Security flaws discovered in Dario Health blood glucose app
Kirsten Peremore
Mar 6, 2025 3:55:49 PM
On February 27, 2025, the Cybersecurity and Infrastructure Security Agency (CISA) released ICS Medical Advisory ICSMA-25-058-01. The advisory detailed multiple cybersecurity vulnerabilities affecting the Dario Health USB-C Blood Glucose Monitoring System Starter Kit Android Application.
What happened
CISA reported that the vulnerabilities affect the Dario Health Android app, its application database, and its server infrastructure. The affected versions are Android application versions 5.8.7.0.36 and earlier, as well as all versions of the Dario application database and internet-based servers.
The most serious vulnerability (CVE-2025-20060) could expose users' protected health information (PHI) to unauthorized access, which makes it highly severe. CISA reports severity on a 10-point scale and gave this vulnerability a score of 8.7.
Other identified risks include:
- Log vulnerabilities (CVE-2025-23405) that could impact security monitoring
- Weak access controls (CVE-2025-24843) that may allow unauthorized data manipulation
- Unencrypted data transmission (CVE-2025-24849) that puts sensitive information at risk
- A cross-site scripting (XSS) vulnerability (CVE-2025-20049) in the Dario Health portal that could allow attackers to steal sensitive data
- Session cookie exposure (CVE-2025-24318) that could lead to full account compromise
If exploited, these vulnerabilities could allow attackers to steal data, manipulate information, or take control of user sessions.
According to the CISA press release, “Noah Cutler and Manuel Del Rio of Accenture reported these vulnerabilities to CISA…Dario Health recommends users update their Dario Health Android mobile application to the latest version. No other actions are required by users.”
In the know: What is the CVSS v4 severity score?
Unlike previous versions, Common Vulnerability Scoring System (CVSS) v4.0 provides a more granular evaluation by incorporating additional metrics and refining existing ones. The severity score in CVSS v4.0 is not a single, static value but a combination of different scores that reflect different aspects of a vulnerability's impact and exploitability. It includes a base score, a threat score, and an environmental score.
The Base Score (CVSS-B) assesses the inherent characteristics of a vulnerability, including its exploitability and potential impact. The Threat Score (CVSS-BT) considers external factors like the likelihood of exploitation, while the Environmental Score (CVSS-BE) evaluates the vulnerability's impact within the organization's specific environment.
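As an added illustration of the CVSS v4.0 nomenclature described above (this is example code, not anything from the CISA advisory or from Dario Health), the following Python parses a CVSS v4.0 vector string, validates each metric against the values the specification allows, and reports whether the vector is Base-only (CVSS-B), Base plus Threat (CVSS-BT), Base plus Environmental (CVSS-BE), or all three (CVSS-BTE, which the text above does not name). The sample vector is constructed for demonstration and is not the published vector for any CVE on this page.

```python
# Added example, not part of the CISA advisory or Dario Health's software:
# parse and validate a CVSS v4.0 vector string and report its nomenclature.

# Allowed values per metric, grouped as the CVSS v4.0 specification groups them.
BASE = {  # mandatory in every vector
    "AV": "NALP", "AC": "LH", "AT": "NP", "PR": "NLH", "UI": "NPA",
    "VC": "HLN", "VI": "HLN", "VA": "HLN", "SC": "HLN", "SI": "HLN", "SA": "HLN",
}
THREAT = {"E": "XAPU"}
ENVIRONMENTAL = {
    "CR": "XHML", "IR": "XHML", "AR": "XHML",
    "MAV": "XNALP", "MAC": "XLH", "MAT": "XNP", "MPR": "XNLH", "MUI": "XNPA",
    "MVC": "XHLN", "MVI": "XHLN", "MVA": "XHLN",
    "MSC": "XHLN", "MSI": "XSHLN", "MSA": "XSHLN",
}
# Supplemental metrics never change the score; U has multi-letter values.
SUPPLEMENTAL = {"S": ["X", "N", "P"], "AU": ["X", "N", "Y"], "R": ["X", "A", "U", "I"],
                "V": ["X", "D", "C"], "RE": ["X", "L", "M", "H"],
                "U": ["X", "Clear", "Green", "Amber", "Red"]}
# One lookup table; list() turns "NALP" into ["N", "A", "L", "P"] so that
# membership tests compare whole values, not substrings.
ALL = {n: list(v) for n, v in {**BASE, **THREAT, **ENVIRONMENTAL, **SUPPLEMENTAL}.items()}

def parse_cvss4(vector):
    """Return {"metrics": {...}, "nomenclature": "CVSS-B"/"CVSS-BT"/"CVSS-BE"/"CVSS-BTE"}.
    Raise ValueError for anything a CVSS v4.0 vector must not contain."""
    prefix, _, body = vector.partition("/")
    if prefix != "CVSS:4.0" or not body:
        raise ValueError("not a CVSS v4.0 vector")
    metrics = {}
    for item in body.split("/"):
        name, sep, value = item.partition(":")
        if not sep or name not in ALL:
            raise ValueError(f"unknown or malformed metric {item!r}")
        if value not in ALL[name]:
            raise ValueError(f"value {value!r} not allowed for {name}")
        if name in metrics:
            raise ValueError(f"metric {name} given twice")
        metrics[name] = value
    missing = [m for m in BASE if m not in metrics]
    if missing:
        raise ValueError(f"missing base metrics: {', '.join(missing)}")
    # Assumption of this example: a Threat or Environmental metric given as X
    # ("Not Defined") counts as not assessed, since X leaves the score unchanged.
    threat = any(metrics.get(m, "X") != "X" for m in THREAT)
    env = any(metrics.get(m, "X") != "X" for m in ENVIRONMENTAL)
    return {"metrics": metrics,
            "nomenclature": "CVSS-B" + ("T" if threat else "") + ("E" if env else "")}

# Constructed sample vector; NOT the vector CISA published for CVE-2025-20060.
SAMPLE = "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N"

if __name__ == "__main__":
    print(parse_cvss4(SAMPLE)["nomenclature"])                   # CVSS-B
    print(parse_cvss4(SAMPLE + "/E:P")["nomenclature"])          # CVSS-BT
    print(parse_cvss4(SAMPLE + "/CR:H/MVC:H")["nomenclature"])   # CVSS-BE
```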
Why it matters
The presence of vulnerabilities such as exposure of private personal information, cleartext transmission of sensitive information, and XSS violates healthcare privacy regulations and poses substantial risks to patient privacy and safety. A successful exploit could allow unauthorized access to patient data, manipulation of records, or compromise of user sessions, potentially leading to identity theft, fraud, or the exposure of highly sensitive health conditions.
The interconnected nature of healthcare systems means a breach in Dario Health's products could also serve as a stepping stone for attackers to target other connected devices or networks within the healthcare ecosystem in a way that amplifies damage.
FAQs
What is CISA's role in addressing cybersecurity vulnerabilities in healthcare?
The Cybersecurity and Infrastructure Security Agency (CISA) alerts healthcare organizations to potential cybersecurity threats and provides guidance on mitigating risks.
How do CVE vulnerabilities affect healthcare organizations?
CVE vulnerabilities can impact healthcare organizations by exposing sensitive patient data, disrupting services, and potentially leading to ransomware attacks or data breaches.
What steps should healthcare organizations take to mitigate CVE vulnerabilities?
- Implement asset management
- Use secure configurations
- Apply patches promptly
- Segment networks
- Use firewalls and VPNs