Qardio Heart Health iOS and Android Application and QardioARM A100 Monitor
Score: 7.1 (CVSS)
Source: ICS-CERT ICSMA-25-044-01, Feb 13, 2025
Attack Vector: Adjacent
Auth Required: None
Complexity: High
User Interaction: None needed
Summary
The Qardio Heart Health mobile applications (iOS 2.7.4, Android 2.5.1) and the QardioARM A100 blood pressure monitor contain three classes of weakness: CWE-359 (exposure of private personal information to an unauthorized actor), CWE-248 (uncaught exception) and CWE-552 (files or directories accessible to external parties). An attacker within Bluetooth range could use them to obtain sensitive health information, access firmware files, or cause a denial-of-service condition. No authentication is required. Qardio has not responded to CISA's requests for mitigation and has not released patches for any affected product.
What this means
What could happen
An attacker within Bluetooth range could read health data, retrieve firmware files, or stop the device from functioning. This could disrupt patient monitoring or expose sensitive medical information.
Who's at risk
Healthcare facilities, clinics, and individual patients using the Qardio Heart Health mobile applications (iOS and Android) and QardioARM A100 blood pressure monitors. This covers any organization or individual relying on these devices for cardiac monitoring and vital-sign collection.
How it could be exploited
The attacker must be within Bluetooth range of the monitor or of the phone running the app. From there they can send crafted Bluetooth packets or commands to the QardioARM A100 or the paired mobile application without authenticating, in order to read sensitive data, retrieve firmware files, or trigger the uncaught-exception condition that stops the device.
Prerequisites
- Bluetooth proximity to the device (typically 10-100 meters depending on Bluetooth version and environment; longer with a directional antenna)
- No valid user credentials required
- Bluetooth enabled on the device or phone
Risk factors:
- No authentication required for exploitation
- Attack complexity rated High (see header)
- No vendor patch available
- Affects health and safety monitoring
- Bluetooth proximity required (limits, but does not prevent, risk in medical facilities and other shared spaces)
Exploitability
Low exploit probability (EPSS 0.1%). EPSS estimates the likelihood of exploitation in the wild being observed within 30 days; it says nothing about impact, which here includes patient data and device availability.
Affected products (3), all End of Life

Product                                          | Affected versions | Fix status
-------------------------------------------------|-------------------|-------------
Qardio Heart Health iOS Mobile Application       | 2.7.4             | No fix (EOL)
Qardio Heart Health Android Mobile Application   | 2.5.1             | No fix (EOL)
QardioARM A100                                   | All versions      | No fix (EOL)
Remediation & Mitigation

Do now
- WORKAROUND: Disable Bluetooth on the QardioARM A100 and in the mobile applications when not actively monitoring or transmitting data.
- HARDENING: Do not use the QardioARM A100 in public spaces or areas where unauthorized individuals may be present within Bluetooth range.

Schedule (requires maintenance window)
- Applying a firmware update may require a device reboot; plan for the interruption to monitoring.
- HOTFIX: Monitor for vendor firmware updates and patches for the QardioARM A100 and apply them immediately when available.

Mitigations (no patch available)
The following products have reached End of Life with no planned fix: Qardio Heart Health iOS Mobile Application 2.7.4, Qardio Heart Health Android Mobile Application 2.5.1, QardioARM A100 (all versions). Apply the following compensating controls:
- HARDENING: Only install the Qardio Heart Health mobile applications from the official app stores (Apple App Store, Google Play Store).
- HARDENING: Implement network segmentation to isolate medical devices and associated mobile workstations from general IT networks.
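The two proximity controls above (Bluetooth off when not in use, no use where strangers are in range) are only effective if someone checks that monitors are actually silent. The following is an added example, not code from the advisory or from Qardio: a small parser for raw BLE advertising payloads that flags devices which look like a watched monitor, so a periodic sniff of a ward or clinic can catch a QardioARM still advertising after hours. It assumes the QardioARM A100 advertises a local name beginning with "QardioARM" and, as a weaker heuristic, that a blood pressure monitor may advertise the SIG Blood Pressure service (0x1810); neither is confirmed by the advisory, so verify both against a capture of your own device. The sample payloads are constructed, not captured traffic; in practice they come from a BLE sniffer or the host HCI interface.

```python
"""Flag BLE advertisements that look like a watched device (example: a
QardioARM that should have Bluetooth disabled when not in use).

Added example, not from the advisory or Qardio. Assumptions: the QardioARM
A100 advertises a local name starting with "QardioARM", and a blood pressure
monitor may expose the SIG Blood Pressure service UUID 0x1810. Confirm both
against your own capture. Sample payloads below are constructed.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# AD types from the Bluetooth Core Specification Supplement (GAP data types)
AD_FLAGS = 0x01
AD_UUID16_INCOMPLETE = 0x02
AD_UUID16_COMPLETE = 0x03
AD_SHORT_NAME = 0x08
AD_COMPLETE_NAME = 0x09
BLOOD_PRESSURE_SERVICE = 0x1810  # SIG-assigned Blood Pressure service

WATCH_PREFIXES = ("QardioARM",)  # assumed name prefix (see docstring)


@dataclass
class Advertisement:
    address: str
    flags: Optional[int] = None
    name: Optional[str] = None
    name_complete: bool = False
    uuids16: List[int] = field(default_factory=list)


def parse_ad(address: str, payload: bytes) -> Advertisement:
    """Walk the [length][type][data...] structures of a raw AD payload."""
    adv = Advertisement(address)
    i = 0
    while i < len(payload):
        length = payload[i]
        if length == 0:
            break  # zero length marks padding after the significant part
        end = i + 1 + length
        if end > len(payload):
            raise ValueError(f"truncated AD structure at offset {i}")
        ad_type = payload[i + 1]
        data = payload[i + 2:end]
        if ad_type == AD_FLAGS and data:
            adv.flags = data[0]
        elif ad_type in (AD_SHORT_NAME, AD_COMPLETE_NAME):
            adv.name = data.decode("utf-8", errors="replace")
            adv.name_complete = ad_type == AD_COMPLETE_NAME
        elif ad_type in (AD_UUID16_INCOMPLETE, AD_UUID16_COMPLETE):
            adv.uuids16.extend(int.from_bytes(data[j:j + 2], "little")
                               for j in range(0, len(data) - 1, 2))
        i = end
    return adv


def classify(adv: Advertisement) -> Optional[str]:
    """'match' on a full name-prefix hit; 'possible' when a shortened local
    name was cut off inside the prefix, or only the BP service is seen."""
    if adv.name:
        for prefix in WATCH_PREFIXES:
            if adv.name.startswith(prefix):
                return "match"
            # Shortened names may be truncated inside the prefix ("QardioA").
            if (not adv.name_complete and len(adv.name) >= 4
                    and prefix.startswith(adv.name)):
                return "possible"
    if BLOOD_PRESSURE_SERVICE in adv.uuids16:
        return "possible"
    return None


def find_watched(captures: List[Tuple[str, bytes]]) -> List[Tuple[str, Optional[str], str]]:
    """Return (address, name, verdict) for every capture that looks watched."""
    hits = []
    for addr, payload in captures:
        adv = parse_ad(addr, payload)
        verdict = classify(adv)
        if verdict:
            hits.append((adv.address, adv.name, verdict))
    return hits


# Constructed sample captures (address, raw advertising data), not real traffic.
SAMPLE_CAPTURES = [
    ("AA:BB:CC:00:00:01", bytes([0x02, 0x01, 0x06, 0x0F, 0x09]) + b"QardioARM 1234"),
    ("AA:BB:CC:00:00:02", bytes([0x02, 0x01, 0x06, 0x03, 0x03, 0x0F, 0x18,
                                 0x0B, 0x09]) + b"Kitchen-TV" + bytes(4)),
    ("AA:BB:CC:00:00:03", bytes([0x08, 0x08]) + b"QardioA"),
    ("AA:BB:CC:00:00:04", bytes([0x02, 0x01, 0x06, 0x03, 0x03, 0x10, 0x18])),
]

if __name__ == "__main__":
    for addr, name, verdict in find_watched(SAMPLE_CAPTURES):
        print(f"{addr}  {name!r}  {verdict}")
```

Run it as-is to see the three flagged captures; in a real check, replace SAMPLE_CAPTURES with the (address, payload) pairs from a sniffer run during the hours the monitors should be off, and treat any "match" as a device whose Bluetooth workaround has not been applied. The "possible" verdicts exist because shortened local names are legal and because a proprietary device may never send the standard service UUID, so a name-only check would miss it.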
API:
/api/v1/advisories/a292b66d-5d8c-4be2-85f1-c14ab49c3f50