CVE-2025-24836

Feb. 13, 2025, 10:15 p.m.

7.1
High

Description

With a specially crafted Python script, an attacker could send continuous startMeasurement commands over an unencrypted Bluetooth connection to the affected device. This would prevent the device from connecting to a clinician's app to take patient readings and ostensibly flood it with requests, resulting in a denial-of-service condition.

Product(s) Impacted

Product Versions
UNKNOWN

Weaknesses

CWE-248
Uncaught Exception
An exception is thrown from a function, but it is not caught.

References

https://www.cisa.gov/news-events/ics-medical-advisories/icsma-25-044-01
https://www.qardio.com/about-us/#contact

Tags

ics-cert@hq.dhs.gov
CWE-248
2025-02-13
CVE-2025-24836

CVSS Score

7.1 / 10

CVSS Data

  • Attack Vector: ADJACENT_NETWORK
  • Attack Complexity: HIGH
  • Privileges Required: NONE
  • Scope: UNCHANGED
  • Confidentiality Impact: LOW
  • Integrity Impact: HIGH
  • Availability Impact: HIGH
    • View Vector String

    CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:H

Date

  • Published: Feb. 13, 2025, 10:15 p.m.
  • Last Modified: Feb. 13, 2025, 10:15 p.m.

Status : Undergoing Analysis

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

ics-cert@hq.dhs.gov

*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.