Full Report
View CSAF 1. EXECUTIVE SUMMARY CVSS v4 8.7 ATTENTION: Exploitable remotely/low attack complexity Vendor: Dario Health Equipment: USB-C Blood Glucose Monitoring System Starter Kit Android Application, Application Database and Internet-based Server Infrastructure Vulnerabilities: Exposure of Private Personal Information to an Unauthorized Actor, Improper Output Neutralization For Logs, Storage of Sensitive Data In a Mechanism Without Access Control, Cleartext Transmission of Sensitive Information, Cross-site Scripting (XSS), Sensitive Cookie Without 'HttpOnly' Flag, Exposure of Sensitive Information Due To Incompatible Policies 2. RISK EVALUATION Successful exploitation of these vulnerabilities could allow an attacker to expose information, inject code, manipulate data, or achieve cross-site scripting (XSS), resulting in full session compromise. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS The following Dario Health products are affected: USB-C Blood Glucose Monitoring System Starter Kit Android Applications: Versions 5.8.7.0.36 and prior Dario Application Database and Internet-based Server Infrastructure: All versions 3.2 VULNERABILITY OVERVIEW 3.2.1 EXPOSURE OF PRIVATE PERSONAL INFORMATION TO AN UNAUTHORIZED ACTOR CWE-359 An attacker could expose cross-user Personal Identifiable Information (PII) and personal health information transmitted to the Android device via the Dario Health application database. CVE-2025-20060 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N). A CVSS v4 score has also been calculated for CVE-2025-20060. A base score of 8.7 has been calculated; the CVSS vector string is (CVSS4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N). 3.2.2 IMPROPER OUTPUT NEUTRALIZATION FOR LOGS CWE-117 Unauthenticated log effects metrics gathering incident response efforts and potentially exposes risk of injection attacks (ex log injection). CVE-2025-23405 has been assigned to this vulnerability. A CVSS v3.1 base score of 5.3 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N). A CVSS v4 score has also been calculated for CVE-2025-23405. A base score of 6.9 has been calculated; the CVSS vector string is (CVSS4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N). 3.2.3 STORAGE OF SENSITIVE DATA IN A MECHANISM WITHOUT ACCESS CONTROL CWE-921 Insecure file retrieval process that facilitates potential for file manipulation to affect product stability and confidentiality, integrity, authenticity, and attestation of stored data. CVE-2025-24843 has been assigned to this vulnerability. A CVSS v3.1 base score of 5.1 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L). A CVSS v4 score has also been calculated for CVE-2025-24843. A base score of 5.1 has been calculated; the CVSS vector string is (CVSS4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N). 3.2.4 CLEARTEXT TRANSMISSION OF SENSITIVE INFORMATION CWE-319 Lack of encryption in transit for cloud infrastructure facilitating potential for sensitive data manipulation or exposure. CVE-2025-24849 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.1 has been calculated; the CVSS vector string is (AV:A/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H). A CVSS v4 score has also been calculated for CVE-2025-24849. A base score of 7.5 has been calculated; the CVSS vector string is (CVSS4.0/AV:A/AC:H/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N). 3.2.5 IMPROPER NEUTRALIZATION OF INPUT DURING WEB PAGE GENERATION ('CROSS-SITE SCRIPTING') CWE-79 The Dario Health portal service application is vulnerable to XSS, which could allow an attacker to obtain sensitive information. CVE-2025-20049 has been assigned to this vulnerability. A CVSS v3.1 base score of 5.8 has been calculated; the CVSS vector string is (AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:N/A:N). A CVSS v4 score has also been calculated for CVE-2025-20049. A base score of 7.1 has been calculated; the CVSS vector string is (CVSS4.0/AV:N/AC:H/AT:P/PR:L/UI:A/VC:H/VI:N/VA:N/SC:H/SI:H/SA:H). 3.2.6 SENSITIVE COOKIE WITHOUT 'HTTPONLY' FLAG CWE-1004 Cookie policy is observable via built-in browser tools. In the presence of XSS, this could lead to full session compromise. CVE-2025-24318 has been assigned to this vulnerability. A CVSS v3.1 base score of 6.8 has been calculated; the CVSS vector string is (AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N). A CVSS v4 score has also been calculated for CVE-2025-24318. A base score of 5.9 has been calculated; the CVSS vector string is (CVSS4.0/AV:N/AC:H/AT:P/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N). 3.2.7 EXPOSURE OF SENSITIVE INFORMATION DUE TO INCOMPATIBLE POLICIES CWE-213 The Dario Health Internet-based server infrastructure is vulnerable due to exposure of development environment details, which could lead to unsafe functionality. CVE-2025-24316 has been assigned to this vulnerability. A CVSS v3.1 base score of 5.3 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N). A CVSS v4 score has also been calculated for CVE-2025-24316. A base score of 6.9 has been calculated; the CVSS vector string is (CVSS4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N). 3.3 BACKGROUND CRITICAL INFRASTRUCTURE SECTORS: Healthcare and Public Health COUNTRIES/AREAS DEPLOYED: Worldwide COMPANY HEADQUARTERS LOCATION: United States 3.4 RESEARCHER Noah Cutler and Manuel Del Rio of Accenture reported these vulnerabilities to CISA. 4. MITIGATIONS Dario Health recommends users update their Dario Health Android mobile application to the latest version. No other actions are required by users. Dario Health recommends users perform the following mitigations: Update the application from trusted sources. Don't use rooted/jailbroken devices. Avoid public untrusted networks For more information contact Dario Health directly. CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as: Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the Internet. Locate control system networks and remote devices behind firewalls and isolating them from business networks. When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices. CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures. CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies. CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets. Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies. Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents. CISA also recommends users take the following measures to protect themselves from social engineering attacks: Do not click web links or open attachments in unsolicited email messages. Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams. Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks. No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time. 5. UPDATE HISTORY February 27, 2025: Initial Publication
Analysis Summary
# Vulnerability: Multiple Vulnerabilities in Dario Health Diabetes Management System
## CVE Details
- CVE ID: Multiple (CVE-2025-20060, CVE-2025-23405, CVE-2025-24843, CVE-2025-24849, CVE-2025-20049)
- CVSS Score: Up to **8.7 (High)** (v4 for CVE-2025-20060)
- CWE: PII Exposure, Improper Output Neutralization, Access Control Issues, Cleartext Transmission, XSS, Insecure Cookie Handling.
