Sensitive Data Exposure in Qardio Arm iOS Application
CVE-2025-20615

6.6MEDIUM

Key Information:

Vendor: Qardio
Status: Heart Health iOS Mobile Application
Vendor: CVE Published:; 13 February 2025

What is CVE-2025-20615?

The Qardio Arm iOS application has a security flaw that exposes sensitive user data, including usernames and passwords, in a plist file. This vulnerability enables attackers to gain unauthorized access to production-level development accounts, potentially compromising user data and application integrity. By exploiting an engineering backdoor within the application, an attacker can issue hex-based commands through a terminal interface, thereby escalating their control over the application and its environment.

Affected Version(s)

Heart Health IOS Mobile Application 2.7.4

References

https://www.cisa.gov/news-events/ics-medical-advisories/i...

https://www.qardio.com/about-us/#contact

CVSS V3.1

Score:

6.6

Severity:

MEDIUM

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Physical

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Feb 13, 2025
Vulnerability Reserved
Feb 10, 2025

Credit

Bryan Riggins of Insulet Corporation reported these vulnerabilities to CISA.