CVE-2025-23421 (GCVE-0-2025-23421)

Vulnerability from cvelistv5 – Published: 2025-02-13 21:50 – Updated: 2025-02-14 15:46
VLAI?
Title
Qardio iOS and Android applications Files or Directories Accessible to External Parties
Summary
An attacker could obtain firmware files and reverse engineer their intended use leading to loss of confidentiality and integrity of the hardware devices enabled by the Qardio iOS and Android applications.
Severity ?
6.4 (Medium)
CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L
6.9 (Medium)
CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N
CWE
  • CWE-552 - Files or Directories Accessible to External Parties
Assigner
References
Impacted products
Vendor Product Version
Qardio Heart Health IOS Mobile Application Affected: 2.7.4
Create a notification for this product.
Credits
Bryan Riggins of Insulet Corporation reported these vulnerabilities to CISA.
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-23421",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-02-14T15:36:23.291738Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-02-14T15:46:37.858Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Heart Health IOS Mobile Application",
          "vendor": "Qardio",
          "versions": [
            {
              "status": "affected",
              "version": "2.7.4"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Heart Health Android Mobile Application",
          "vendor": "Qardio",
          "versions": [
            {
              "status": "affected",
              "version": "2.5.1"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Bryan Riggins of Insulet Corporation reported these vulnerabilities to CISA."
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "An attacker could obtain firmware files and reverse engineer their \nintended use leading to loss of confidentiality and integrity of the \nhardware devices enabled by the Qardio iOS and Android applications."
            }
          ],
          "value": "An attacker could obtain firmware files and reverse engineer their \nintended use leading to loss of confidentiality and integrity of the \nhardware devices enabled by the Qardio iOS and Android applications."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "PHYSICAL",
            "availabilityImpact": "LOW",
            "baseScore": 6.4,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        },
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "PHYSICAL",
            "baseScore": 6.9,
            "baseSeverity": "MEDIUM",
            "privilegesRequired": "NONE",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "LOW",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "HIGH",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-552",
              "description": "CWE-552 Files or Directories Accessible to External Parties",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-02-13T21:50:44.082Z",
        "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
        "shortName": "icscert"
      },
      "references": [
        {
          "url": "https://www.cisa.gov/news-events/ics-medical-advisories/icsma-25-044-01"
        },
        {
          "url": "https://www.qardio.com/about-us/#contact"
        }
      ],
      "source": {
        "advisory": "ICSMA-25-044-01",
        "discovery": "EXTERNAL"
      },
      "title": "Qardio iOS and Android applications Files or Directories Accessible to External Parties",
      "workarounds": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Qardio has not responded to requests to work with CISA to mitigate these\n vulnerabilities. Users of these affected products are invited to \ncontact \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.qardio.com/about-us/#contact\"\u003eQardio customer support\u003c/a\u003e for additional information.\n\u003cp\u003eUsers should do the following to help mitigate the risk:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003eDisable Bluetooth when not in use.\u003c/li\u003e\n\u003cli\u003eDon\u0027t use this device in public or within Bluetooth range of malicious actors.\u003c/li\u003e\n\u003cli\u003eOnly use trusted mobile apps from trusted providers.\u003c/li\u003e\n\u003c/ul\u003e\n\n\u003cbr\u003e"
            }
          ],
          "value": "Qardio has not responded to requests to work with CISA to mitigate these\n vulnerabilities. Users of these affected products are invited to \ncontact  Qardio customer support https://www.qardio.com/about-us/#contact  for additional information.\nUsers should do the following to help mitigate the risk:\n\n\n\n  *  Disable Bluetooth when not in use.\n\n  *  Don\u0027t use this device in public or within Bluetooth range of malicious actors.\n\n  *  Only use trusted mobile apps from trusted providers."
