February 2025
Gene Hackman’s Daughter Reveals What She Believes Led to Father’s Unexpected Death
Are Giannis Antetokounmpo’s MVP days behind him?
The Bucks’ two-time MVP finds himself in the unenviable position of chasing not only monstrously productive peers, but his own ghost.
Are the glory days for Giannis a thing of the past?
The Bucks’ two-time MVP Giannis Antetokounmpo finds himself in the unenviable position of chasing not only monstrously productive peers, but his own ghost.
NFL combine live updates: 40-yard dash begins for DL and LB prospects
The 2025 NFL Draft season kicks off as the teams meet the top college prospects at the combine in Indianapolis.
Dario Health USB-C Blood Glucose Monitoring System Starter Kit Android Application
1. EXECUTIVE SUMMARY
- CVSS v4 8.7
- ATTENTION: Exploitable remotely/low attack complexity
- Vendor: Dario Health
- Equipment: USB-C Blood Glucose Monitoring System Starter Kit Android Application, Application Database and Internet-based Server Infrastructure
- Vulnerabilities: Exposure of Private Personal Information to an Unauthorized Actor, Improper Output Neutralization For Logs, Storage of Sensitive Data In a Mechanism Without Access Control, Cleartext Transmission of Sensitive Information, Cross-site Scripting (XSS), Sensitive Cookie Without ‘HttpOnly’ Flag, Exposure of Sensitive Information Due To Incompatible Policies
2. RISK EVALUATION
Successful exploitation of these vulnerabilities could allow an attacker to expose information, inject code, manipulate data, or achieve cross-site scripting (XSS), resulting in full session compromise.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
The following Dario Health products are affected:
- USB-C Blood Glucose Monitoring System Starter Kit Android Applications: Versions 5.8.7.0.36 and prior
- Dario Application Database and Internet-based Server Infrastructure: All versions
3.2 VULNERABILITY OVERVIEW
3.2.1 EXPOSURE OF PRIVATE PERSONAL INFORMATION TO AN UNAUTHORIZED ACTOR CWE-359
An attacker could expose cross-user Personal Identifiable Information (PII) and personal health information transmitted to the Android device via the Dario Health application database.
CVE-2025-20060 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).
A CVSS v4 score has also been calculated for CVE-2025-20060. A base score of 8.7 has been calculated; the CVSS vector string is (CVSS4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N).
3.2.2 IMPROPER OUTPUT NEUTRALIZATION FOR LOGS CWE-117
Unauthenticated log effects metrics gathering incident response efforts and potentially exposes risk of injection attacks (ex log injection).
CVE-2025-23405 has been assigned to this vulnerability. A CVSS v3.1 base score of 5.3 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N).
A CVSS v4 score has also been calculated for CVE-2025-23405. A base score of 6.9 has been calculated; the CVSS vector string is (CVSS4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N).
3.2.3 STORAGE OF SENSITIVE DATA IN A MECHANISM WITHOUT ACCESS CONTROL CWE-921
Insecure file retrieval process that facilitates potential for file manipulation to affect product stability and confidentiality, integrity, authenticity, and attestation of stored data.
CVE-2025-24843 has been assigned to this vulnerability. A CVSS v3.1 base score of 5.1 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L).
A CVSS v4 score has also been calculated for CVE-2025-24843. A base score of 5.1 has been calculated; the CVSS vector string is (CVSS4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N).
3.2.4 CLEARTEXT TRANSMISSION OF SENSITIVE INFORMATION CWE-319
Lack of encryption in transit for cloud infrastructure facilitating potential for sensitive data manipulation or exposure.
CVE-2025-24849 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.1 has been calculated; the CVSS vector string is (AV:A/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H).
A CVSS v4 score has also been calculated for CVE-2025-24849. A base score of 7.5 has been calculated; the CVSS vector string is (CVSS4.0/AV:A/AC:H/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).
3.2.5 IMPROPER NEUTRALIZATION OF INPUT DURING WEB PAGE GENERATION (‘CROSS-SITE SCRIPTING’) CWE-79
The Dario Health portal service application is vulnerable to XSS, which could allow an attacker to obtain sensitive information.
CVE-2025-20049 has been assigned to this vulnerability. A CVSS v3.1 base score of 5.8 has been calculated; the CVSS vector string is (AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:N/A:N).
A CVSS v4 score has also been calculated for CVE-2025-20049. A base score of 7.1 has been calculated; the CVSS vector string is (CVSS4.0/AV:N/AC:H/AT:P/PR:L/UI:A/VC:H/VI:N/VA:N/SC:H/SI:H/SA:H).
3.2.6 SENSITIVE COOKIE WITHOUT ‘HTTPONLY’ FLAG CWE-1004
Cookie policy is observable via built-in browser tools. In the presence of XSS, this could lead to full session compromise.
CVE-2025-24318 has been assigned to this vulnerability. A CVSS v3.1 base score of 6.8 has been calculated; the CVSS vector string is (AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N).
A CVSS v4 score has also been calculated for CVE-2025-24318. A base score of 5.9 has been calculated; the CVSS vector string is (CVSS4.0/AV:N/AC:H/AT:P/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N).
3.2.7 EXPOSURE OF SENSITIVE INFORMATION DUE TO INCOMPATIBLE POLICIES CWE-213
The Dario Health Internet-based server infrastructure is vulnerable due to exposure of development environment details, which could lead to unsafe functionality.
CVE-2025-24316 has been assigned to this vulnerability. A CVSS v3.1 base score of 5.3 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N).
