CVE-2025-24836
CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:H
Summary
With a specially crafted Python script, an attacker could send continuous startMeasurement commands over an unencrypted Bluetooth connection to the affected device. This would prevent the device from connecting to a clinician's app to take patient readings and ostensibly flood it with requests, resulting in a denial-of-service condition.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Qardio | Heart Health IOS Mobile Application | 2.7.4 | affected |
| Qardio | Heart Health Android Mobile Application | 2.5.1 | affected |
| Qardio | QardioARM | All versions | affected |
Weaknesses
- CWE-248: CWE-248
Workarounds
Qardio has not responded to requests to work with CISA to mitigate these vulnerabilities. Users of these affected products are invited to contact Qardio customer support https://www.qardio.com/about-us/#contact for additional information. Users should do the following to help mitigate the risk:
Disable Bluetooth when not in use.
Don't use this device in public or within Bluetooth range of malicious actors.
Only use trusted mobile apps from trusted providers.
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: total
References
- https://www.cisa.gov/news-events/ics-medical-advisories/icsma-25-044-01
- https://www.qardio.com/about-us/#contact
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.