{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-23421", "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "state": "PUBLISHED", "assignerShortName": "icscert", "dateReserved": "2025-02-10T15:16:25.237Z", "datePublished": "2025-02-13T21:50:44.082Z", "dateUpdated": "2025-02-14T15:46:37.858Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Heart Health IOS Mobile Application", "vendor": "Qardio", "versions": [{"status": "affected", "version": "2.7.4"}]}, {"defaultStatus": "unaffected", "product": "Heart Health Android Mobile Application", "vendor": "Qardio", "versions": [{"status": "affected", "version": "2.5.1"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Bryan Riggins of Insulet Corporation reported these vulnerabilities to CISA."}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "An attacker could obtain firmware files and reverse engineer their \nintended use leading to loss of confidentiality and integrity of the \nhardware devices enabled by the Qardio iOS and Android applications."}], "value": "An attacker could obtain firmware files and reverse engineer their \nintended use leading to loss of confidentiality and integrity of the \nhardware devices enabled by the Qardio iOS and Android applications."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "PHYSICAL", "availabilityImpact": "LOW", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}, {"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "PHYSICAL", "baseScore": 6.9, "baseSeverity": "MEDIUM", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-552", "description": "CWE-552 Files or Directories Accessible to External Parties", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "shortName": "icscert", "dateUpdated": "2025-02-13T21:50:44.082Z"}, "references": [{"url": "https://www.cisa.gov/news-events/ics-medical-advisories/icsma-25-044-01"}, {"url": "https://www.qardio.com/about-us/#contact"}], "source": {"advisory": "ICSMA-25-044-01", "discovery": "EXTERNAL"}, "title": "Qardio iOS and Android applications Files or Directories Accessible to External Parties", "workarounds": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Qardio has not responded to requests to work with CISA to mitigate these\n vulnerabilities. Users of these affected products are invited to \ncontact <a target=\"_blank\" rel=\"nofollow\" href=\"https://www.qardio.com/about-us/#contact\">Qardio customer support</a> for additional information.\n<p>Users should do the following to help mitigate the risk:</p>\n<ul>\n<li>Disable Bluetooth when not in use.</li>\n<li>Don't use this device in public or within Bluetooth range of malicious actors.</li>\n<li>Only use trusted mobile apps from trusted providers.</li>\n</ul>\n\n<br>"}], "value": "Qardio has not responded to requests to work with CISA to mitigate these\n vulnerabilities. Users of these affected products are invited to \ncontact Qardio customer support https://www.qardio.com/about-us/#contact for additional information.\nUsers should do the following to help mitigate the risk:\n\n\n\n * Disable Bluetooth when not in use.\n\n * Don't use this device in public or within Bluetooth range of malicious actors.\n\n * Only use trusted mobile apps from trusted providers."}], "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-02-14T15:36:23.291738Z", "id": "CVE-2025-23421", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-02-14T15:46:37.858Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-23421", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-02-14T15:36:23.291738Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-02-14T15:36:25.290Z"}}], "cna": {"title": "Qardio iOS and Android applications Files or Directories Accessible to External Parties", "source": {"advisory": "ICSMA-25-044-01", "discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "value": "Bryan Riggins of Insulet Corporation reported these vulnerabilities to CISA."}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.4, "attackVector": "PHYSICAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}, {"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 6.9, "Automatable": "NOT_DEFINED", "attackVector": "PHYSICAL", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Qardio", "product": "Heart Health IOS Mobile Application", "versions": [{"status": "affected", "version": "2.7.4"}], "defaultStatus": "unaffected"}, {"vendor": "Qardio", "product": "Heart Health Android Mobile Application", "versions": [{"status": "affected", "version": "2.5.1"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://www.cisa.gov/news-events/ics-medical-advisories/icsma-25-044-01"}, {"url": "https://www.qardio.com/about-us/#contact"}], "workarounds": [{"lang": "en", "value": "Qardio has not responded to requests to work with CISA to mitigate these\n vulnerabilities. Users of these affected products are invited to \ncontact Qardio customer support https://www.qardio.com/about-us/#contact for additional information.