Denial of Service Vulnerability in Qardio's Medical Device via Unencrypted Bluetooth
CVE-2025-24836
6.1 MEDIUM
What is CVE-2025-24836?
A vulnerability exists in Qardio's medical device: its Bluetooth connections are unencrypted, so an attacker running a specially crafted Python script can send continuous startMeasurement commands to the device. This flood of requests prevents the device from connecting to a clinician's application for patient readings, producing a denial-of-service condition that effectively renders the device inoperable during critical situations.
Affected Version(s)
Heart Health Android Mobile Application 2.5.1
Heart Health iOS Mobile Application 2.7.4
QardioARM All versions
References
CVSS V4
Score: 6.1
Severity: MEDIUM
Confidentiality: Low
Integrity: High
Availability: High
Attack Vector: Adjacent Network
Attack Complexity: High
Attack Requirements: None
Privileges Required: Undefined
User Interaction: None
Timeline
Vulnerability published
Vulnerability reserved
Credit
Bryan Riggins of Insulet Corporation reported these vulnerabilities to CISA.