – December 2025
- Inclusion criteria
  - Engagements that produced a final report delivered to the client.
  - Findings classified to a CWE category by the testing engineer at delivery time.
  - Engagements covering medical devices, embedded MedTech accessories, or SaMD applications.
- Limitations
  - Sample is not random; engagements were initiated by clients seeking pre-submission testing.
  - Severity ratings reflect Blue Goat Cyber's internal CVSS-aligned rubric, not a third-party score.
  - Device-class buckets approximate FDA product code groupings but are not 1:1.
- Anonymization
  - All client and product names removed before analysis; records are keyed by an internal study ID.
  - Device-specific identifiers (510(k) numbers, De Novo numbers, UDIs) stripped from the source dataset.
  - Findings reported only at aggregate level; minimum cell size of 5 to prevent re-identification.
  - Free-text deficiency excerpts paraphrased; no verbatim FDA correspondence is reproduced.
Key findings
1. Most common CWE family across all device classes. Pending extract.
2. Cardiac vs. surgical robotics show distinct vulnerability profiles. Pending extract.
3. Average critical-severity findings per engagement. Pending extract.
Charts
All charts are free to re-use with attribution to Blue Goat Cyber. Each chart has an embed-friendly URL — see the press kit for the iframe snippet.
Top 10 CWE categories across all engagements
Chart pending. Share of total findings by CWE family.
Source: Blue Goat Cyber penetration test dataset, 2022–2025. · Unit: % of findings

Findings per engagement by device class
Chart pending. Average findings per engagement, broken out by device class and severity.
Source: Blue Goat Cyber penetration test dataset, 2022–2025. · Unit: findings per engagement

Severity distribution of findings
Chart pending. Share of findings rated Critical, High, Medium, or Low.
Source: Blue Goat Cyber penetration test dataset, 2022–2025. · Unit: % of findings

BLE/RF findings by device class
Chart pending. Average BLE or radio findings per engagement, by device class.
Source: Blue Goat Cyber BLE/RF testing subset, 2022–2025. · Unit: findings per engagement

Most common vulnerable components observed in SBOMs
Chart pending. Share of analyzed SBOMs containing a known-vulnerable version of the listed component.
Source: Blue Goat Cyber SBOM analysis dataset, 2023–2025. · Unit: % of SBOMs

Average remediation time by severity
Chart pending. Median days from finding disclosure to client-confirmed remediation.
Source: Blue Goat Cyber retest dataset, 2022–2025. · Unit: days (median)
Cite this report
Blue Goat Cyber. (2026). MedTech Vulnerability Landscape Report. https://bluegoatcyber.com/research/medtech-vulnerability-landscape-2026
Sources & references
Primary sources cited in this article.
