CVE-2025-20615

Summary

The Qardio Arm iOS application exposes sensitive data such as usernames and passwords in a plist file. This allows an attacker to log in to production-level development accounts and access an engineering backdoor in the application. The engineering backdoor allows the attacker to send hex-based commands over a UI-based terminal.

Affected Software

VendorProductVersion RangeStatus
QardioHeart Health IOS Mobile Application2.7.4affected

Weaknesses

  • CWE-359: CWE-359

Workarounds

Qardio has not responded to requests to work with CISA to mitigate these vulnerabilities. Users of these affected products are invited to contact Qardio customer support https://www.qardio.com/about-us/#contact for additional information. Users should do the following to help mitigate the risk:

  • Disable Bluetooth when not in use.

  • Don't use this device in public or within Bluetooth range of malicious actors.

  • Only use trusted mobile apps from trusted providers.

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: total

References