Dario Health USB-C Blood Glucose Monitoring System Vulnerabilities Report

1. EXECUTIVE SUMMARY
- CVSS v4 Score: 8.7
- ATTENTION: Vulnerabilities are exploitable remotely with low attack complexity.
- Vendor: Dario Health
- Equipment: USB-C Blood Glucose Monitoring System Starter Kit Android Application, Application Database, and Internet-based Server Infrastructure
- Vulnerabilities Identified:
- Exposure of Private Personal Information to an Unauthorized Actor
- Improper Output Neutralization for Logs
- Storage of Sensitive Data in a Mechanism Without Access Control
- Cleartext Transmission of Sensitive Information
- Cross-site Scripting (XSS)
- Sensitive Cookie Without ‘HttpOnly’ Flag
- Exposure of Sensitive Information Due to Incompatible Policies
2. RISK EVALUATION
The successful exploitation of these vulnerabilities could enable an attacker to expose sensitive information, inject malicious code, manipulate data, or achieve cross-site scripting (XSS), potentially leading to full session compromise.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
The following Dario Health products are affected:
- USB-C Blood Glucose Monitoring System Starter Kit Android Applications: Versions 5.8.7.0.36 and prior
- Dario Application Database and Internet-based Server Infrastructure: All versions
3.2 VULNERABILITY OVERVIEW
3.2.1 Exposure of Private Personal Information to an Unauthorized Actor (CWE-359)
An attacker could expose cross-user Personal Identifiable Information (PII) and personal health information transmitted to the Android device via the Dario Health application database.
CVE-2025-20060 has been assigned to this vulnerability, with a CVSS v3.1 base score of 7.5 and a CVSS v4 score of 8.7.
3.2.2 Improper Output Neutralization for Logs (CWE-117)
Unauthenticated log effects metrics gathering incident response efforts and potentially exposes risk of injection attacks.
CVE-2025-23405 has been assigned to this vulnerability, with a CVSS v3.1 base score of 5.3 and a CVSS v4 score of 6.9.
3.2.3 Storage of Sensitive Data in a Mechanism Without Access Control (CWE-921)
An insecure file retrieval process facilitates potential file manipulation, affecting product stability and confidentiality.
CVE-2025-24843 has been assigned to this vulnerability, with a CVSS v3.1 base score of 5.1 and a CVSS v4 score of 5.1.
3.2.4 Cleartext Transmission of Sensitive Information (CWE-319)
Lack of encryption in transit for cloud infrastructure facilitates potential for sensitive data manipulation or exposure.
CVE-2025-24849 has been assigned to this vulnerability, with a CVSS v3.1 base score of 7.1 and a CVSS v4 score of 7.5.
3.2.5 Cross-site Scripting (XSS) (CWE-79)
The Dario Health portal service application is vulnerable to XSS, which could allow an attacker to obtain sensitive information.
CVE-2025-20049 has been assigned to this vulnerability, with a CVSS v3.1 base score of 5.8 and a CVSS v4 score of 7.1.
3.2.6 Sensitive Cookie Without ‘HttpOnly’ Flag (CWE-1004)
Cookie policy is observable via built-in browser tools, which could lead to full session compromise in the presence of XSS.
CVE-2025-24318 has been assigned to this vulnerability, with a CVSS v3.1 base score of 6.8 and a CVSS v4 score of 5.9.
3.2.7 Exposure of Sensitive Information Due to Incompatible Policies (CWE-213)
The Dario Health Internet-based server infrastructure is vulnerable due to exposure of development environment details, which could lead to unsafe functionality.
CVE-2025-24316 has been assigned to this vulnerability, with a CV




