Multiple vulnerabilities in Dario Health USB-C Blood Glucose Monitoring System Starter Kit Android Application
| Risk | High |
| Patch available | YES |
| Number of vulnerabilities | 7 |
| CVE-ID | CVE-2025-20060 CVE-2025-23405 CVE-2025-24843 CVE-2025-24849 CVE-2025-20049 CVE-2025-24318 CVE-2025-24316 |
| CWE-ID | CWE-200 CWE-117 CWE-921 CWE-319 CWE-79 CWE-1004 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software |
USB-C Blood Glucose Monitoring System Starter Kit Android Applications Mobile applications / Apps for mobile phones Dario Application Database and Internet-based Server Infrastructure Other software / Other software solutions |
| Vendor | DarioHealth Corp |
Security Bulletin
This security bulletin contains information about 7 vulnerabilities.
1) Information disclosure
EUVDB-ID: #VU105339
Risk: High
CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2025-20060
CWE-ID:
CWE-200 - Information exposure
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to excessive data output by the application. A remote attacker can expose cross-user Personal Identifiable Information (PII) and personal health information transmitted to the Android device via the Dario Health application database.
MitigationInstall updates from vendor's website.
Vulnerable software versionsUSB-C Blood Glucose Monitoring System Starter Kit Android Applications: 5.8.7.0.36
Dario Application Database and Internet-based Server Infrastructure: All versions
CPE2.3- cpe:2.3:a:dariohealth_corp:usb-c_blood_glucose_monitoring_system_starter_kit_android_applications:*:*:*:*:*:*:*:*
- cpe:2.3:a:dariohealth_corp:usb-c_blood_glucose_monitoring_system_starter_kit_android_applications:5.8.7.0.36:*:*:*:*:*:*:*
- cpe:2.3:a:dariohealth_corp:dario_application_database_and_internet-based_server_infrastructure:*:*:*:*:*:*:*:*
http://www.cisa.gov/news-events/ics-medical-advisories/icsma-25-058-01
http://www.dariohealth.com/contact/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to perform certain actions on the device.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Improper Output Neutralization for Logs
EUVDB-ID: #VU105341
Risk: Medium
CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2025-23405
CWE-ID:
CWE-117 - Improper Output Neutralization for Logs
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to compromise the target system.
The vulnerability exists due to insufficient neutralization of special characters when writing to logs. A remote attacker can inject malicious content into log files on the system.
MitigationInstall updates from vendor's website.
Vulnerable software versionsUSB-C Blood Glucose Monitoring System Starter Kit Android Applications: 5.8.7.0.36
Dario Application Database and Internet-based Server Infrastructure: All versions
CPE2.3- cpe:2.3:a:dariohealth_corp:usb-c_blood_glucose_monitoring_system_starter_kit_android_applications:*:*:*:*:*:*:*:*
- cpe:2.3:a:dariohealth_corp:usb-c_blood_glucose_monitoring_system_starter_kit_android_applications:5.8.7.0.36:*:*:*:*:*:*:*
- cpe:2.3:a:dariohealth_corp:dario_application_database_and_internet-based_server_infrastructure:*:*:*:*:*:*:*:*
http://www.cisa.gov/news-events/ics-medical-advisories/icsma-25-058-01
http://www.dariohealth.com/contact/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to perform certain actions on the device.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
3) Storage of Sensitive Data in a Mechanism without Access Control
EUVDB-ID: #VU105342
Risk: Low
CVSSv4.0: 1.2 [CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2025-24843
CWE-ID:
CWE-921 - Storage of Sensitive Data in a Mechanism without Access Control
Exploit availability: No
DescriptionThe vulnerability allows a local attacker to gain unauthorized access to otherwise restricted functionality.
The vulnerability exists due to insecure file retrieval process that facilitates potential for file manipulation. A local attacker can affect product stability and confidentiality, integrity, authenticity, and attestation of stored data.
MitigationInstall updates from vendor's website.
Vulnerable software versionsUSB-C Blood Glucose Monitoring System Starter Kit Android Applications: 5.8.7.0.36
Dario Application Database and Internet-based Server Infrastructure: All versions
CPE2.3- cpe:2.3:a:dariohealth_corp:usb-c_blood_glucose_monitoring_system_starter_kit_android_applications:*:*:*:*:*:*:*:*
- cpe:2.3:a:dariohealth_corp:usb-c_blood_glucose_monitoring_system_starter_kit_android_applications:5.8.7.0.36:*:*:*:*:*:*:*
- cpe:2.3:a:dariohealth_corp:dario_application_database_and_internet-based_server_infrastructure:*:*:*:*:*:*:*:*
http://www.cisa.gov/news-events/ics-medical-advisories/icsma-25-058-01
http://www.dariohealth.com/contact/
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to perform certain actions on the device.
The attacker would have to login to the system and perform certain actions in order to exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
4) Cleartext transmission of sensitive information
EUVDB-ID: #VU105344
Risk: Medium
CVSSv4.0: 4.8 [CVSS:4.0/AV:A/AC:H/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2025-24849
CWE-ID:
CWE-319 - Cleartext Transmission of Sensitive Information
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to gain access to sensitive information.