        }
      ],
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
    "assignerShortName": "icscert",
    "cveId": "CVE-2025-23421",
    "datePublished": "2025-02-13T21:50:44.082Z",
    "dateReserved": "2025-02-10T15:16:25.237Z",
    "dateUpdated": "2025-02-14T15:46:37.858Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-23421\",\"sourceIdentifier\":\"ics-cert@hq.dhs.gov\",\"published\":\"2025-02-13T22:15:12.073\",\"lastModified\":\"2025-02-13T22:15:12.073\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"An attacker could obtain firmware files and reverse engineer their \\nintended use leading to loss of confidentiality and integrity of the \\nhardware devices enabled by the Qardio iOS and Android applications.\"},{\"lang\":\"es\",\"value\":\"Un atacante podr\u00eda obtener archivos de firmware y realizar ingenier\u00eda inversa para su uso previsto, lo que provocar\u00eda la p\u00e9rdida de confidencialidad e integridad de los dispositivos de hardware habilitados por las aplicaciones Qardio para iOS y Android.\"}],\"metrics\":{\"cvssMetricV40\":[{\"source\":\"ics-cert@hq.dhs.gov\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"4.0\",\"vectorString\":\"CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X\",\"baseScore\":6.9,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"PHYSICAL\",\"attackComplexity\":\"LOW\",\"attackRequirements\":\"NONE\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"vulnConfidentialityImpact\":\"HIGH\",\"vulnIntegrityImpact\":\"HIGH\",\"vulnAvailabilityImpact\":\"LOW\",\"subConfidentialityImpact\":\"NONE\",\"subIntegrityImpact\":\"NONE\",\"subAvailabilityImpact\":\"NONE\",\"exploitMaturity\":\"NOT_DEFINED\",\"confidentialityRequirement\":\"NOT_DEFINED\",\"integrityRequirement\":\"NOT_DEFINED\",\"availabilityRequirement\":\"NOT_DEFINED\",\"modifiedAttackVector\":\"NOT_DEFINED\",\"modifiedAttackComplexity\":\"NOT_DEFINED\",\"modifiedAttackRequirements\":\"NOT_DEFINED\",\"modifiedPrivilegesRequired\":\"NOT_DEFINED\",\"modifiedUserInteraction\":\"NOT_DEFINED\",\"modifiedVulnConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedVulnIntegrityImpact\":\"NOT_DEFINED\",\"modifiedVulnAvailabilityImpact\":\"NOT_DEFINED\",\"modifiedSubConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedSubIntegrityImpact\":\"NOT_DEFINED\",\"modifiedSubAvailabilityImpact\":\"NOT_DEFINED\",\"Safety\":\"NOT_DEFINED\",\"Automatable\":\"NOT_DEFINED\",\"Recovery\":\"NOT_DEFINED\",\"valueDensity\":\"NOT_DEFINED\",\"vulnerabilityResponseEffort\":\"NOT_DEFINED\",\"providerUrgency\":\"NOT_DEFINED\"}}],\"cvssMetricV31\":[{\"source\":\"ics-cert@hq.dhs.gov\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L\",\"baseScore\":6.4,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"PHYSICAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"LOW\"},\"exploitabilityScore\":0.9,\"impactScore\":5.5}]},\"weaknesses\":[{\"source\":\"ics-cert@hq.dhs.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-552\"}]}],\"references\":[{\"url\":\"https://www.cisa.gov/news-events/ics-medical-advisories/icsma-25-044-01\",\"source\":\"ics-cert@hq.dhs.gov\"},{\"url\":\"https://www.qardio.com/about-us/#contact\",\"source\":\"ics-cert@hq.dhs.gov\"}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-23421\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-02-14T15:36:23.291738Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-02-14T15:36:25.290Z\"}}], \"cna\": {\"title\": \"Qardio iOS and Android applications Files or Directories Accessible to External Parties\", \"source\": {\"advisory\": \"ICSMA-25-044-01\", \"discovery\": \"EXTERNAL\"}, \"credits\": [{\"lang\": \"en\", \"type\": \"finder\", \"value\": \"Bryan Riggins of Insulet Corporation reported these vulnerabilities to CISA.