A CVSS v4 score has also been calculated for CVE-2025-24316. A base score of 6.9 has been calculated; the CVSS vector string is (CVSS4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N).
3.3 BACKGROUND
- CRITICAL INFRASTRUCTURE SECTORS: Healthcare and Public Health
- COUNTRIES/AREAS DEPLOYED: Worldwide
- COMPANY HEADQUARTERS LOCATION: United States
3.4 RESEARCHER
Noah Cutler and Manuel Del Rio of Accenture reported these vulnerabilities to CISA.
4. MITIGATIONS
Dario Health recommends users update their Dario Health Android mobile application to the latest version. No other actions are required by users.
Dario Health recommends users perform the following mitigations:
- Update the application from trusted sources.
- Don’t use rooted/jailbroken devices.
-
Avoid public untrusted networks
For more information contact Dario Health directly.
CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:
- Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the Internet.
- Locate control system networks and remote devices behind firewalls and isolating them from business networks.
- When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.
CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.
Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.
Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
CISA also recommends users take the following measures to protect themselves from social engineering attacks:
- Do not click web links or open attachments in unsolicited email messages.
- Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
- Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.
No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.
5. UPDATE HISTORY
- February 27, 2025: Initial Publication
Schneider Electric Communication Modules for Modicon M580 and Quantum Controllers
1. EXECUTIVE SUMMARY
- CVSS v3 9.8
- ATTENTION: Exploitable remotely/low attack complexity
- Vendor: Schneider Electric
- Equipment: Communication modules for Modicon M580 and Quantum controllers
- Vulnerability: Out-of-bounds Write
2. RISK EVALUATION
Successful exploitation of this vulnerability could allow a stack overflow attack, which could result in loss of confidentiality, integrity, and denial of service of the device.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
Schneider Electric reports that the following communication modules for Modicon M580 and Quantum controllers are affected by a vulnerability in VxWorks operating system:
- Modicon M580 communication modules BMENOC BMENOC0321: Versions prior to SV1.10
- Modicon M580 communication modules BMECRA BMECRA31210: All versions
- Modicon M580/Quantum communication modules BMXCRA BMXCRA31200: All versions
- Modicon M580/Quantum communication modules BMXCRA BMXCRA31210: All versions
- Modicon Quantum communication modules 140CRA 140CRA31908: All versions
- Modicon Quantum communication modules 140CRA 140CRA31200: All versions
3.2 VULNERABILITY OVERVIEW
3.2.1 OUT-OF-BOUNDS WRITE CWE-787
A possible stack overflow in dhcp server was discovered in Wind River VxWorks through 6.8.
CVE-2021-29999 has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
3.3 BACKGROUND
- CRITICAL INFRASTRUCTURE SECTORS: Commercial Facilities, Critical Manufacturing, Energy
- COUNTRIES/AREAS DEPLOYED: Worldwide
- COMPANY HEADQUARTERS LOCATION: France
3.4 RESEARCHER
Schneider Electric reported this vulnerability to CISA.
4. MITIGATIONS
Schneider Electric has identified the following specific remediations and mitigations users can apply to reduce risk:
- Modicon M580 communication modules BMENOC BMENOC0321: Version SV1.10 of BMENOC0321 includes a fix for this vulnerability and is available for download here: https://www.se.com/ww/en/product/BMENOC0321/m580- noc-control/
- Schneider Electric is establishing a remediation plan for all future versions of BMECRA, BMXCRA and 140CRA that will include a fix for this vulnerability. They will update SEVD-2025-014-03 when the remediation is available. Until then, users should immediately implement a firewall to allow only authorized traffic on 67/UDP and 68/UDP ports to reduce the risk of exploit.
Schneider Electric strongly recommends the following industry cybersecurity best practices.
- Locate control and safety system networks and remote devices behind firewalls and isolate them from the business network.
- Install physical controls so no unauthorized personnel can access your industrial control and safety systems, components, peripheral equipment, and networks.
- Place all controllers in locked cabinets and never leave them in the “Program” mode.
- Never connect programming software to any network other than the network intended for that device.
- Scan all methods of mobile data exchange with the isolated network such as CDs, USB drives, etc. before use in the terminals or any node connected to these networks.
- Never allow mobile devices that have connected to any other network besides the intended network to connect to the safety or control networks without proper sanitation.
- Minimize network exposure for all control system devices and systems and ensure that they are not accessible from the Internet.
- When remote access is required, use secure methods, such as virtual private networks (VPNs). Recognize that VPNs may have vulnerabilities and should be updated to the most current version available. Also, understand that VPNs are only as secure as the connected devices.
For more information refer to the Schneider Electric Recommended Cybersecurity Best
Practices document.
For more information, see Schneider Electric security notification “SEVD-2025-014-03 Wind River VxWorks DHCP server vulnerability”
Additional information about the vulnerability can be found on the Wind River site.
CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.
Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.
Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.
5. UPDATE HISTORY
- February 27, 2025: Initial Publication
Who needs LeBron? Why this might be the best Cavs team ever | The Big Number
Could this Cavs team outperform any of LeBron James’ legendary squads?
Luka Dončić has found new energy in Los Angeles | The Big Number
The trade to L.A. appears to have rejuvenated Luka, along with the Lakers’ title hopes.
NFL scouting combine live updates: Coaches, GMs take the podium in Indianapolis as 2025 draft season gets underway
The 2025 NFL Draft season kicks off as the teams meet the top college prospects at the combine in Indianapolis.