The vulnerability exists due to software uses insecure communication channel to transmit sensitive information. A remote attacker with ability to intercept network traffic can gain access or manipulate sensitive data.
MitigationInstall updates from vendor's website.
Vulnerable software versionsUSB-C Blood Glucose Monitoring System Starter Kit Android Applications: 5.8.7.0.36
Dario Application Database and Internet-based Server Infrastructure: All versions
CPE2.3- cpe:2.3:a:dariohealth_corp:usb-c_blood_glucose_monitoring_system_starter_kit_android_applications:*:*:*:*:*:*:*:*
- cpe:2.3:a:dariohealth_corp:usb-c_blood_glucose_monitoring_system_starter_kit_android_applications:5.8.7.0.36:*:*:*:*:*:*:*
- cpe:2.3:a:dariohealth_corp:dario_application_database_and_internet-based_server_infrastructure:*:*:*:*:*:*:*:*
http://www.cisa.gov/news-events/ics-medical-advisories/icsma-25-058-01
http://www.dariohealth.com/contact/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the local network (LAN).
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to perform certain actions on the device.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
5) Cross-site scripting
EUVDB-ID: #VU105345
Risk: Low
CVSSv4.0: 1.3 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear]
CVE-ID: CVE-2025-20049
CWE-ID:
CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Exploit availability: No
DescriptionThe disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data. A remote user can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
MitigationInstall updates from vendor's website.
Vulnerable software versionsUSB-C Blood Glucose Monitoring System Starter Kit Android Applications: 5.8.7.0.36
Dario Application Database and Internet-based Server Infrastructure: All versions
CPE2.3- cpe:2.3:a:dariohealth_corp:usb-c_blood_glucose_monitoring_system_starter_kit_android_applications:*:*:*:*:*:*:*:*
- cpe:2.3:a:dariohealth_corp:usb-c_blood_glucose_monitoring_system_starter_kit_android_applications:5.8.7.0.36:*:*:*:*:*:*:*
- cpe:2.3:a:dariohealth_corp:dario_application_database_and_internet-based_server_infrastructure:*:*:*:*:*:*:*:*
http://www.cisa.gov/news-events/ics-medical-advisories/icsma-25-058-01
http://www.dariohealth.com/contact/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to perform certain actions on the device.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
6) Sensitive Cookie Without 'HttpOnly' Flag
EUVDB-ID: #VU105346
Risk: Medium
CVSSv4.0: 2.1 [CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2025-24318
CWE-ID:
CWE-1004 - Sensitive Cookie Without 'HttpOnly' Flag
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to cookie policy is observable via built-in browser tools. A remote attacker can gain unauthorized access to user session data.
MitigationInstall updates from vendor's website.
Vulnerable software versionsUSB-C Blood Glucose Monitoring System Starter Kit Android Applications: 5.8.7.0.36
Dario Application Database and Internet-based Server Infrastructure: All versions
CPE2.3- cpe:2.3:a:dariohealth_corp:usb-c_blood_glucose_monitoring_system_starter_kit_android_applications:*:*:*:*:*:*:*:*
- cpe:2.3:a:dariohealth_corp:usb-c_blood_glucose_monitoring_system_starter_kit_android_applications:5.8.7.0.36:*:*:*:*:*:*:*
- cpe:2.3:a:dariohealth_corp:dario_application_database_and_internet-based_server_infrastructure:*:*:*:*:*:*:*:*
http://www.cisa.gov/news-events/ics-medical-advisories/icsma-25-058-01
http://www.dariohealth.com/contact/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to perform certain actions on the device.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
7) Information disclosure
EUVDB-ID: #VU105347
Risk: Medium
CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2025-24316
CWE-ID:
CWE-200 - Information exposure
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to exposure of development environment details in the Dario Health Internet-based server infrastructure. A remote attacker can gain unauthorized access to sensitive information on the system, leading to unsafe functionality.
MitigationInstall updates from vendor's website.
Vulnerable software versionsUSB-C Blood Glucose Monitoring System Starter Kit Android Applications: 5.8.7.0.36
Dario Application Database and Internet-based Server Infrastructure: All versions
CPE2.3- cpe:2.3:a:dariohealth_corp:usb-c_blood_glucose_monitoring_system_starter_kit_android_applications:*:*:*:*:*:*:*:*
- cpe:2.3:a:dariohealth_corp:usb-c_blood_glucose_monitoring_system_starter_kit_android_applications:5.8.7.0.36:*:*:*:*:*:*:*
- cpe:2.3:a:dariohealth_corp:dario_application_database_and_internet-based_server_infrastructure:*:*:*:*:*:*:*:*
http://www.cisa.gov/news-events/ics-medical-advisories/icsma-25-058-01
http://www.dariohealth.com/contact/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to perform certain actions on the device.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