## Affected Systems
- Products:
- USB-C Blood Glucose Monitoring System Starter Kit Android Applications
- Dario Application Database and Internet-based Server Infrastructure
- Dario Health portal service application
- Versions:
- Android Applications: Versions **5.8.7.0.36 and prior**
- Application Database and Server Infrastructure: **All versions**
- Configurations: Not specified, but several issues relate to network transmission and application use.
## Vulnerability Description
This advisory covers multiple vulnerabilities affecting Dario Health products that could lead to information disclosure, code injection, data manipulation, and session hijacking. Key issues include:
1. **CVE-2025-20060 (CVSS v4: 8.7):** Exposure of cross-user Personally Identifiable Information (PII) and personal health information transmitted to the Android device via the application database.
2. **CVE-2025-23405 (CVSS v4: 6.9):** Unauthenticated log effects gathering, potentially exposing risk of injection attacks (e.g., log injection).
3. **CVE-2025-24843 (CVSS v4: 5.1):** Insecure file retrieval process potentially allowing file manipulation, affecting stability, confidentiality, integrity, authenticity, and data attestation.
4. **CVE-2025-24849 (CVSS v4: 7.5):** Lack of encryption in transit for cloud infrastructure, potentially leading to sensitive data manipulation or exposure.
5. **CVE-2025-20049 (CVSS v4: 7.1):** Cross-Site Scripting (XSS) vulnerability in the Dario Health portal service application, allowing an attacker to obtain sensitive information.
6. **Unidentified CVE:** Sensitive Cookie Without 'HttpOnly' Flag, which, combined with XSS, could lead to full session compromise.
## Exploitation
- Status: **No known public exploitation** specifically targeting these vulnerabilities has been reported to CISA at this time.
- Complexity: **Low** (Stated for the highest severity finding; implies remote, unauthenticated, low-complexity initial access for some flaws).
- Attack Vector: **Network** (for PII exposure, cleartext transmission, XSS) and potentially **Local/Adjacent** (for file manipulation).
## Impact
- Confidentiality: **High** (Exposure of PII and health data).
- Integrity: **High** (Data manipulation potential via file retrieval flaw and potential injection attacks).
- Availability: **Medium/Low** (Potential impact on stability due to file manipulation).
## Remediation
### Patches
The provided context does **not** list specific patch versions released by Dario Health. Users must refer to the vendor advisory for specific version updates.
### Workarounds
The context primarily offers general cybersecurity hardening recommendations, which should be applied:
* Isolate ICS/health systems from corporate and internet networks using firewalls.
* When remote access is necessary, use secure methods like Virtual Private Networks (VPNs) and ensure VPNs are fully updated.
* Implement Defense-in-Depth strategies.
## Detection
The article does not provide specific IoCs or detection signatures for these security flaws. General detection strategies related to the identified flaw types include:
* Monitoring application and server logs for signs of injection attempts or abnormal unauthenticated activity (regarding CVE-2025-23405).
* Monitoring network traffic for unencrypted communications containing sensitive identifiers or health data (regarding cleartext transmission).
* Using web application firewalls/security scanners to detect potential XSS payloads against the portal application.
## References
- Vendor Advisory: Refer to the Dario Health vendor advisory for resolution details.
- Related CISA Document: View CSAF (link provided in context)
- General Guidance:
- Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies: hxxps://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf
- Cybersecurity Best Practices for Industrial Control Systems: hxxps://www.cisa.gov/sites/default/files/publications/Cybersecurity_Best_Practices_for_Industrial_Control_Systems.pdf
- ICS-TIP-12-146-01B (Intrusion Detection): hxxps://www.cisa.gov/uscert/ics/tips/ICS-TIP-12-146-01B
- Recognizing and Avoiding Email Scams: hxxps://www.cisa.gov/uscert/sites/default/files/publications/emailscams0905.pdf
- Avoiding Social Engineering and Phishing Attacks: hxxps://www.cisa.gov/uscert/ncas/tips/ST04-014