CVE-2025-24849
Published: 28 February 2025
Summary
CVE-2025-24849 is a high-severity Cleartext Transmission of Sensitive Information (CWE-319) vulnerability in CISA (inferred from references). Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Network Sniffing (T1040). The CVE ranks at the 7.3 percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-8 (Transmission Confidentiality and Integrity) and SC-13 (Cryptographic Protection).
Deeper analysis
CVE-2025-24849 is a lack of encryption in transit within cloud infrastructure, which could allow sensitive data to be manipulated or exposed. This issue aligns with CWE-319 (Cleartext Transmission of Sensitive Information) and affects components referenced in CISA's ICS medical advisory ICSMA-25-058-01, linked to Dario Health. Published on 2025-02-28, it carries a CVSS v3.1 base score of 7.1 (AV:A/AC:H/PR:N/UI:R/S:U/C:H/I:H).
Exploitation requires an attacker with adjacent network access (AV:A), involving high attack complexity (AC:H), no privileges (PR:N), and user interaction (UI:R). Successful attacks can result in high impacts to confidentiality, integrity, and availability (C:H/I:H/A:H) within the unchanged scope (S:U), enabling potential interception, manipulation, or exposure of sensitive data in transit.
The CISA advisory at https://www.cisa.gov/news-events/ics-medical-advisories/icsma-25-058-01 and Dario Health's contact page at https://www.dariohealth.com/contact/ provide further details on mitigations, likely including recommendations for securing transit encryption in the affected cloud infrastructure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-5938
Vulnerability details
Lack of encryption in transit for cloud infrastructure facilitating potential for sensitive data manipulation or exposure.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Lack of encryption in transit (CWE-319) directly enables network sniffing to expose sensitive data (T1040) and alteration of data en route (T1565.002) for manipulation, given adjacent network access and high integrity/confidentiality impacts.
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
Directly mandates cryptographic mechanisms to protect confidentiality and integrity of sensitive data during transmission, addressing the lack of encryption in transit within cloud infrastructure.
Requires cryptographic protection for confidentiality and integrity of information, which applies to unencrypted transit paths vulnerable to exposure and manipulation.
Boundary protection enforces encrypted tunnels and controls network access, mitigating adjacent network (AV:A) interception or alteration of cleartext data in cloud infrastructure.