Cyber Resilience

CVE-2025-24836

Medium

Published: 13 February 2025
Modified: 15 April 2026
CVSS Score (v4.0): 6.1 (CVSS:4.0/AV:A/AC:H/AT:N/PR:N/UI:N/VC:L/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.0016 (36.4th percentile)
Risk Priority: 12 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-24836 is a medium-severity Uncaught Exception (CWE-248) vulnerability in Cisa (inferred from references). Its CVSS base score is 6.1 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Service Exhaustion Flood (T1499.002). The CVE ranks at the 36.4th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-18 (Wireless Access) and SC-40 (Wireless Link Protection).

Deeper analysis

CVE-2025-24836 is a denial-of-service vulnerability affecting a medical device that connects to a clinician's app via Bluetooth for patient readings. An attacker can use a specially crafted Python script to send continuous "startMeasurement" commands over the device's unencrypted Bluetooth connection. This floods the device with requests, preventing it from functioning properly. The vulnerability is rated 7.1 on the CVSS v3.1 scale (AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:H) and is associated with CWE-248.

An attacker within adjacent Bluetooth range can exploit this vulnerability without privileges or user interaction. By continuously sending the crafted commands, they induce a denial-of-service condition that blocks the device from connecting to the clinician's app, disrupting patient readings.

The CISA ICS Medical Advisory ICSMA-25-044-01 provides details on mitigation at https://www.cisa.gov/news-events/ics-medical-advisories/icsma-25-044-01. Vendor contact information from Qardio is available at https://www.qardio.com/about-us/#contact.


Vulnerability details

With a specially crafted Python script, an attacker could send continuous startMeasurement commands over an unencrypted Bluetooth connection to the affected device. This would prevent the device from connecting to a clinician's app to take patient readings and ostensibly flood it with requests, resulting in a denial-of-service condition.

CWE(s): CWE-248 Uncaught Exception

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-generated mapping)

T1499.002 Service Exhaustion Flood (tactic: Impact)
Adversaries may target the different network services provided by systems to conduct a denial of service (DoS).
Why these techniques?

The vulnerability enables flooding a specific service on the device with continuous crafted commands over Bluetooth, directly facilitating T1499.002 Service Exhaustion Flood to induce denial of service.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-34986 (shared CWE-248)
CVE-2025-20172 (shared CWE-248)
CVE-2025-59466 (shared CWE-248)
CVE-2026-9509 (shared CWE-248)
CVE-2026-1507 (shared CWE-248)
CVE-2026-44001 (shared CWE-248)
CVE-2026-44905 (shared CWE-248)
CVE-2026-37554 (shared CWE-248)
CVE-2025-20173 (shared CWE-248)
CVE-2026-43988 (shared CWE-248)

Affected Assets

Cisa (inferred from references and description; NVD did not file a CPE for this CVE)

Mitigating Controls (NIST 800-53 r5, AI-generated mapping)

Prevent: Directly protects the device from denial-of-service attacks that flood it with continuous startMeasurement commands over Bluetooth.

Prevent (SC-40 Wireless Link Protection): Requires protection of confidentiality and integrity for wireless links such as unencrypted Bluetooth, blocking unauthorized command injection.

Prevent (AC-18 Wireless Access): Establishes controls for wireless access, including authorization and encryption, to prevent exploitation via adjacent Bluetooth connections.
