Dario Health USB-C Blood Glucose Monitoring System Starter Kit Android Application

CVSS 7.5 | ICS-CERT ICSMA-25-058-01 | Feb 27, 2025

Attack path
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

The Dario Health USB-C Blood Glucose Monitoring System Android application and its backend server infrastructure contain multiple vulnerabilities including insecure data transmission (CWE-319), information exposure (CWE-359), cross-site scripting (CWE-79), and code injection flaws (CWE-117, CWE-921). These vulnerabilities could allow attackers to intercept sensitive patient data, steal authentication credentials, manipulate glucose readings, or compromise user sessions. The flaws affect all versions of the server infrastructure and Android app versions 5.8.7.0.36 and earlier.

What this means
What could happen
An attacker could intercept or manipulate blood glucose readings and patient data transmitted by the mobile app, or steal login credentials and session information, compromising patient privacy and potentially leading to incorrect treatment decisions if data is corrupted in transit or on the server.
Who's at risk
Healthcare organizations and individual patients using the Dario USB-C Blood Glucose Monitoring System with the Android mobile application. This includes clinics, hospitals, diabetes management programs, and home care patients who rely on the app to monitor glucose levels and manage insulin therapy. It is of particular concern for organizations managing Type 1 and Type 2 diabetes patients, where data integrity is critical to treatment decisions.
How it could be exploited
An attacker on the same network (or intercepting traffic over public Wi-Fi) could eavesdrop on unencrypted communications between the Dario Android app and the company's servers, steal authentication tokens or credentials, or inject malicious code into the app through a compromised network path to manipulate glucose readings or patient account data.
Prerequisites
  • Network access to the same network segment as the device running the Dario Android app or ability to intercept internet traffic (e.g., via public Wi-Fi or compromised router)
  • No user authentication or special credentials required to intercept or manipulate traffic
Key points
  • Remotely exploitable over public networks
  • No authentication required to intercept traffic
  • Low complexity attack (network eavesdropping)
  • Affects patient health data and treatment decisions
  • Vendor has stated no fix is planned for the server infrastructure
Exploitability
Unlikely to be exploited — EPSS score 0.2%
Affected products (2), both End of Life
Product | Affected Versions | Fix Status
USB-C Blood Glucose Monitoring System Starter Kit Android Applications | <= 5.8.7.0.36 | No fix (EOL)
Dario Application Database and Internet-based Server Infrastructure | All versions (vers:all/*) | No fix (EOL)
Remediation & Mitigation
Do now
  • HOTFIX: Update the Dario Health Android application to the latest version available from the official Google Play Store
  • HARDENING: Advise users to avoid using rooted or jailbroken Android devices to run the Dario application
  • WORKAROUND: Instruct users to avoid connecting the Dario application to public or untrusted Wi-Fi networks; use cellular data or known secure networks only
  • HARDENING: Ensure users download and install the Dario application only from official trusted sources (Google Play Store)
Mitigations - no patch available
The following products have reached End of Life with no planned fix: USB-C Blood Glucose Monitoring System Starter Kit Android Applications: <=5.8.7.0.36, Dario Application Database and Internet-based Server Infrastructure: vers:all/*. Apply the following compensating controls:
  • HARDENING: If the Dario application is used in a clinical or hospital setting, isolate the network segment carrying Dario traffic from the main patient care network using a firewall or VLAN