On February 27, 2025, the Cybersecurity and Infrastructure Security Agency (CISA) released ICS Medical Advisory ICSMA-25-058-01. The advisory detailed multiple cybersecurity vulnerabilities affecting the Dario Health USB-C Blood Glucose Monitoring System Starter Kit Android Application.
CISA reported that the vulnerabilities affect the Dario Health Android app, its application database, and its internet-based server infrastructure. The affected versions are Android application versions 5.8.7.0.36 and prior, together with all versions of the Dario application database and internet-based servers.
The most serious of these, CVE-2025-20060, could expose users' protected health information (PHI) to an unauthorized actor. CISA rates severity with the Common Vulnerability Scoring System (CVSS) on a scale of 0 to 10; this vulnerability received a CVSS v4 base score of 8.7, which falls in the High range.
Other identified risks include cleartext transmission of sensitive information and cross-site scripting (XSS). If exploited, these vulnerabilities could allow attackers to steal data, manipulate information, or take control of user sessions.
According to the CISA advisory, “Noah Cutler and Manuel Del Rio of Accenture reported these vulnerabilities to CISA…Dario Health recommends users update their Dario Health Android mobile application to the latest version. No other actions are required by users.”
Unlike previous versions, Common Vulnerability Scoring System (CVSS) v4.0 gives a more granular evaluation by adding metrics and refining existing ones. A v4.0 severity score is not a single, static value: it is named by which metric groups contributed to it. The groups are Base, Threat, and Environmental, plus a Supplemental group that adds context (such as Safety or Automatable) without changing the numeric score.
The Base score (CVSS-B) assesses the inherent characteristics of a vulnerability: its exploitability (attack vector, complexity, required privileges, user interaction) and its impact on the vulnerable and any subsequent systems. CVSS-BT is the Base score adjusted by the Threat metric group, whose single metric, Exploit Maturity, captures whether exploitation is known to occur in the wild. CVSS-BE is the Base score adjusted by the Environmental group, which lets an organization override Base metrics to match its own deployment and state its Confidentiality, Integrity, and Availability requirements. When both groups are supplied, the result is CVSS-BTE. The 8.7 quoted above is therefore a Base score; a hospital that has already segmented the affected devices, or that knows of active exploitation, would calculate a different number for its own environment.
The presence of vulnerabilities such as exposure of private personal information, cleartext transmission of sensitive information, and XSS runs counter to healthcare privacy regulations and poses substantial risks to patient privacy and safety. A successful exploit could allow unauthorized access to patient data, manipulation of records, or compromise of user sessions, potentially leading to identity theft, fraud, or the exposure of highly sensitive health conditions.
Because healthcare systems are interconnected, a breach of Dario Health's products could also serve as a stepping stone for attackers to reach other connected devices or networks within the healthcare ecosystem, amplifying the damage well beyond the original application.
The Cybersecurity and Infrastructure Security Agency (CISA) alerts healthcare organizations to cybersecurity threats, including vulnerabilities in medical devices and their companion software, and provides guidance on mitigating the risks.
Vulnerabilities tracked as CVEs can affect healthcare organizations by exposing sensitive patient data, disrupting clinical services, and opening the way to ransomware attacks or data breaches.