Vulnerabilities Identified in Dario Health’s Blood Glucose Monitoring Android App
Seven vulnerabilities have been identified in Dario Health’s Android app and Internet-based server infrastructure. If exploited, an attacker could access private personal information, manipulate data, inject code, or achieve cross-site scripting, resulting in full session compromise. The vulnerabilities have CVSS v3.1 base scores ranging from 5.1 to 7.5, and CVSS v4 base scores ranging from 5.1 to 8.7. The vulnerabilities can be exploited remotely with low attack complexity.
The vulnerabilities affect the following Dario Health Products:
- USB-C Blood Glucose Monitoring System Starter Kit Android Application – All versions prior to 5.8.7.0.36
- Application Database and Internet-based Server Infrastructure – All versions
The vulnerabilities were identified by Noah Cutler and Manuel Del Rio of Accenture, who reported them to the U.S. Cybersecurity and Infrastructure Security Agency (CISA). The vulnerabilities have now been fixed, and users need to update to the latest version of the mobile application, ensuring the update is obtained from a trusted source. Dario Health has also warned users not to use the app on jailbroken or rooted devices, and to avoid using untrusted networks.
CVE-2025-20060 – Exposure of Private Personal Information
If exploited, an attacker could expose cross-user personally identifiable information (PII) and personal health information, transmitted to the Android device via the Dario Health application database. (CVSS 3.1: 7.5 | CVSS 4: 8.7).
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy
CVE-2025-23405 – Improper Output Neutralization
Unauthenticated log effects metrics gathering incident response efforts, which creates a risk of injection attacks. (CVSS 3.1: 5.3 | CVSS 4: 6.9).
CVE-2025-24843 – Insecure Storage of Sensitive Data
An insecure file retrieval process opens the door to file manipulation, which could affect product stability and the confidentiality, integrity, authenticity, and attestation of stored data. (CVSS 3.1: 5.1 | CVSS 4: 5.1).
CVE-2025-24849 – Cleartext Transmission of Sensitive Data
Data is transmitted in cleartext to cloud infrastructure, risking the exposure and manipulation of sensitive data. (CVSS 3.1: 7.1 | CVSS 4: 7.5).
CVE-2025-20049 – Improper Neutralization of Input during Web Page Generation
The Dario Health portal service application is vulnerable to cross-site scripting, potentially allowing an attacker to access sensitive data. (CVSS 3.1: 5.8 | CVSS 4: 7.1).
CVE-2025-24318 – Observable Cookie Policy
Built-in browser tools can be used to observe the cookie policy, and in the presence of cross-site scripting, could lead to a full session compromise. (CVSS 3.1: 6.8 | CVSS 4: 5.9).
CVE-2025-24316 – Exposure of Sensitive Data
The Internet-based server infrastructure is vulnerable due to the exposure of development environment details, which could result in unsafe functionality. (CVSS 3.1: 5.3 | CVSS 4: 6.9).
