Security Advisories


August 14, 2019 - Product Security Notification for DICOM Vulnerability

Johnson & Johnson is aware of the recently published DICOM (Digital Imaging and Communications in Medicine) vulnerability identified as CVE-2019-11687. The DICOM standard is the international standard to transmit, store, retrieve, print, process, and display medical imaging information. This vulnerability is in the preamble defined by the DICOM File format, which could allow DICOM files stored on the media to have executable malware inserted.

We have analyzed our products and determined that the DICOM Vulnerability poses a low risk across products from the Johnson & Johnson Family of Companies. We have security controls in place to prevent exploitation of the vulnerability.

Additional details per product can be found in the advisory below:

If you are concerned that a product of the Johnson & Johnson Family of Companies has been impacted by a Cyber-attack related to this vulnerability, please immediately disconnect the system from your network and contact the Product Security Team at productsecurity@its.jnj.com.


May 24, 2019 - Product Security Notification for Microsoft Remote Desktop Services Vulnerability
(Updated May 31st, 2019)

Johnson & Johnson is currently monitoring the Remote Desktop Services remote code execution vulnerability (CVE-2019-0708), which was announced by Microsoft on May 14, 2019. This vulnerability affects systems that use remote desktop services on Windows XP, Windows 7, Windows 2003 and Windows 2008.

The vulnerability could allow an unauthenticated remote attacker to connect and run arbitrary code on the targeted system. This vulnerability is pre-authentication and requires no user interaction making it a "wormable" vulnerability, meaning an exploit could potentially spread quickly to other systems.

To address this vulnerability, Microsoft has released a patch along with security guidance on mitigations/workarounds. They recommend that the patch be installed, or mitigation be completed, as soon as possible.
Security Guidance and downloads Link

We are currently investigating the impact of this vulnerability on our products. If any further action is required, any product-specific updates and information will be distributed directly to customers.

Additional details per product can be found in the advisories below:

If you are concerned that a product of the Johnson & Johnson Family of Companies has been impacted by a Cyber-attack related to this vulnerability, please immediately disconnect the system from your network and contact the Product Security Team at productsecurity@its.jnj.com.



April 9, 2018 - Product Security Notification for Biosense Webster CARTO® 3

Biosense Webster, Inc. (BWI) reported controlled risk in the CARTO® 3 System related to operating system security patches and anti-virus signatures. BWI has produced a software update that applies operating system patches and anti-virus signature updates to close known vulnerabilities in the operating system of the affected product. This update will be applied to CARTO® 3 Systems starting in April 2018, as part of the free-of-charge CARTO® 3 Version 6 (V6) base software version, which is designed to upgrade compatible CARTO® 3 Systems running Version 4 (V4) and above. Additional details can be found in the advisory here:



January 12, 2018 - Product Security Notification for Meltdown and Spectre
(Updated April 12th, 2018)

Meltdown and Spectre vulnerabilities (https://www.us-cert.gov/ncas/alerts/TA18-004A) are two techniques that circumvent security in Windows, Mac, and Linux operating systems and have the capability to access passwords, proprietary and personal information, and/or encrypted communications that have been processed by computers, cloud servers, embedded devices, medical devices and smartphones.

We have determined that Meltdown and Spectre vulnerabilities pose a low risk across products from the Johnson & Johnson Family of Companies due to the required access to the underlying Operating System and additional security controls that must be defeated to exploit these vulnerabilities. There have been no reports of active exploitation to date involving our products.

As patches are provided by CPU and Operating System manufacturers, we are committed to investigating, testing, and applying necessary updates where appropriate. Customers with additional product or site-specific concerns should contact their sales or service representative. Any product-specific updates and information will be distributed directly to customers.

If you are concerned that a product of the Johnson & Johnson Family of Companies has been compromised, please immediately disconnect the system from your network and contact your service representative and/or productsecurity@its.jnj.com.



January 9, 2018 - Product Security Notification for Ethicon Generator Gen11

Ethicon Endo-Surgery, Inc. (Ethicon) is issuing a field cybersecurity routine update and patch to address a cybersecurity software vulnerability of the Gen11 when used with non-OEM devices. The identified risk associated with the Gen11 cybersecurity software vulnerability is considered a controlled risk. Additional details can be found at the DHS ICS-CERT website: Ethicon Generator Gen11



June 29, 2017 - Product Security Notification for Nyetya

Johnson & Johnson is currently monitoring the Nyetya threat (also referred to as Petya, NotPetya) that has been reported to affect companies worldwide. The Nyetya ransomware uses the same EternalBlue exploit on Windows SMBv1 vulnerabilities as the recent Wannacry ransomware attacks. Customers should refer to the below bulletins on Wannacry for additional information related to products and services provided by the Johnson & Johnson Family of Companies. This information will be updated if necessary. If you are concerned a product of the Johnson & Johnson Family of Companies has been impacted by this Cyber-attack, please immediately disconnect the system from your network and contact your service representative and/or productsecurity@its.jnj.com.


June 2, 2017 - Product Security Notification for WannaCry Ransomware
(Updated August 7th, 2017)

On May 12, 2017, a Ransomware Cyber-attack took place impacting institutions, including hospitals and utility companies, across the world. The WannaCry Ransomware takes advantage of a vulnerability within the Microsoft operating system to essentially “lock” access to the system and/or its data, demanding payment of a fee to unlock the device/data. A security patch is available from Microsoft for this specific vulnerability, MS17-010.

J&J recognizes that cybersecurity threats are constantly evolving. We have robust processes and systems in place to safeguard our networks, our products and our data which we regularly and consistently update. We believe in the strategy we have in place for protecting Johnson & Johnson. There has been no business impact to our internal networks or safety risk to our products as a result of the recent ransomware attacks.

Additional details per product can be found in the advisories below:


At Johnson & Johnson, we are continuing to monitor the situation and the potential impact it may have on products and services provided by the Johnson & Johnson Family of Companies. If you are concerned a product of the Johnson & Johnson Family of Companies has been impacted by this Cyber-attack, please immediately disconnect the system from your network and contact your service technician and/or productsecurity@its.jnj.com