\"}], \"metrics\": [{\"format\": \"CVSS\", \"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 6.4, \"attackVector\": \"PHYSICAL\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"LOW\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"HIGH\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}, {\"format\": \"CVSS\", \"cvssV4_0\": {\"Safety\": \"NOT_DEFINED\", \"version\": \"4.0\", \"Recovery\": \"NOT_DEFINED\", \"baseScore\": 6.9, \"Automatable\": \"NOT_DEFINED\", \"attackVector\": \"PHYSICAL\", \"baseSeverity\": \"MEDIUM\", \"valueDensity\": \"NOT_DEFINED\", \"vectorString\": \"CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N\", \"providerUrgency\": \"NOT_DEFINED\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"attackRequirements\": \"NONE\", \"privilegesRequired\": \"NONE\", \"subIntegrityImpact\": \"NONE\", \"vulnIntegrityImpact\": \"HIGH\", \"subAvailabilityImpact\": \"NONE\", \"vulnAvailabilityImpact\": \"LOW\", \"subConfidentialityImpact\": \"NONE\", \"vulnConfidentialityImpact\": \"HIGH\", \"vulnerabilityResponseEffort\": \"NOT_DEFINED\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"vendor\": \"Qardio\", \"product\": \"Heart Health IOS Mobile Application\", \"versions\": [{\"status\": \"affected\", \"version\": \"2.7.4\"}], \"defaultStatus\": \"unaffected\"}, {\"vendor\": \"Qardio\", \"product\": \"Heart Health Android Mobile Application\", \"versions\": [{\"status\": \"affected\", \"version\": \"2.5.1\"}], \"defaultStatus\": \"unaffected\"}], \"references\": [{\"url\": \"https://www.cisa.gov/news-events/ics-medical-advisories/icsma-25-044-01\"}, {\"url\": \"https://www.qardio.com/about-us/#contact\"}], \"workarounds\": [{\"lang\": \"en\", \"value\": \"Qardio has not responded to requests to work with CISA to mitigate these\\n vulnerabilities. Users of these affected products are invited to \\ncontact  Qardio customer support https://www.qardio.com/about-us/#contact  for additional information.\\nUsers should do the following to help mitigate the risk:\\n\\n\\n\\n  *  Disable Bluetooth when not in use.\\n\\n  *  Don\u0027t use this device in public or within Bluetooth range of malicious actors.\\n\\n  *  Only use trusted mobile apps from trusted providers.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"Qardio has not responded to requests to work with CISA to mitigate these\\n vulnerabilities. Users of these affected products are invited to \\ncontact \u003ca target=\\\"_blank\\\" rel=\\\"nofollow\\\" href=\\\"https://www.qardio.com/about-us/#contact\\\"\u003eQardio customer support\u003c/a\u003e for additional information.\\n\u003cp\u003eUsers should do the following to help mitigate the risk:\u003c/p\u003e\\n\u003cul\u003e\\n\u003cli\u003eDisable Bluetooth when not in use.\u003c/li\u003e\\n\u003cli\u003eDon\u0027t use this device in public or within Bluetooth range of malicious actors.\u003c/li\u003e\\n\u003cli\u003eOnly use trusted mobile apps from trusted providers.\u003c/li\u003e\\n\u003c/ul\u003e\\n\\n\u003cbr\u003e\", \"base64\": false}]}], \"x_generator\": {\"engine\": \"Vulnogram 0.2.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"An attacker could obtain firmware files and reverse engineer their \\nintended use leading to loss of confidentiality and integrity of the \\nhardware devices enabled by the Qardio iOS and Android applications.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"An attacker could obtain firmware files and reverse engineer their \\nintended use leading to loss of confidentiality and integrity of the \\nhardware devices enabled by the Qardio iOS and Android applications.\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-552\", \"description\": \"CWE-552 Files or Directories Accessible to External Parties\"}]}], \"providerMetadata\": {\"orgId\": \"7d14cffa-0d7d-4270-9dc0-52cabd5a23a6\", \"shortName\": \"icscert\", \"dateUpdated\": \"2025-02-13T21:50:44.082Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2025-23421\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-02-14T15:46:37.858Z\", \"dateReserved\": \"2025-02-10T15:16:25.237Z\", \"assignerOrgId\": \"7d14cffa-0d7d-4270-9dc0-52cabd5a23a6\", \"datePublished\": \"2025-02-13T21:50:44.082Z\", \"assignerShortName\": \"icscert\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.