MedTech Vulnerability Landscape Report
The most common vulnerabilities found in medical device penetration tests, broken out by device class.
Executive summary
This report quantifies which classes of vulnerabilities medical device manufacturers are most likely to ship - and how the pattern shifts across device categories. The goal is to give product teams a triage map: where to invest hardening effort first based on their device class.
Findings are drawn from anonymized engagement reports across penetration tests and threat-led security assessments completed between 2022 and 2025.
Pending analyst extract and legal review - numeric findings will be populated before the public release.
Methodology
- Sample
  - Penetration test engagements completed 2022-2025.
- Time period
  - January 2022 - December 2025.
- Inclusion criteria
  - Engagements that produced a final report delivered to the client.
  - Findings classified to a CWE category by the testing engineer at delivery time.
  - Engagements covering medical devices, embedded MedTech accessories, or SaMD applications.
- Limitations
  - Sample is not random; engagements were initiated by clients seeking pre-submission testing.
  - Severity ratings reflect Blue Goat Cyber's internal CVSS-aligned rubric, not a third-party score.
  - Device-class buckets approximate FDA product code groupings but are not 1:1.
- Anonymization
  - All client and product names removed before analysis; records are keyed by an internal study ID.
  - Device-specific identifiers (510(k) numbers, De Novo numbers, UDIs) stripped from the source dataset.
  - Findings reported only at aggregate level; minimum cell size of 5 to prevent re-identification.
  - Free-text deficiency excerpts paraphrased; no verbatim FDA correspondence is reproduced.
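As an added illustration of the aggregation and minimum-cell-size rule above (example code written for this page, not Blue Goat Cyber's analysis pipeline), the following Python applies the rule to a constructed set of anonymized findings. The device classes, CWE families and counts are made up, and withholding a device-class total when exactly one of its cells is suppressed is an assumed complement that the report itself does not describe.

```python
from collections import Counter

# Constructed, illustrative records in the shape the methodology describes:
# anonymized findings keyed only by device class, CWE family and severity.
# (device_class, cwe_family, severity, count) -- not the report's dataset.
SAMPLE_SPEC = [
    ("cardiac", "CWE-287", "High", 6),
    ("cardiac", "CWE-319", "Medium", 5),
    ("cardiac", "CWE-798", "Critical", 5),
    ("surgical_robotics", "CWE-287", "High", 5),
    ("surgical_robotics", "CWE-120", "Critical", 7),
    ("surgical_robotics", "CWE-798", "Critical", 1),
    ("infusion_pump", "CWE-287", "High", 3),
    ("infusion_pump", "CWE-319", "Medium", 3),
    ("infusion_pump", "CWE-79", "Low", 2),
]
FINDINGS = [(d, c, s) for d, c, s, n in SAMPLE_SPEC for _ in range(n)]

MIN_CELL = 5  # the report's minimum cell size


def aggregate_by_class(findings, min_cell=MIN_CELL):
    """Count findings per (device_class, cwe_family); cells below min_cell
    become None. A device-class total is also withheld when exactly one of
    its cells is suppressed, since total minus the published cells would
    give the hidden count away (assumed complement to the page's rule)."""
    counts = Counter((d, c) for d, c, _ in findings)
    cells = {key: (n if n >= min_cell else None) for key, n in counts.items()}
    totals = {}
    for d in sorted({d for d, _, _ in findings}):
        row = [cells[key] for key in cells if key[0] == d]
        raw_total = sum(n for (d2, _), n in counts.items() if d2 == d)
        totals[d] = None if row.count(None) == 1 else raw_total
    return cells, totals


def share_by_cwe(findings, min_cell=MIN_CELL):
    """Share of all findings per CWE family in % of findings (the unit of the
    report's top-10 chart); families under min_cell are reported as None."""
    total = len(findings)
    per_family = Counter(c for _, c, _ in findings)
    return {c: (round(100 * n / total, 1) if n >= min_cell else None)
            for c, n in per_family.items()}


if __name__ == "__main__":
    cells, totals = aggregate_by_class(FINDINGS)
    for key in sorted(cells):
        print(key, "<suppressed>" if cells[key] is None else cells[key])
    print("totals:", totals)
    print("share by CWE (%):", share_by_cwe(FINDINGS))
```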
Key findings
1. Most common CWE family across all device classes. (Pending extract.)
2. Cardiac vs. surgical robotics show distinct vulnerability profiles. (Pending extract.)
3. Average critical-severity findings per engagement. (Pending extract.)
Charts
All charts are free to re-use with attribution to Blue Goat Cyber. Each chart has an embed-friendly URL - see the press kit for the iframe snippet.
Top 10 CWE categories across all engagements
Share of total findings by CWE family. (Internal extract pending.)
Source: Blue Goat Cyber penetration test dataset, 2022-2025. · Unit: % of findings
Findings per engagement by device class
Average findings per engagement, broken out by device class and severity. (Internal extract pending.)
Source: Blue Goat Cyber penetration test dataset, 2022-2025. · Unit: findings per engagement
Severity distribution of findings
Share of findings rated Critical, High, Medium, or Low. (Internal extract pending.)
Source: Blue Goat Cyber penetration test dataset, 2022-2025. · Unit: % of findings
BLE/RF findings by device class
Average BLE or radio findings per engagement, by device class. (Internal extract pending.)
Source: Blue Goat Cyber BLE/RF testing subset, 2022-2025. · Unit: findings per engagement
Most common vulnerable components observed in SBOMs
Share of analyzed SBOMs containing a known-vulnerable version of the listed component. (Internal extract pending.)
Source: Blue Goat Cyber SBOM analysis dataset, 2023-2025. · Unit: % of SBOMs
Average remediation time by severity
Median days from finding disclosure to client-confirmed remediation. (Internal extract pending.)
Source: Blue Goat Cyber retest dataset, 2022-2025. · Unit: days (median)
Cite this report
Blue Goat Cyber. (2026). MedTech Vulnerability Landscape Report. https://bluegoatcyber.com/research/medtech-vulnerability-landscape-2026
Sources & references
Primary sources cited in this article.