\nUsers should do the following to help mitigate the risk:\n\n\n\n * Disable Bluetooth when not in use.\n\n * Don't use this device in public or within Bluetooth range of malicious actors.\n\n * Only use trusted mobile apps from trusted providers.", "supportingMedia": [{"type": "text/html", "value": "Qardio has not responded to requests to work with CISA to mitigate these\n vulnerabilities. Users of these affected products are invited to \ncontact <a target=\"_blank\" rel=\"nofollow\" href=\"https://www.qardio.com/about-us/#contact\">Qardio customer support</a> for additional information.\n<p>Users should do the following to help mitigate the risk:</p>\n<ul>\n<li>Disable Bluetooth when not in use.</li>\n<li>Don't use this device in public or within Bluetooth range of malicious actors.</li>\n<li>Only use trusted mobile apps from trusted providers.</li>\n</ul>\n\n<br>", "base64": false}]}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "An attacker could obtain firmware files and reverse engineer their \nintended use leading to loss of confidentiality and integrity of the \nhardware devices enabled by the Qardio iOS and Android applications.", "supportingMedia": [{"type": "text/html", "value": "An attacker could obtain firmware files and reverse engineer their \nintended use leading to loss of confidentiality and integrity of the \nhardware devices enabled by the Qardio iOS and Android applications.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-552", "description": "CWE-552 Files or Directories Accessible to External Parties"}]}], "providerMetadata": {"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "shortName": "icscert", "dateUpdated": "2025-02-13T21:50:44.082Z"}}}, "cveMetadata": {"cveId": "CVE-2025-23421", "state": "PUBLISHED", "dateUpdated": "2025-02-14T15:46:37.858Z", "dateReserved": "2025-02-10T15:16:25.237Z", "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "datePublished": "2025-02-13T21:50:44.082Z", "assignerShortName": "icscert"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "An attacker could obtain firmware files and reverse engineer their \nintended use leading to loss of confidentiality and integrity of the \nhardware devices enabled by the Qardio iOS and Android applications."}], "id": "CVE-2025-23421", "lastModified": "2025-02-13T22:15:12.073", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "PHYSICAL", "availabilityImpact": "LOW", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L", "version": "3.1"}, "exploitabilityScore": 0.9, "impactScore": 5.5, "source": "ics-cert@hq.dhs.gov", "type": "Secondary"}], "cvssMetricV40": [{"cvssData": {"attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "PHYSICAL", "automatable": "NOT_DEFINED", "availabilityRequirements": "NOT_DEFINED", "baseScore": 6.9, "baseSeverity": "MEDIUM", "confidentialityRequirements": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirements": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubsequentSystemAvailability": "NOT_DEFINED", "modifiedSubsequentSystemConfidentiality": "NOT_DEFINED", "modifiedSubsequentSystemIntegrity": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnerableSystemAvailability": "NOT_DEFINED", "modifiedVulnerableSystemConfidentiality": "NOT_DEFINED", "modifiedVulnerableSystemIntegrity": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "recovery": "NOT_DEFINED", "safety": "NOT_DEFINED", "subsequentSystemAvailability": "NONE", "subsequentSystemConfidentiality": "NONE", "subsequentSystemIntegrity": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnerabilityResponseEffort": "NOT_DEFINED", "vulnerableSystemAvailability": "LOW", "vulnerableSystemConfidentiality": "HIGH", "vulnerableSystemIntegrity": "HIGH"}, "source": "ics-cert@hq.dhs.gov", "type": "Secondary"}]}, "published": "2025-02-13T22:15:12.073", "references": [{"source": "ics-cert@hq.dhs.gov", "url": "https://www.cisa.gov/news-events/ics-medical-advisories/icsma-25-044-01"}, {"source": "ics-cert@hq.dhs.gov", "url": "https://www.qardio.com/about-us/#contact"}], "sourceIdentifier": "ics-cert@hq.dhs.gov", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-552"}], "source": "ics-cert@hq.dhs.gov", "type": "Primary"}]}

{}