ZOLL ePCR IOS Mobile Application

Monitor | CVSS 5.5 | ICS-CERT ICSMA-26-041-01 | Feb 10, 2026
Attack path
Attack Vector: Local
Auth Required: None
Complexity: Low
User Interaction: Required
Summary

A vulnerability in ZOLL ePCR IOS Mobile Application version 2.6.7 allows unauthorized access to protected health information and device telemetry. The flaw arises from insufficient protection of sensitive data stored locally on the device (CWE-538: Information Exposure Through Query Strings in GET Request). An attacker with physical access to a device could extract patient records and operational data without authentication. ZOLL decommissioned the ePCR IOS application in May 2025 and has no plans for a replacement. Users should contact ZOLL Support for migration guidance.

What this means
What could happen
An attacker with physical access to a mobile device running the ePCR application could extract protected health information (patient records, medical data) or device telemetry without authentication. This could expose sensitive patient data and operational information about emergency response activities.
Who's at risk
Emergency Medical Services (EMS) organizations, paramedics, and ambulance services using ZOLL ePCR for patient care documentation. Any organization relying on this application for electronic patient care record capture and management should prioritize migration.
How it could be exploited
An attacker gains physical access to an unlocked or insufficiently protected iOS device running ePCR 2.6.7. The vulnerability allows the attacker to read sensitive files or data stored locally on the device, bypassing the application's access controls to extract protected health information or telemetry data stored in plaintext or with weak protection.
Prerequisites
  • Physical access to an iOS device running ePCR application version 2.6.7
  • Device must be unlocked or have insufficient device-level security controls
  • Application data must be present on the device
  • No patch available—product decommissioned
  • Affects protected health information (PHI)
  • Physical access exploitation—lower barrier than remote but still significant in mobile device loss scenarios
  • No authentication required for local data access
Exploitability
Unlikely to be exploited — EPSS score 0.0%
Affected products (1)
Product | Affected Versions | Fix Status
ePCR IOS Mobile Application: 2.6.7 | 2.6.7 | No fix (EOL)
Remediation & Mitigation
Do now
HOTFIX: Immediately discontinue use of ePCR IOS application version 2.6.7 and migrate to an alternative patient care reporting application supported by ZOLL or another vendor
HARDENING: Contact ZOLL Support to identify approved replacement applications for patient care record management
WORKAROUND: Ensure all iOS devices previously running ePCR have the application uninstalled and all associated cached data securely wiped
Mitigations - no patch available
ePCR IOS Mobile Application: 2.6.7 has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:
HARDENING: Enforce device-level security controls on all mobile devices carrying patient data, including strong passcodes, auto-lock, and encryption requirements