Cyber Posture

CVE-2025-24836

Severity: High

Published: 13 February 2025
Modified: 15 April 2026
KEV Added: (not listed)
Patch:
CVSS Score: 7.1 (CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:H)
EPSS Score: 0.0005 (15.6th percentile)
Risk Priority: 14 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Description

Adversaries may target the different network services provided by systems to conduct a denial of service (DoS).

Security Summary

CVE-2025-24836 is a denial-of-service vulnerability affecting a medical device that connects to a clinician's app via Bluetooth for patient readings. An attacker can use a specially crafted Python script to send continuous "startMeasurement" commands over the device's unencrypted Bluetooth connection. This floods the device with requests, preventing it from functioning properly. The vulnerability is rated 7.1 on the CVSS v3.1 scale (AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:H) and is associated with CWE-248.

An attacker within adjacent Bluetooth range can exploit this vulnerability without privileges or user interaction. By continuously sending the crafted commands, they induce a denial-of-service condition that blocks the device from connecting to the clinician's app, disrupting patient readings.

The CISA ICS Medical Advisory ICSMA-25-044-01 provides details on mitigation at https://www.cisa.gov/news-events/ics-medical-advisories/icsma-25-044-01. Vendor contact information from Qardio is available at https://www.qardio.com/about-us/#contact.

Details

CWE(s): CWE-248

MITRE ATT&CK Enterprise Techniques

T1499.002 Service Exhaustion Flood (tactic: Impact)
Adversaries may target the different network services provided by systems to conduct a denial of service (DoS).
Why these techniques?

The vulnerability enables flooding a specific service on the device with continuous crafted commands over Bluetooth, directly facilitating T1499.002 Service Exhaustion Flood to induce denial of service.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References