Dario Health USB-C Blood Glucose Monitoring System Starter Kit Android Application
Score: 7.5 · Source: ICS-CERT ICSMA-25-058-01 · Published: Feb 27, 2025
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
The Dario USB-C Blood Glucose Monitoring System Android application (versions 5.8.7.0.36 and earlier) and all versions of the backend server infrastructure contain multiple vulnerabilities: exposure of private personal information to an unauthorized actor (CWE-359), exposure of sensitive information due to incompatible policies (CWE-213), storage of sensitive data in a mechanism without access control (CWE-921), cross-site scripting (CWE-79), a sensitive cookie set without the HttpOnly flag (CWE-1004), cleartext transmission of sensitive data (CWE-319), and improper output neutralization for logs (CWE-117). Successful exploitation could expose user health data, allow session hijacking, enable manipulation of glucose readings or user account data, or inject malicious code into the application. No fix is available for the backend server infrastructure in any version.
What this means
What could happen
An attacker could expose sensitive health data from the Android application, manipulate glucose readings or user account information, or inject malicious code into the app, potentially compromising patient privacy and data integrity.
Who's at risk
This affects patients, healthcare providers, and medical facilities using the Dario USB-C Blood Glucose Monitoring System, including diabetes clinics, endocrinology practices, home care patients, and health systems managing remote patient monitoring programs. The vulnerability impacts both Android mobile application users and the cloud-based backend infrastructure.
How it could be exploited
An attacker with network access could exploit the information disclosure, cross-site scripting, or cookie-handling weaknesses in the Android app and its backend to obtain user sessions, health data, or backend server information. Cleartext transmission (CWE-319) exposes traffic to man-in-the-middle interception on untrusted networks; cross-site scripting (CWE-79) combined with a session cookie that lacks HttpOnly (CWE-1004) allows injected script to read that cookie; the backend weaknesses are reachable by direct server-side requests. Compromised app updates are a further delivery path for injected code.
Prerequisites
- Network reachability to the Android application or backend server
- User running a vulnerable version of the Dario app (5.8.7.0.36 or earlier)
- No authentication required for some vulnerabilities
- Device connected to internet
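As an added example (not code from the advisory, from Dario Health, or from ICS-CERT), the following Python script shows what a tester would look for in traffic captured from a test device for four of the weakness classes listed above. The HTTP exchanges it inspects are constructed samples on a made-up host (api.glucose.example.test), the field names it treats as sensitive are an assumption, and the logging and HTML helpers are generic unsafe/safe pairs rather than the vendor's code. It flags a sensitive value sent over plain http (CWE-319) and a session cookie set without HttpOnly (CWE-1004), and demonstrates why CR/LF in user input must be neutralised before logging (CWE-117) and HTML-escaped before rendering (CWE-79).

```python
"""Offline triage of the weakness classes this advisory names.

Added example, not Dario Health's code. The capture below is constructed on a
fictitious host; nothing here contacts a real backend.
  CWE-319  sensitive field sent over plain http://
  CWE-1004 session cookie set without the HttpOnly attribute
  CWE-117  user text written into a log line without neutralisation
  CWE-79   user text rendered into HTML without escaping
"""
import html
import re
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass
class Exchange:
    url: str
    request_body: str
    response_headers: list  # (name, value) pairs so repeated Set-Cookie headers survive
    response_body: str


# Assumed field names whose presence in a cleartext exchange is a CWE-319 finding.
SENSITIVE_FIELDS = ("glucose", "session", "token", "password")


def check_cleartext(ex: Exchange) -> list:
    """CWE-319: flag plain-http exchanges that carry a sensitive field."""
    if urlsplit(ex.url).scheme != "http":
        return []
    payload = (ex.request_body + ex.response_body).lower()
    hits = [f for f in SENSITIVE_FIELDS if f in payload]
    return [("CWE-319", f"{ex.url} sent in cleartext with {', '.join(hits)}")] if hits else []


def check_cookie_flags(ex: Exchange) -> list:
    """CWE-1004: flag Set-Cookie headers that lack HttpOnly."""
    findings = []
    for name, value in ex.response_headers:
        if name.lower() != "set-cookie":
            continue
        attrs = [a.strip().lower() for a in value.split(";")]
        cookie = attrs[0].split("=", 1)[0]
        if "httponly" not in attrs:
            findings.append(("CWE-1004", f"cookie {cookie} set without HttpOnly"))
    return findings


def triage(exchanges) -> list:
    """Run every check over a capture and return (CWE, detail) tuples."""
    out = []
    for ex in exchanges:
        out += check_cleartext(ex)
        out += check_cookie_flags(ex)
    return out


_CONTROL = re.compile(r"[\x00-\x1f\x7f]")


def log_line_unsafe(user: str, action: str) -> str:
    """CWE-117: a CR/LF inside `user` forges a second, fake log entry."""
    return f"user={user} action={action}"


def log_line_safe(user: str, action: str) -> str:
    """Escape control characters so each call yields exactly one log line."""
    def neutralise(s: str) -> str:
        return _CONTROL.sub(lambda m: "\\x%02x" % ord(m.group()), s)
    return f"user={neutralise(user)} action={neutralise(action)}"


def render_note_unsafe(note: str) -> str:
    """CWE-79: user text interpolated straight into HTML."""
    return f"<p>{note}</p>"


def render_note_safe(note: str) -> str:
    """Escape before interpolation; quote=True also covers attribute contexts."""
    return f"<p>{html.escape(note, quote=True)}</p>"


# Constructed capture on a fictitious host (not Dario's API).
SAMPLE_CAPTURE = [
    Exchange("http://api.glucose.example.test/v1/readings",
             '{"session": "s3ss10n", "glucose": 142}',
             [("Content-Type", "application/json")], '{"ok": true}'),
    Exchange("https://api.glucose.example.test/v1/login",
             '{"user": "alice"}',
             [("Set-Cookie", "sid=1f2e3d; Path=/"), ("Content-Type", "application/json")],
             '{"ok": true}'),
    Exchange("https://api.glucose.example.test/v1/profile",
             "",
             [("Set-Cookie", "sid=1f2e3d; Path=/; Secure; HttpOnly")],
             '{"name": "alice"}'),
]

if __name__ == "__main__":
    for cwe, detail in triage(SAMPLE_CAPTURE):
        print(cwe, detail)
    forged = "alice\nuser=admin action=login"
    print(repr(log_line_unsafe(forged, "view")))
    print(repr(log_line_safe(forged, "view")))
    print(render_note_unsafe("<script>alert(1)</script>"))
    print(render_note_safe("<script>alert(1)</script>"))
```

To use it on a real capture, export each request/response pair from the proxy on the test device into an Exchange and pass the list to triage(); the third sample exchange shows the cookie form that produces no finding.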
Tags: remotely exploitable; no authentication required; low complexity; health data exposure; affects patient privacy; backend server infrastructure vulnerable across all versions; vendor fix limited to application only
Exploitability: low exploit probability (EPSS 0.2%)
Affected products (2), both end of life

Product | Affected versions | Fix status
USB-C Blood Glucose Monitoring System Starter Kit Android Applications | <= 5.8.7.0.36 | No fix (EOL)
Dario Application Database and Internet-based Server Infrastructure | All versions (vers:all/*) | No fix (EOL)
Remediation & Mitigation

Do now
- HOTFIX: Update the Dario Health Android application to the latest version from a trusted source (Google Play Store).
- HARDENING: Do not run the Dario application on rooted or jailbroken Android devices.
- WORKAROUND: Avoid using the Dario application on public or untrusted Wi-Fi networks.

Mitigations - no patch available
The following products have reached End of Life with no planned fix: USB-C Blood Glucose Monitoring System Starter Kit Android Applications (<= 5.8.7.0.36) and Dario Application Database and Internet-based Server Infrastructure (all versions, vers:all/*). Apply the following compensating controls:
- HARDENING: Isolate patient monitoring networks from internet-facing networks using firewalls.
- HARDENING: Implement network segmentation to prevent direct internet access to mobile health devices and backend servers.
CVEs (7)