Ossur Mobile Logic Application
CVSS 4.4 · ICS-CERT ICSMA-24-354-01 · Dec 19, 2024
Attack path
Attack Vector: Local
Auth Required: High
Complexity: Low
User Interaction: None needed
Summary
Logic Mobile Application versions prior to 1.5.5 contain vulnerabilities that expose sensitive information and credentials stored insecurely on the mobile device (CWE-497, CWE-798) and allow command injection through certain input fields (CWE-77). These vulnerabilities are not remotely exploitable and require physical access to an unlocked or compromised mobile device. Successful exploitation could allow an attacker to access patient data, device configuration, or stored credentials.
What this means
What could happen
An attacker with physical access to a device running the vulnerable mobile application could extract sensitive information such as credentials or prosthetic device configuration data, potentially compromising device security or patient privacy.
Who's at risk
Patients, clinicians, and prosthetic device users who use Ossur Logic Mobile Application to configure or monitor lower-limb prosthetics. Mobile device administrators in healthcare facilities or clinics managing prosthetic patient care should ensure all installations are updated.
How it could be exploited
An attacker with physical possession of a mobile device running Logic Mobile Application versions prior to 1.5.5 could access the device's local storage or memory to retrieve exposed credentials (CWE-798) or sensitive information (CWE-497). This requires no network connection and no user interaction beyond device access.
Prerequisites
- Physical access to a mobile device running Logic Mobile Application version <1.5.5
- Device must be unlocked or vulnerable to device-level exploitation
- Local access only (no remote attack)
- High privileges required (device-level access)
- Sensitive data exposure (credentials, device configuration)
- Low exploit complexity
Exploitability
Unlikely to be exploited — EPSS score 0.1%
Affected products (1)
Product | Affected Versions | Fix Status
Logic Mobile Application | <1.5.5 | 1.5.5+
Remediation & Mitigation
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
HOTFIX: Update Logic Mobile Application to version 1.5.5 or later via the app store
Long-term hardening
HARDENING: Educate users to avoid clicking links or opening attachments in unsolicited emails that could lead to installation of compromised versions