Full Report
1. EXECUTIVE SUMMARY
CVSS v4 7.2
ATTENTION: Low attack complexity
Vendor: Qardio
Equipment: Heart Health iOS application, Heart Health Android application, QardioARM A100
Vulnerabilities: Exposure of Private Personal Information to an Unauthorized Actor, Uncaught Exception, Files or Directories Accessible to External Parties

2. RISK EVALUATION
Successful exploitation of these vulnerabilities could allow an attacker to obtain sensitive information, cause a denial-of-service condition, and obtain firmware files.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS
The following Qardio products are affected:
Qardio Heart Health iOS Mobile Application: Version 2.7.4
Qardio Heart Health Android Mobile Application: Version 2.5.1
QardioARM A100: All versions

3.2 VULNERABILITY OVERVIEW

3.2.1 EXPOSURE OF PRIVATE PERSONAL INFORMATION TO AN UNAUTHORIZED ACTOR CWE-359
The Qardio Arm iOS application exposes sensitive data such as usernames and passwords in a plist file. This allows an attacker to log in to production-level development accounts and access an engineering backdoor in the application. The engineering backdoor allows the attacker to send hex-based commands over a UI-based terminal.
CVE-2025-20615 has been assigned to this vulnerability. A CVSS v3.1 base score of 6.2 has been calculated; the CVSS vector string is (AV:P/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L).
A CVSS v4 score has also been calculated for CVE-2025-20615. A base score of 6.9 has been calculated; the CVSS vector string is (AV:P/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N).

3.2.2 UNCAUGHT EXCEPTION CWE-248
With a specially crafted Python script, an attacker could send continuous startMeasurement commands over an unencrypted Bluetooth connection to the affected device. This would flood the device with requests and prevent it from connecting to a clinician's app to take patient readings, resulting in a denial-of-service condition.
CVE-2025-24836 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.1 has been calculated; the CVSS vector string is (AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:H).
A CVSS v4 score has also been calculated for CVE-2025-24836. A base score of 7.2 has been calculated; the CVSS vector string is (AV:A/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:H/SC:N/SI:N/SA:N).

3.2.3 FILES OR DIRECTORIES ACCESSIBLE TO EXTERNAL PARTIES CWE-552
An attacker could obtain firmware files and reverse engineer their intended use, leading to loss of confidentiality and integrity of the hardware devices enabled by the Qardio iOS and Android applications.
CVE-2025-23421 has been assigned to this vulnerability. A CVSS v3.1 base score of 6.4 has been calculated; the CVSS vector string is (AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L).
A CVSS v4 score has also been calculated for CVE-2025-23421. A base score of 6.9 has been calculated; the CVSS vector string is (AV:P/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N).

3.3 BACKGROUND
CRITICAL INFRASTRUCTURE SECTORS: Healthcare and Public Health
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: United States

3.4 RESEARCHER
Bryan Riggins of Insulet Corporation reported these vulnerabilities to CISA.

4. MITIGATIONS
Qardio has not responded to requests to work with CISA to mitigate these vulnerabilities. Users of these affected products are invited to contact Qardio customer support for additional information.
Users should do the following to help mitigate the risk:
Disable Bluetooth when not in use.
Do not use this device in public or within Bluetooth range of malicious actors.
Only use trusted mobile apps from trusted providers.
CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets. Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.
Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time. These vulnerabilities are not exploitable remotely.

5. UPDATE HISTORY
February 13, 2025: Initial Publication
Analysis Summary
# Vulnerability: Qardio Product Suite Multiple Vulnerabilities Leading to PII Exposure, DoS, and Firmware Access
## CVE Details
- CVE ID: CVE-2025-20615, CVE-2025-24836, CVE-2025-23421
- CVSS Score: Up to 7.2 (CVSS v4, CVE-2025-24836); per-CVE scores below
- CVE-2025-20615: CVSS 3.1: 6.2 (Medium); CVSS 4.0: 6.9
- CVE-2025-24836: CVSS 3.1: 7.1 (High); CVSS 4.0: 7.2
- CVE-2025-23421: CVSS 3.1: 6.4 (Medium); CVSS 4.0: 6.9
- CWE: CWE-359 Exposure of Private Personal Information to an Unauthorized Actor (CVE-2025-20615); CWE-248 Uncaught Exception (CVE-2025-24836); CWE-552 Files or Directories Accessible to External Parties (CVE-2025-23421)
## Affected Systems
- Products: Qardio Heart Health iOS Mobile Application, Qardio Heart Health Android Mobile Application, QardioARM A100
- Versions:
- iOS App: Version 2.7.4
- Android App: Version 2.5.1
- QardioARM A100: All versions
- Configurations: CVE-2025-24836 needs only an unencrypted Bluetooth connection within radio range of the device; CVE-2025-20615 and CVE-2025-23421 are rated as requiring physical access (AV:P). Deployed worldwide, primarily in the Healthcare and Public Health sector.
## Vulnerability Description
This advisory covers three distinct vulnerabilities affecting Qardio products:
1. **CVE-2025-20615 (PII Exposure & Backdoor Access):** The Qardio Arm iOS application stores sensitive data, including usernames and passwords, in a readable plist file. The CVSS vectors rate this as physical access with low privileges (AV:P/PR:L): an attacker with the handset or its app data in hand can read credentials for production-level development accounts. Those credentials grant access to an engineering backdoor within the application, which lets the attacker send hex-based commands via a UI-based terminal.
2. **CVE-2025-24836 (Denial of Service via Bluetooth):** An attacker equipped with a specially crafted Python script can send continuous `startMeasurement` commands over an unencrypted Bluetooth connection to the QardioARM A100 device. This floods the device with requests, preventing legitimate connection attempts (e.g., with a clinician's app) and causing a Denial of Service (DoS).
3. **CVE-2025-23421 (Firmware Exposure):** An attacker can obtain firmware files for the hardware devices (enabled by the mobile applications), potentially allowing for reverse engineering that leads to confidentiality and integrity compromises of the hardware.
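The first item is a CWE-359 pattern that is easy to check for on any handset or app bundle you can examine: load the plist, walk it, and flag keys that look like credentials or engineering switches. The scanner below is an added example written for this summary; it is not code from the advisory, the researcher, or Qardio, and the sample plist it scans is constructed (the key names, the `example.invalid` addresses and the `DebugTerminalEnabled` switch are illustrative assumptions, not Qardio's actual file layout).

```python
import plistlib
import re
from typing import Any, Dict, List

# Key-name heuristics. SECRET_KEY marks a stored secret, IDENTITY_KEY the
# matching account name, DEBUG_KEY an engineering/debug switch that should
# never ship enabled in a release build.
SECRET_KEY = re.compile(r"pass(word|wd|phrase)?|pwd|secret|token|api[_-]?key|credential", re.I)
IDENTITY_KEY = re.compile(r"user(name)?|login|e-?mail|account", re.I)
DEBUG_KEY = re.compile(r"debug|engineering|backdoor|terminal|internal", re.I)


def _walk(node: Any, path: str, findings: List[Dict[str, str]]) -> None:
    """Depth-first walk over the decoded plist; records suspicious leaves."""
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}" if path else str(key)
            if isinstance(value, str) and value.strip():
                if SECRET_KEY.search(key):
                    findings.append({"path": child, "kind": "secret", "value": value})
                elif IDENTITY_KEY.search(key):
                    findings.append({"path": child, "kind": "identity", "value": value})
            elif isinstance(value, bool) and value and DEBUG_KEY.search(key):
                findings.append({"path": child, "kind": "debug-flag", "value": "true"})
            else:
                _walk(value, child, findings)
    elif isinstance(node, list):
        for i, item in enumerate(node):
            _walk(item, f"{path}[{i}]", findings)


def scan_plist(data: bytes) -> List[Dict[str, str]]:
    """Parse an XML or binary plist and return suspected credential leaks."""
    findings: List[Dict[str, str]] = []
    _walk(plistlib.loads(data), "", findings)
    return findings


def scan_plist_file(path: str) -> List[Dict[str, str]]:
    """Convenience wrapper for a plist pulled from a device or an .ipa."""
    with open(path, "rb") as fh:
        return scan_plist(fh.read())


# Constructed sample, not a real Qardio file: a release-build plist that
# carries a development account and an engineering-terminal switch.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>CFBundleIdentifier</key><string>com.example.healthapp</string>
  <key>ApiBaseUrl</key><string>https://api.example.invalid</string>
  <key>EngineeringAccounts</key>
  <array>
    <dict>
      <key>username</key><string>dev.tester@example.invalid</string>
      <key>password</key><string>Hunter2!</string>
    </dict>
  </array>
  <key>DebugTerminalEnabled</key><true/>
</dict>
</plist>
"""

if __name__ == "__main__":
    for f in scan_plist(SAMPLE_PLIST):
        shown = "****" if f["kind"] == "secret" else f["value"]
        print(f'{f["kind"]:<10} {f["path"]}: {shown}')
```

Run it against the sample and it reports the nested `username`/`password` pair and the enabled debug switch while leaving the bundle identifier and API URL alone. The heuristics are deliberately key-name based: a plist that a release app can read is, by definition, readable by anyone holding the handset or an unencrypted backup, so the finding is the presence of the secret, not how it is labelled.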
## Exploitation
- Status: No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.
- Complexity: All three are rated low attack complexity (AC:L) in CVSS v4. Under CVSS v3.1, CVE-2025-24836 is rated AC:H; it needs a crafted script and radio proximity, but no privileges or user interaction (PR:N/UI:N).
- Attack Vector:
- CVE-2025-20615: Physical (P) based on CVSS vectors, likely requiring device access to access the plaintext credentials/plist file.
- CVE-2025-24836: Adjacent (A) network access via Bluetooth.
- CVE-2025-23421: Physical (P) based on CVSS vectors, likely requiring device access to obtain firmware files.
## Impact
- Confidentiality: High (PII exposure, firmware details)
- Integrity: High (Ability to send arbitrary commands via backdoor, firmware integrity risk)
- Availability: Low for CVE-2025-20615 and CVE-2025-23421 (A:L); High for CVE-2025-24836 (A:H), whose flood of `startMeasurement` commands blocks the clinician's app from connecting
## Remediation
### Patches
- Qardio has not responded to requests to work with CISA to mitigate these vulnerabilities. No fixed versions are listed in the advisory.
### Workarounds
- Disable Bluetooth functionality when not in use.
- Avoid operating or using the device in public areas or within detectable Bluetooth range of potential malicious actors.
- Ensure only trusted mobile applications from trusted providers are used with the device.
## Detection
- Indicators of Compromise: bursts of Bluetooth write commands (repeated `startMeasurement`) from a single peer address, or the clinician's app repeatedly failing to connect to a device that is in range; Qardio app plist files containing plaintext usernames or passwords on an examined handset.
- Detection methods and tools: capture BLE traffic around clinical devices (a sniffer or gateway export) and alert on abnormal per-peer command rates; on managed mobile endpoints, inspect the Qardio app's data container for property lists holding credentials and flag them under the organization's sensitive-data policy.
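The Bluetooth indicator above comes down to a rate check per peer: a legitimate app issues one `startMeasurement` per reading, whereas the CVE-2025-24836 flood is continuous. The detector below is an added example written for this summary, not code from CISA, the researcher, or Qardio. It assumes a hypothetical text export from a BLE sniffer or gateway in the form `<ISO-8601 UTC> src=<peer MAC> op=<ATT op> cmd=<name>`; that format, the addresses and the sample log are all constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Optional, Tuple

# Assumed export format (not a Qardio or vendor format):
#   <ISO-8601 UTC> src=<peer MAC> op=<ATT op> cmd=<name>
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d\.\d+Z) "
    r"src=(?P<src>(?:[0-9A-F]{2}:){5}[0-9A-F]{2}) op=(?P<op>\w+) cmd=(?P<cmd>\w+)$"
)
TS_FMT = "%Y-%m-%dT%H:%M:%S.%fZ"


def parse_line(line: str) -> Optional[Tuple[datetime, str, str, str]]:
    """Return (timestamp, peer address, ATT op, command), or None for junk."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return datetime.strptime(m["ts"], TS_FMT), m["src"], m["op"], m["cmd"]


def detect_floods(lines: Iterable[str],
                  window: timedelta = timedelta(seconds=1),
                  threshold: int = 20,
                  watched: Tuple[str, ...] = ("startMeasurement",)) -> Dict[str, Dict[str, object]]:
    """Sliding-window rate check per peer address.

    A peer is flagged once it issues at least `threshold` watched commands
    inside any `window`; the alert records the first crossing and the
    highest count seen in a single window.
    """
    recent: Dict[str, deque] = defaultdict(deque)
    alerts: Dict[str, Dict[str, object]] = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, src, _op, cmd = parsed
        if cmd not in watched:
            continue
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] > window:   # drop events that left the window
            q.popleft()
        if len(q) >= threshold:
            a = alerts.setdefault(src, {"first_alert": ts, "peak_in_window": 0})
            a["peak_in_window"] = max(int(a["peak_in_window"]), len(q))
    return alerts


def _constructed_log() -> List[str]:
    """Deterministic sample: one legitimate app, one flooding peer, one junk line."""
    base = datetime(2025, 2, 13, 10, 0, 0)

    def fmt(t: datetime) -> str:
        return t.strftime("%Y-%m-%dT%H:%M:%S.%f")[:-3] + "Z"

    lines = []
    for i in range(3):                    # clinician app: one reading every 30 s
        lines.append(f"{fmt(base + timedelta(seconds=30 * i))} "
                     "src=AA:BB:CC:DD:EE:01 op=WRITE_CMD cmd=startMeasurement")
    for i in range(60):                   # attacker: 60 writes inside 0.6 s
        lines.append(f"{fmt(base + timedelta(seconds=45, milliseconds=10 * i))} "
                     "src=DE:AD:BE:EF:00:01 op=WRITE_CMD cmd=startMeasurement")
    lines.append("not a log line")        # junk the parser must skip
    return sorted(lines)                  # fixed-width timestamps sort chronologically


CONSTRUCTED_LOG = _constructed_log()

if __name__ == "__main__":
    for src, a in detect_floods(CONSTRUCTED_LOG).items():
        print(f"FLOOD {src}: {a['peak_in_window']} startMeasurement writes within 1 s, "
              f"first alert at {a['first_alert'].isoformat()}")
```

On the constructed log only the flooding peer is reported; the clinician app, three writes 30 seconds apart, never gets near the 20-per-second threshold. Tune `window` and `threshold` to the device's real measurement cadence before deploying, since the page gives no figure for it.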
## References
- Vendor advisories: None provided from the vendor in this context.
- Relevant links:
- [https://github.com/cisagov/CSAF](https://github.com/cisagov/CSAF)
- [https://www.cisa.gov/ics](https://www.cisa.gov/topics/industrial-control-systems)
- [https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf](https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf)
- [https://www.cisa.gov/sites/default/files/publications/Cybersecurity_Best_Practices_for_Industrial_Control_Systems.pdf](https://www.cisa.gov/sites/default/files/publications/Cybersecurity_Best_Practices_for_Industrial_Control_Systems.pdf)
- [https://www.cisa.gov/uscert/ics/tips/ICS-TIP-12-146-01B](https://www.cisa.gov/uscert/ics/tips/ICS-TIP-12-146-01B)