Cyber Resilience

CVE-2025-24849

High

Published: 28 February 2025
Modified: 15 April 2026
KEV Added:
Patch:
CVSS Score v4: 7.5 (CVSS:4.0/AV:A/AC:H/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.0002 (7.3rd percentile)
Risk Priority: 15 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-24849 is a high-severity Cleartext Transmission of Sensitive Information (CWE-319) vulnerability in CISA (inferred from references). Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Network Sniffing (T1040). The CVE ranks at the 7.3rd percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-8 (Transmission Confidentiality and Integrity) and SC-13 (Cryptographic Protection).

Deeper analysis

CVE-2025-24849 is a lack of encryption in transit within cloud infrastructure, which could allow sensitive data to be manipulated or exposed. The issue maps to CWE-319 (Cleartext Transmission of Sensitive Information) and affects components referenced in CISA's ICS medical advisory ICSMA-25-058-01, linked to Dario Health. Published on 2025-02-28, it carries a CVSS v3.1 base score of 7.1 (AV:A/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H).

Exploitation requires an attacker with adjacent network access (AV:A), involving high attack complexity (AC:H), no privileges (PR:N), and user interaction (UI:R). Successful attacks can result in high impacts to confidentiality, integrity, and availability (C:H/I:H/A:H) within the unchanged scope (S:U), enabling potential interception, manipulation, or exposure of sensitive data in transit.

The CISA advisory at https://www.cisa.gov/news-events/ics-medical-advisories/icsma-25-058-01 and Dario Health's contact page at https://www.dariohealth.com/contact/ provide further details on mitigations, likely including recommendations for securing transit encryption in the affected cloud infrastructure.

Vulnerability details

Lack of encryption in transit for cloud infrastructure facilitating potential for sensitive data manipulation or exposure.

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1040 Network Sniffing (Tactic: Credential Access)
Adversaries may passively sniff network traffic to capture information about an environment, including authentication material passed over the network.

T1565.002 Transmitted Data Manipulation (Tactic: Impact)
Adversaries may alter data en route to storage or other systems in order to manipulate external outcomes or hide activity, thus threatening the integrity of the data.

Why these techniques?

Lack of encryption in transit (CWE-319) directly enables network sniffing to expose sensitive data (T1040) and alteration of data en route (T1565.002) for manipulation, given adjacent network access and high integrity/confidentiality impacts.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-23661 (shared CWE-319)
CVE-2025-13718 (shared CWE-319)
CVE-2024-36558 (shared CWE-319)
CVE-2025-70048 (shared CWE-319)
CVE-2024-44276 (shared CWE-319)
CVE-2025-69272 (shared CWE-319)
CVE-2024-42181 (shared CWE-319)
CVE-2026-30795 (shared CWE-319)
CVE-2026-30796 (shared CWE-319)
CVE-2025-67159 (shared CWE-319)

Affected Assets

CISA (inferred from references and description; NVD did not file a CPE for this CVE)

Mitigating Controls (NIST 800-53 r5) (AI)

Prevent: Directly mandates cryptographic mechanisms to protect confidentiality and integrity of sensitive data during transmission, addressing the lack of encryption in transit within cloud infrastructure.

Prevent: Requires cryptographic protection for confidentiality and integrity of information, which applies to unencrypted transit paths vulnerable to exposure and manipulation.

Prevent: Boundary protection enforces encrypted tunnels and controls network access, mitigating adjacent network (AV:A) interception or alteration of cleartext data in cloud infrastructure.
