CVE-2025-20615 MEDIUM

CVE-2025-20615: Qardio Heart Health IOS Mobile Application Exposure of Private Personal Information to an Unauthorized Actor

Vendor Qardio
Product Heart Health IOS Mobile Application
Weakness CWE-359
Published February 13, 2025
Last update February 14, 2025

CVSS base score

6.2/10
Attack vector Physical
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:P/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L

What the vulnerability does

01Description

The Qardio Arm iOS application exposes sensitive data such as usernames and passwords in a plist file. This allows an attacker to log in to production-level development accounts and access an engineering backdoor in the application. The engineering backdoor allows the attacker to send hex-based commands over a UI-based terminal.

Key dates

02Disclosure timeline

February 13, 2025 CVE published
February 14, 2025 Record updated