CVE-2025-24836

Summary

With a specially crafted Python script, an attacker could send continuous startMeasurement commands over an unencrypted Bluetooth connection to the affected device. This would prevent the device from connecting to a clinician's app to take patient readings and ostensibly flood it with requests, resulting in a denial-of-service condition.

Affected Software

VendorProductVersion RangeStatus
QardioHeart Health IOS Mobile Application2.7.4affected
QardioHeart Health Android Mobile Application2.5.1affected
QardioQardioARMAll versionsaffected

Weaknesses

  • CWE-248: CWE-248

Workarounds

Qardio has not responded to requests to work with CISA to mitigate these vulnerabilities. Users of these affected products are invited to contact Qardio customer support https://www.qardio.com/about-us/#contact for additional information. Users should do the following to help mitigate the risk:

  • Disable Bluetooth when not in use.

  • Don't use this device in public or within Bluetooth range of malicious actors.

  • Only use trusted mobile apps from trusted providers.

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: total

References