CVE-2025-23421

An attacker could obtain firmware files and reverse engineer their intended use leading to loss of confidentiality and integrity of the hardware devices enabled by the Qardio iOS and Android applications.

CVSS v3 6.4 MEDIUM

6.4^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 0.9 / Impact : 5.5

Attack Vector PHYSICAL

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact LOW

Scope UNCHANGED

References

Link	Resource
https://www.cisa.gov/news-events/ics-medical-advisories/icsma-25-044-01
https://www.qardio.com/about-us/#contact

Configurations

No configuration.

History

15 Apr 2026, 00:35

Type	Values Removed	Values Added
Summary		(es) Un atacante podría obtener archivos de firmware y realizar ingeniería inversa para su uso previsto, lo que provocaría la pérdida de confidencialidad e integridad de los dispositivos de hardware habilitados por las aplicaciones Qardio para iOS y Android.

13 Feb 2025, 22:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-02-13 22:15

Updated : 2026-04-15 00:35

NVD link : CVE-2025-23421

Mitre link : CVE-2025-23421

CVE.ORG link : CVE-2025-23421

JSON object : View

Products Affected

No product.

CWE

CWE-552

Files or Directories Accessible to External Parties

{"id": "CVE-2025-23421", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "ics-cert@hq.dhs.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.4, "attackVector": "PHYSICAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.5, "exploitabilityScore": 0.9}], "cvssMetricV40": [{"type": "Secondary", "source": "ics-cert@hq.dhs.gov", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 6.9, "Automatable": "NOT_DEFINED", "attackVector": "PHYSICAL", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "LOW", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2025-02-13T22:15:12.073", "references": [{"url": "https://www.cisa.gov/news-events/ics-medical-advisories/icsma-25-044-01", "source": "ics-cert@hq.dhs.gov"}, {"url": "https://www.qardio.com/about-us/#contact", "source": "ics-cert@hq.dhs.gov"}], "vulnStatus": "Deferred", "weaknesses": [{"type": "Secondary", "source": "ics-cert@hq.dhs.gov", "description": [{"lang": "en", "value": "CWE-552"}]}], "descriptions": [{"lang": "en", "value": "An attacker could obtain firmware files and reverse engineer their \nintended use leading to loss of confidentiality and integrity of the \nhardware devices enabled by the Qardio iOS and Android applications."}, {"lang": "es", "value": "Un atacante podr\u00eda obtener archivos de firmware y realizar ingenier\u00eda inversa para su uso previsto, lo que provocar\u00eda la p\u00e9rdida de confidencialidad e integridad de los dispositivos de hardware habilitados por las aplicaciones Qardio para iOS y Android."}], "lastModified": "2026-04-15T00:35:42.020", "sourceIdentifier": "ics-cert@hq.dhs.gov"}