Apollo Pharmacy Blood Glucose Monitoring System APG-01 BT

CVSS 6.5 | ICS-CERT ICSMA-26-169-01 | Jun 18, 2026
Attack path
Attack Vector: Adjacent
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

The Apollo Pharmacy APG-01 BT blood glucose monitoring system contains Bluetooth communication vulnerabilities (CWE-319: Cleartext Transmission, CWE-862: Missing Authorization) that allow an attacker to eavesdrop on health data and prevent legitimate device connections. The vendor has not coordinated with CISA and no patch has been released. Affected firmware version is 0x0110_v1.1.0.

What this means
What could happen
An attacker within Bluetooth range could intercept health data transmitted by the glucose monitor or prevent patients from connecting their devices, disrupting diabetes management monitoring.
Who's at risk
Healthcare organizations, clinics, and individual patients using the Apollo Pharmacy APG-01 BT blood glucose monitor for diabetes management. Any setting where patient glucose data is transmitted wirelessly is at risk of eavesdropping.
How it could be exploited
An attacker within Bluetooth range of the APG-01 BT can capture its traffic, which is sent without encryption (CWE-319), and, because the device does not check whether a connecting peer is authorized (CWE-862), can connect to it or interfere with pairing so that the patient's own phone or clinic reader cannot. No credentials are needed: the device accepts connections while it is discoverable, and its pairing mechanism does not restrict which peer may connect.
Prerequisites
  • Bluetooth proximity to the APG-01 BT device (within ~10–100 meters depending on antenna/power)
  • No specialized credentials required; attack is unauthenticated
  • Standard Bluetooth capture tools: a commodity adapter with Linux drivers can connect to the meter and log its own HCI traffic, while passively capturing a third party's connection needs a dedicated BLE sniffer
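To make the eavesdropping impact concrete, the following is an added example (not code from OTPulse, CISA or Apollo Pharmacy) that decodes one glucose notification the way a sniffer in range would read it from a cleartext link. It assumes the meter uses the Bluetooth SIG Glucose Service (0x1808) and its Glucose Measurement characteristic (0x2A18); the advisory does not say which GATT profile the APG-01 BT implements, so that layout is an assumption, and the sample payload is constructed rather than captured.

```python
"""Decode a Bluetooth SIG Glucose Measurement (characteristic 0x2A18) notification.

Added example, not code from OTPulse, CISA or Apollo Pharmacy. It assumes the
meter exposes readings through the standard Glucose Service (0x1808); the
advisory does not state which GATT profile the APG-01 BT uses.
SAMPLE_NOTIFICATION is constructed for this example, not captured from a device.
"""
import struct
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# Flags octet of the Glucose Measurement characteristic.
FLAG_TIME_OFFSET = 0x01    # int16 time offset (minutes) follows the base time
FLAG_CONCENTRATION = 0x02  # SFLOAT concentration + type/sample-location byte present
FLAG_UNIT_MOL_L = 0x04     # 0 = kg/L, 1 = mol/L
FLAG_SENSOR_STATUS = 0x08  # uint16 sensor status annunciation present
FLAG_CONTEXT_FOLLOWS = 0x10

MG_PER_DL_PER_KG_L = 100_000.0   # 1 kg/L = 100,000 mg/dL
MG_PER_DL_PER_MOL_L = 18_015.6   # glucose molar mass 180.156 g/mol


def sfloat(raw: int) -> float:
    """IEEE 11073 16-bit SFLOAT: 4-bit two's-complement base-10 exponent in the
    high nibble, 12-bit two's-complement mantissa in the low 12 bits."""
    mantissa = raw & 0x0FFF
    exponent = (raw >> 12) & 0x0F
    if mantissa >= 0x0800:
        mantissa -= 0x1000
    if exponent >= 0x8:
        exponent -= 0x10
    return mantissa * 10.0 ** exponent


@dataclass
class GlucoseMeasurement:
    sequence: int
    base_time: Optional[datetime]    # None when the meter reports an unknown date
    time_offset_min: Optional[int]
    concentration: Optional[float]   # expressed in `unit`
    unit: str
    sample_type: Optional[int]       # low nibble of type/location byte (1 = capillary whole blood)
    sample_location: Optional[int]   # high nibble (1 = finger)
    sensor_status: Optional[int]

    def mg_per_dl(self) -> Optional[float]:
        """Reading in the mg/dL a clinician would recognise, or None if absent."""
        if self.concentration is None:
            return None
        factor = MG_PER_DL_PER_MOL_L if self.unit == "mol/L" else MG_PER_DL_PER_KG_L
        return self.concentration * factor


def decode_glucose_measurement(payload: bytes) -> GlucoseMeasurement:
    """Parse one notification payload; raises ValueError on a truncated record."""
    if len(payload) < 10:
        raise ValueError("payload shorter than the mandatory 10-byte header")
    flags = payload[0]
    seq, year, month, day, hour, minute, second = struct.unpack_from("<HHBBBBB", payload, 1)
    base_time = datetime(year, month, day, hour, minute, second) if year and month and day else None
    pos = 10
    time_offset = concentration = sample_type = sample_location = sensor_status = None
    try:
        if flags & FLAG_TIME_OFFSET:
            (time_offset,) = struct.unpack_from("<h", payload, pos)
            pos += 2
        if flags & FLAG_CONCENTRATION:
            raw, type_loc = struct.unpack_from("<HB", payload, pos)
            pos += 3
            concentration = sfloat(raw)
            sample_type, sample_location = type_loc & 0x0F, type_loc >> 4
        if flags & FLAG_SENSOR_STATUS:
            (sensor_status,) = struct.unpack_from("<H", payload, pos)
            pos += 2
    except struct.error as exc:
        raise ValueError("payload truncated inside an optional field") from exc
    unit = "mol/L" if flags & FLAG_UNIT_MOL_L else "kg/L"
    return GlucoseMeasurement(seq, base_time, time_offset, concentration, unit,
                              sample_type, sample_location, sensor_status)


# Constructed 15-byte notification: flags 0x03 (time offset + concentration, kg/L),
# sequence 42, base time 2026-06-18 08:30:00, offset 0 min, SFLOAT 0xB06E
# (110 x 10^-5 kg/L = 110 mg/dL), type 1 / location 1 (capillary blood, finger).
SAMPLE_NOTIFICATION = bytes.fromhex("032a00ea070612081e0000006eb011")

if __name__ == "__main__":
    m = decode_glucose_measurement(SAMPLE_NOTIFICATION)
    print(f"seq={m.sequence} at {m.base_time}: {m.mg_per_dl():.0f} mg/dL "
          f"(type={m.sample_type}, location={m.sample_location})")
```

Nothing here is secret or device-specific: the characteristic layout is published by the Bluetooth SIG, so once the link is cleartext the sequence number, timestamp and reading are readable straight from the air.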
Tags: exploitable from Bluetooth range (adjacent network), no authentication required, low complexity, affects patient health monitoring, vendor non-responsive to coordination
Exploitability
Unlikely to be exploited — EPSS score 0.2%
Affected products (1)
Product: Blood Glucose Monitoring System (Model No. APG-01 BT)
Affected Versions: 0x0110_v1.1.0
Fix Status: No fix yet
Remediation & Mitigation
Do now
WORKAROUND: Disable Bluetooth discovery mode on the APG-01 BT when not actively pairing to reduce the attack surface. This only limits who can find and connect to the meter; readings sent during a legitimate session are still transmitted in cleartext (CWE-319) and can be captured by a sniffer already in range.
WORKAROUND: Restrict the meter to pairing only with known and trusted patient or clinician devices, and clear old pairings regularly.
Schedule — requires maintenance window

If Apollo Pharmacy releases fixed firmware, applying it will likely require a device reboot; plan for the interruption to glucose monitoring.

HOTFIX: Contact Apollo Pharmacy directly to ask whether a security patch or firmware update for the APG-01 BT is available; the vendor has not coordinated with CISA, so do not assume one exists.
HARDENING: Review the meter's Bluetooth connections (from the paired app's device list or a BLE capture) for connection attempts from unknown addresses; take any meter showing such activity out of clinical workflows immediately.
Long-term hardening
HARDENING: Follow CISA guidance on Bluetooth technology security practices for healthcare IoT deployments
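The pairing-allowlist workaround and the connection-review item above both come down to the same check, so the following is an added example (not OTPulse's, CISA's or Apollo Pharmacy's code) that runs it over a log of BLE session events: each connection is compared with the devices the patient or clinic deliberately paired, repeated connections from an unknown address are reported as churn that can keep the legitimate reader off the meter, and any health-data notification sent before link encryption was enabled is reported as cleartext (the CWE-319 condition). The event vocabulary, the allowlist addresses and the EVENTS log are constructed for this example; a real sniffer or HCI export would need a parser in front of it.

```python
"""Audit a glucometer's BLE session events for unknown peers and cleartext data.

Added example, not OTPulse's, CISA's or Apollo Pharmacy's code. The event
names mirror HCI/ATT events, but the allowlist and EVENTS log are constructed
for this example rather than captured from an APG-01 BT.
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed allowlist (hypothetical addresses): devices intentionally paired
# with the meter. Anything else that connects is unauthorized by definition.
KNOWN_PEERS = {
    "AA:BB:CC:DD:EE:01": "patient phone",
    "AA:BB:CC:DD:EE:02": "clinic tablet",
}

# Constructed event log as (time_s, event, peer_address, detail):
#   connect    - LE Connection Complete with this peer
#   encrypt    - Encryption Change reporting encryption enabled on the link
#   notify     - ATT Handle Value Notification carrying health data to the peer
#   disconnect - LE Disconnection Complete for the peer
EVENTS = [
    (0.0, "connect",    "AA:BB:CC:DD:EE:01", ""),
    (0.2, "encrypt",    "AA:BB:CC:DD:EE:01", ""),
    (1.0, "notify",     "AA:BB:CC:DD:EE:01", "glucose measurement"),
    (5.0, "disconnect", "AA:BB:CC:DD:EE:01", "remote user terminated"),
    (6.0, "connect",    "11:22:33:44:55:66", ""),
    (6.5, "notify",     "11:22:33:44:55:66", "glucose measurement"),
    (7.0, "disconnect", "11:22:33:44:55:66", "connection timeout"),
    (7.1, "connect",    "11:22:33:44:55:66", ""),
    (8.1, "disconnect", "11:22:33:44:55:66", "connection timeout"),
    (8.2, "connect",    "11:22:33:44:55:66", ""),
    (9.2, "disconnect", "11:22:33:44:55:66", "connection timeout"),
    (9.3, "connect",    "11:22:33:44:55:66", ""),
]


@dataclass
class Finding:
    time_s: float
    peer: str
    kind: str      # "unknown_peer", "cleartext_notify" or "connection_churn"
    detail: str


def audit_events(events, known_peers=KNOWN_PEERS, churn_threshold=3, churn_window_s=10.0):
    """Return findings in log order. Link state is tracked per peer address,
    which is adequate for a peripheral that serves one central at a time."""
    findings = []
    encrypted = set()             # peers whose current link has encryption enabled
    connects = defaultdict(list)  # peer -> timestamps of its connection attempts
    churn_reported = set()
    for t, event, peer, detail in events:
        if event == "connect":
            encrypted.discard(peer)   # a fresh link always starts unencrypted
            connects[peer].append(t)
            if peer in known_peers:
                continue
            findings.append(Finding(t, peer, "unknown_peer",
                                    "connection from an address not in the pairing allowlist"))
            recent = [x for x in connects[peer] if t - x <= churn_window_s]
            if len(recent) >= churn_threshold and peer not in churn_reported:
                churn_reported.add(peer)
                findings.append(Finding(t, peer, "connection_churn",
                                        f"{len(recent)} connections within {churn_window_s:g}s; "
                                        "a legitimate reader may be unable to connect"))
        elif event == "encrypt":
            encrypted.add(peer)
        elif event == "notify" and peer not in encrypted:
            # Applies to known peers too: the cleartext link is the problem, not the address.
            findings.append(Finding(t, peer, "cleartext_notify",
                                    f"{detail} sent over an unencrypted link"))
        elif event == "disconnect":
            encrypted.discard(peer)
    return findings


if __name__ == "__main__":
    for f in audit_events(EVENTS):
        print(f"t={f.time_s:5.1f}s {f.kind:16} {f.peer}  {f.detail}")
```

On the constructed log the unknown address produces an unauthorized-peer finding for every connection, a churn finding once it has connected three times inside the window, and a cleartext finding for the reading it received; the paired phone, which enabled encryption before data flowed, produces nothing. A meter that cannot enable link encryption at all would trigger the cleartext check on every session, which is exactly the condition the advisory describes.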