Cyber Posture

CVE-2025-20060

Severity: High
Published: 28 February 2025
Modified: 15 April 2026
KEV Added:
Patch:
CVSS Score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
EPSS Score: 0.0017 (38.0th percentile)
Risk Priority: 15 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Description

An attacker could expose cross-user personally identifiable information (PII) and personal health information transmitted to the Android device via the Dario Health application database.

Security Summary

CVE-2025-20060 is a vulnerability in the Dario Health application on Android devices that enables an attacker to expose cross-user personally identifiable information (PII) and personal health information transmitted to and stored in the application's database. Published on 28 February 2025, it is classified under CWE-359 (Exposure of Private Personal Information to an Unauthorized Actor) and carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), reflecting high confidentiality impact from network-reachable exploitation with low complexity and no privileges or user interaction required.

Because no privileges are needed, a remote attacker can exploit the vulnerability over the network to read sensitive cross-user PII and personal health data from the Dario Health app database on affected Android devices, compromising the privacy of multiple users; the vector records no impact on integrity or availability.

Mitigation guidance is available in the CISA ICS Medical Advisory ICSMA-25-058-01 at https://www.cisa.gov/news-events/ics-medical-advisories/icsma-25-058-01, with additional support via Dario Health at https://www.dariohealth.com/contact/.

Details

CWE(s): CWE-359

References