Vulnerabilities Found in Blood Glucose Monitoring Android App of Dario Health

Seven vulnerabilities have been identified in Dario Health's Android app and web-based server infrastructure. An attacker exploiting them could access private personal data, manipulate information, inject code, or perform cross-site scripting leading to a full session breach. The CVSS v3.1 base scores of the identified vulnerabilities range from 5.1 to 7.5, while the CVSS v4 base scores range from 5.1 to 8.7. The vulnerabilities are remotely exploitable with low attack complexity.

The following Dario Health products are affected by the vulnerabilities:

All versions of Application Database and Web-based Server Infrastructure
All versions of USB-C Blood Glucose Monitoring System Starter Kit Android Application prior to 5.8.7.0.36

Manuel Del Rio and Noah Cutler of Accenture identified the vulnerabilities and reported them to the U.S. Cybersecurity and Infrastructure Security Agency (CISA). The vulnerabilities have been resolved, but users must install the latest version of the mobile app, making sure the update is obtained from a trusted source. Dario Health has also warned users not to use the application on rooted or jailbroken devices and not to use untrusted sites.

The vulnerabilities identified, which HIPAA-covered entities need to be aware of, are listed below:

CVE-2025-20060 is an exposure of private personal information. When exploited, an attacker could leak another user's personal health information (PHI) and personally identifiable information (PII) sent to the Android device through the Dario Health app database. (CVSS v3.1 base score of 7.5 | CVSS v4 base score of 8.7)

CVE-2025-23405 is an improper output neutralization issue. Unauthenticated log entries affect the metrics collected for incident response, creating a risk of injection attacks. (CVSS v3.1 base score of 5.3 | CVSS v4 base score of 6.9)

CVE-2025-24843 is an insecure storage of sensitive information issue. An insecure file retrieval process lets an attacker manipulate files, which can affect product security and the integrity, confidentiality, attestation, and authenticity of the stored information. (CVSS v3.1 base score of 5.1 | CVSS v4 base score of 5.1)

CVE-2025-24849 is a cleartext transmission of sensitive information issue. Data is transmitted in cleartext to the cloud infrastructure, risking leakage and manipulation of sensitive information. (CVSS v3.1 base score of 7.1 | CVSS v4 base score of 7.5)

CVE-2025-20049 is an improper neutralization of input during web page generation issue. The Dario Health web service is vulnerable to cross-site scripting, which could allow an attacker to view sensitive information. (CVSS v3.1 base score of 5.8 | CVSS v4 base score of 7.1)

CVE-2025-24318 allows the cookie policy to be observed. Built-in browser tools could be used to read the cookie policy, and, combined with cross-site scripting, a full session breach is possible. (CVSS v3.1 base score of 6.8 | CVSS v4 base score of 5.9)

CVE-2025-24316 is an exposure of sensitive information issue. The web-based server infrastructure is weakened by the disclosure of development environment information, which can lead to unsafe operation. (CVSS v3.1 base score of 5.3 | CVSS v4 base score of 6.9)

About Thomas Brown
Thomas Brown worked as a reporter for several years on ComplianceHome. Thomas is a seasoned journalist with several years' experience in the healthcare sector and has contributed to healthcare and information technology news publishers. Thomas has a particular interest in the application of healthcare information technology to better serve the interests of patients, including areas such as data protection and innovations such as telehealth. Follow Thomas on X: https://x.com/Thomas7Brown