Severity by source
CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Adjacent BLE radio attack with no privileges or interaction; passive sniffing of unencrypted health data yields high confidentiality impact only, no integrity or availability effect.
Primary rating from Vendor (icscert).
CVSS VectorVendor: icscert
CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
An attacker within BLE communication range can passively intercept wireless traffic and obtain sensitive health-related information, including glucose measurement values.
AnalysisAI
Cleartext Bluetooth Low Energy transmission in the Apollo Pharmacy Blood Glucose Monitoring System (Model APG-01 BT) allows an attacker within BLE radio range to passively sniff wireless traffic and recover patient glucose readings and related health data. The flaw is a CWE-319 cleartext-transmission issue affecting a consumer medical device, disclosed via CISA ICS-CERT advisory ICSMA-26-169-01. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the attacker to be within BLE radio range (AV:A) of an APG-01 BT meter while the meter is actively transmitting a reading to its paired phone, and that the device is operated in its default configuration where measurement values are sent over BLE without link-layer or application-layer encryption. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The signals are internally consistent but moderate. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker sits within roughly 10-30 meters of a patient using the APG-01 BT meter - for example in a clinic waiting room, on public transit, or in an adjacent apartment - and runs a passive BLE sniffer such as Sniffle on an nRF52840 dongle to capture advertising and GATT traffic. Because measurement values are transmitted without encryption, the captured packets directly reveal glucose readings and associated metadata, enabling targeted privacy violation, insurance/employment discrimination, or stalking of a specific individual. … |
| Remediation | No vendor-released patch identified at time of analysis; consult CISA ICSMA-26-169-01 (https://www.cisa.gov/news-events/ics-medical-advisories/icsma-26-169-01) and contact Apollo Pharmacy via https://www.apollopharmacy.in/contact-us for firmware status. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Conduct inventory of all APG-01 BT devices in clinical use and identify affected patient populations; escalate to compliance and risk management. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-37971
GHSA-cmv8-9pgg-5rx4