Denial of Service Vulnerability in Qardio's Medical Device via Unencrypted Bluetooth
CVE-2025-24836
What is CVE-2025-24836?
A vulnerability exists in Qardio's medical device: because its Bluetooth connections are unencrypted, an attacker can run a specially crafted Python script that sends continuous startMeasurement commands to the device. The flood of requests disrupts the device's ability to connect with a clinician's application for patient readings, producing a denial-of-service condition that effectively renders the device inoperable during critical situations.

Affected Version(s)
Heart Health Android Mobile Application 2.5.1
Heart Health iOS Mobile Application 2.7.4
QardioARM All versions
