CPATH-2026-0001 · Qardio Arm (WEARABLE HEALTH) · ACCOUNT_AUTHORITY (authority)

Vector: CPATH:1.0-candidate/TT:ACCOUNT_AUTHORITY/RE:3/EC:4/EX:3/PH:0/DP:3/AT:3/CH:3/SR:4/SX:4/OR:3/EV:3/LS:HISTORICAL

Evidence EV:3 (reproduced / report-backed) · Liveness HISTORICAL

| Field | Value |
| --- | --- |
| CPATH ID | CPATH-2026-0001 |
| CVE(s) | CVE-2025-20615 |
| Device / class | Qardio Arm blood-pressure monitor + iOS app (WEARABLE HEALTH) |
| Vendor | Qardio |
| Dominant consequence | ACCOUNT_AUTHORITY (authority) |
| Paths verdict | CRITICAL (worst of 1 path) |
| Published baseline | CVSS v3.1 6.6 MEDIUM (CVSS:3.1/AV:P/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) · NVD CVSS v3.1 6.2 MEDIUM (CVSS:3.1/AV:P/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L) · CISA ICSMA-25-044-01 |
| Baseline relationship | Paths higher than published baseline |
| Consequence dimension(s) | #1 (blast-radius / scale-of-reuse) |
| Scored | 2026-06-03 · CFSE Consequence Paths v1.0-candidate · validation: provisional |
| Baseline confidence | high |
Consequence Paths

ACCOUNT_AUTHORITY (authority)

The Paths model rates this CRITICAL because a single static credential shipped in every downloadable copy of the app yields production engineering authority across the deployed fleet. The published 6.6/6.2 Medium baselines are retained for source review; the Paths driver is fleet-scale authority transfer from a reusable app artifact.
The Qardio Arm iOS app ships static, production-level credentials in a .plist file inside the app bundle. Extracting them unlocks an engineering/dev account on api.getqardio.com plus an engineering backdoor that issues raw hex commands over BLE to the blood-pressure monitor itself (CISA ICSMA-25-044-01).
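The check a reviewer would run on any distributed app copy to confirm the point above: unpack the .ipa and look for credential-shaped strings in its .plist files. This is an added example, not Qardio's code or the registry's tooling; the bundle it builds, the key names, the account and the password are all constructed for illustration, and the key-name regex and entropy threshold are assumed heuristics to tune per app.

```python
"""Scan an iOS .ipa for static secrets shipped in .plist files.  Added example,
not Qardio's code or the registry's: the bundle built below is constructed and
its key names, account and password are invented for illustration.  It shows
the point made in the text: anyone holding a copy of the app can read such a
credential, with no victim device involved."""
import io
import math
import plistlib
import re
import zipfile
from collections import Counter

# Heuristic key-name patterns; tune for the app under review (assumption).
SUSPECT_KEY = re.compile(
    r"(pass(word|wd)?|secret|token|api[_-]?key|credential|auth|user(name)?|account)", re.I)
ENTROPY_FLOOR = 3.5     # bits/char; a random 16-char mixed string scores ~4.0
MIN_LENGTH = 12

# Constructed sample Info.plist payload (not the vendor's file).
SAMPLE_PLIST = {
    "CFBundleIdentifier": "com.example.healthapp",
    "APIBaseURL": "https://api.example.invalid",
    "BuildNumber": "4711",
    "EngineeringAccount": {
        "username": "eng@example.invalid",
        "password": "Xk9#vQ2mL7pR4sT1",
    },
}


def build_sample_ipa():
    """Return bytes of a minimal .ipa (a zip with Payload/<App>.app/...)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("Payload/Health.app/Info.plist",
                   plistlib.dumps(SAMPLE_PLIST, fmt=plistlib.FMT_XML))
        z.writestr("Payload/Health.app/Settings.plist",
                   plistlib.dumps({"theme": "dark"}, fmt=plistlib.FMT_BINARY))
        z.writestr("Payload/Health.app/Health", b"\x00binary\x00")   # not a plist
    return buf.getvalue()


def shannon_entropy(s):
    """Bits per character of s (0.0 for empty or single-symbol strings)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def walk(node, path=()):
    """Yield (path_tuple, leaf) for every leaf of a parsed plist."""
    if isinstance(node, dict):
        for k, v in node.items():
            yield from walk(v, path + (str(k),))
    elif isinstance(node, list):
        for i, v in enumerate(node):
            yield from walk(v, path + (f"[{i}]",))
    else:
        yield path, node


def find_secrets(plist_bytes):
    """Flag string leaves whose key looks credential-like or whose value is
    long and high-entropy.  URLs are skipped: high-entropy but public."""
    data = plistlib.loads(plist_bytes)      # autodetects XML and binary plists
    findings = []
    for path, value in walk(data):
        if not isinstance(value, str) or value.startswith(("http://", "https://")):
            continue
        key_hit = any(SUSPECT_KEY.search(p) for p in path)
        ent = shannon_entropy(value)
        if key_hit or (len(value) >= MIN_LENGTH and ent >= ENTROPY_FLOOR):
            findings.append({"path": "/".join(path), "entropy": round(ent, 2),
                             "reason": "key name" if key_hit else "high entropy"})
    return findings


def scan_ipa(ipa_bytes):
    """Map each .plist member under Payload/ to its findings (non-empty only)."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(ipa_bytes)) as z:
        for name in z.namelist():
            if not (name.startswith("Payload/") and name.endswith(".plist")):
                continue
            try:
                hits = find_secrets(z.read(name))
            except plistlib.InvalidFileException:
                continue        # malformed plist: skip it rather than abort the scan
            if hits:
                report[name] = hits
    return report


if __name__ == "__main__":
    for member, hits in scan_ipa(build_sample_ipa()).items():
        for h in hits:
            print(f"{member}: {h['path']} ({h['reason']}, H={h['entropy']})")
```

Run it against a real .ipa by replacing `build_sample_ipa()` with the file's bytes; the entropy rule catches opaque tokens under innocuous key names, the key-name rule catches low-entropy passwords under obvious ones, and the two together are what turns "a file in the bundle" into "a credential every downloader holds".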
AV:P (Physical) is the suppressor. CVSS v3.1 (FIRST) scores Attack Vector relative to the vulnerable component. The analyst modeled that component as a victim's installed phone, which would require physical extraction. But the secret is identical in every downloadable copy of the app, so the real vulnerable component is the distributed app artifact, readable from the attacker's own device, and the credential it yields is then used over the network against api.getqardio.com. That is AV:N, and reading a file out of your own copy of the app needs no privilege on any victim system (PR:N). The CWE-359 ("private info exposure") label understates the issue in the same way, filing a privileged backdoor as a privacy leak; CWE-798 (Use of Hard-coded Credentials) is the closer fit.
The Paths model highlights dimension #1 (blast-radius / scale-of-reuse): one extracted credential yields standing engineering-backdoor authority across the deployed fleet. The published baseline depends on a component model that treats the vulnerable artifact as a victim phone (AV:P). The credential leak is remote and reusable; only the BLE command path to a given device remains local.
CFSE Consequence Paths Registry v1.0-candidate, entry CPATH-2026-0001 (“Qardio Arm — static credentials → engineering backdoor”), paths.cfse.ai/CPATH-2026-0001 (published 2026-06-03).