Cyber Posture

CVE-2025-24836

Severity: High
Published: 13 February 2025
Modified: 15 April 2026
KEV Added: (no entry)
Patch: (no entry)
CVSS Score: 7.1 (CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:H)
EPSS Score: 0.0005 (15.7th percentile)
Risk Priority: 14 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-24836 is a high-severity Uncaught Exception (CWE-248) vulnerability in Cisa (inferred from references). Its CVSS base score is 7.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Service Exhaustion Flood (T1499.002); ranked at the 15.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-18 (Wireless Access) and SC-40 (Wireless Link Protection).

Threat & Defense at a Glance

What attackers do: exploitation maps to Service Exhaustion Flood (T1499.002). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) (AI-generated)

prevent: Directly protects the device from denial-of-service attacks mounted by flooding it with continuous startMeasurement commands over Bluetooth.

prevent (SC-40, Wireless Link Protection, as named in the summary above): Requires protection of confidentiality and integrity for wireless links such as unencrypted Bluetooth, blocking unauthorized command injection.

prevent (AC-18, Wireless Access, as named in the summary above): Establishes controls for wireless access, including authorization and encryption, to prevent exploitation via adjacent Bluetooth connections.

MITRE ATT&CK Enterprise Techniques (AI-generated)

T1499.002 Service Exhaustion Flood (tactic: Impact)
Adversaries may target the different network services provided by systems to conduct a denial of service (DoS).
Why these techniques?

The vulnerability enables flooding a specific service on the device with continuous crafted commands over Bluetooth, directly facilitating T1499.002 Service Exhaustion Flood to induce denial of service.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

With a specially crafted Python script, an attacker could send continuous startMeasurement commands over an unencrypted Bluetooth connection to the affected device. This would prevent the device from connecting to a clinician's app to take patient readings and ostensibly flood it with requests, resulting in a denial-of-service condition.

Deeper analysis (AI-generated)

CVE-2025-24836 is a denial-of-service vulnerability affecting a medical device that connects to a clinician's app via Bluetooth for patient readings. An attacker can use a specially crafted Python script to send continuous "startMeasurement" commands over the device's unencrypted Bluetooth connection. This floods the device with requests, preventing it from functioning properly. The vulnerability is rated 7.1 on the CVSS v3.1 scale (AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:H) and is associated with CWE-248.

An attacker within adjacent Bluetooth range can exploit this vulnerability without privileges or user interaction. By continuously sending the crafted commands, they induce a denial-of-service condition that blocks the device from connecting to the clinician's app, disrupting patient readings.

The CISA ICS Medical Advisory ICSMA-25-044-01 provides details on mitigation at https://www.cisa.gov/news-events/ics-medical-advisories/icsma-25-044-01. Vendor contact information from Qardio is available at https://www.qardio.com/about-us/#contact.

Details

CWE(s): CWE-248 (Uncaught Exception)

Affected Products: Cisa (inferred from references and description; NVD did not file a CPE for this CVE)

CVEs Like This One

CVE-2026-34752 (shared CWE-248)
CVE-2026-24175 (shared CWE-248)
CVE-2025-20176 (shared CWE-248)
CVE-2026-1507 (shared CWE-248)
CVE-2026-32314 (shared CWE-248)
CVE-2025-59466 (shared CWE-248)
CVE-2026-34986 (shared CWE-248)
CVE-2025-20173 (shared CWE-248)
CVE-2026-32770 (shared CWE-248)
CVE-2026-31870 (shared CWE-248)
