Exposure of Private Personal Information to an Unauthorized Actor

CVE-2025-20615

Medium

6.2/10

Summary

The Qardio Arm iOS application exposes sensitive data such as usernames and passwords in a plist file. This allows an attacker to log in to production-level development accounts and access an engineering backdoor in the application. The engineering backdoor allows the attacker to send hex-based commands over a UI-based terminal.

Attack Complexity: LOW
Attack Vector: PHYSICAL
Integrity Impact: HIGH
Scope: UNCHANGED
User Interaction: NONE
Privileges Required: LOW
Confidentiality Impact: HIGH
Availability Impact: LOW

CWE-359 - Exposure of Private Personal Information to an Unauthorized Actor

The product does not properly prevent a person's private, personal information from being accessed by actors who either (1) are not explicitly authorized to access the information or (2) do not have the implicit consent of the person about whom the information is collected.

References

Advisory Timeline

Published Feb 13, 2025

Exposure of Private Personal Information to an Unauthorized Actor

CVE-2025-20615

Summary

CWE-359 - Exposure of Private Personal Information to an Unauthorized Actor

References

Advisory Timeline

ChainJacking

JetBrains IDE

KICS SaaS