CPATH-2026-0007 · WEARABLE HEALTH

Qardio BLE unauthenticated DoS (startMeasurement flood)

Provisional. Candidate score (CFSE Consequence Paths 1.0-candidate); pending independent review. Treat as a structured second opinion, not a final rating.

Paths ELEVATED Dominant consequence DEVICE_AVAILABILITY Physical/safety · Evidence EV:3 (reproduced / report-backed) · Liveness HISTORICAL

CPATH ID	`CPATH-2026-0007`
CVE(s)	CVE-2025-24836
Device / class	Qardio BLE unauthenticated DoS (startMeasurement flood) (WEARABLE HEALTH)
Vendor	Qardio
Dominant consequence	`DEVICE_AVAILABILITY` (Physical/safety)
Paths verdict	ELEVATED (worst of 1 path)
Published baseline	v4.0 6.1 MEDIUM `CVSS:4.0/AV:A/AC:H/AT:N/PR:N/UI:N/VC:L/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X` · CISA/ICS-CERT via NVD v3.1 7.1 HIGH `CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:H` · CISA/ICS-CERT via NVD
Baseline relationship	▲ Paths lower
Consequence dimension(s)	#7 (what these mean)
Scored	2026-06-03 · CFSE Consequence Paths v1.0-candidate · validation: provisional
Baseline confidence	high

Consequence Paths

Paths Assessment

Physical/safety

`DEVICE_AVAILABILITY`

ELEVATED

Reachability RE:2

Complexity EC:4

Consequence DEVICE_AVAILABILITY

Scale SR:3 / SX:2

Verdict ELEVATED

Reachability 2

Complexity 4

Exposure 2

Physical / safety 2

Data / perception 1

Authority 2

Chainability 1

Reuse scale 3

Execution scale 2

Recovery 1

Evidence EV:3 · reproduced / report-backed

Liveness HISTORICAL

Vector

CPATH:1.0-candidate/TT:DEVICE_AVAILABILITY/RE:2/EC:4/EX:2/PH:2/DP:1/AT:2/CH:1/SR:3/SX:2/OR:1/EV:3/LS:HISTORICAL

Assessment

CFSE Consequence Paths assesses Qardio BLE unauthenticated DoS (startMeasurement flood) at ELEVATED — the worst of 1 risk path (safety). The dominant consequence is denial of a device function.

Vulnerability

Qardio BLE unauthenticated DoS (startMeasurement flood). Reported attack vector: Adjacent.

CFSE Consequence Paths analysis

The vulnerability is decomposed into one risk path per terminal consequence. Each path is scored on its exposure (reachability × execution complexity) and the authority, perception, and physical/safety it reaches, together with its scale of reuse, scale of execution, and recoverability.

`DEVICE_AVAILABILITY` → ELEVATED

CPATH:1.0-candidate/TT:DEVICE_AVAILABILITY/RE:2/EC:4/EX:2/PH:2/DP:1/AT:2/CH:1/SR:3/SX:2/OR:1/EV:3/LS:HISTORICAL

Exposure EX=2 (reachability-bound) · bands PH=ELEVATED · DP=ELEVATED · AT=ELEVATED → base ELEVATED → assessed ELEVATED.

BLE proximity (~10m), no pairing/auth, so RE:2 (local-net/proximity position). EC:4 because despite CVSS AC:H the practical exploit is a simple connect-and-write bleak script (single-request commodity). AT:2: bounded command authority over the cuff (startMeasurement) - no admin/firmware/trust-root control. PH:2: repeated cuff inflation is discomfort/nuisance and blocks legitimate clinical monitoring (availability disruption) but no credible severe injury or wrong-therapy. DP:1: minor/low-sensitivity data exposure. CH:1: limited chaining - crosses physical/device boundary (boundary_crossing=true) but does not transfer authority across domains. SR:3: the unauthenticated-write method/script is portable and reusable across any unit. SX:2: requires per-device BLE proximity, not remote/fleet-scale. OR:1: user-visible, recoverable by disconnect/battery removal, no fleet action. EV:3: reproduced.
perception_feeds_action — false (no perception drives action).
active_exploitation — false (no in-the-wild evidence; HISTORICAL).

Published baseline

v4.0 6.1 MEDIUM — CVSS:4.0/AV:A/AC:H/AT:N/PR:N/UI:N/VC:L/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X — CISA/ICS-CERT via NVD
v3.1 7.1 HIGH — CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:H — CISA/ICS-CERT via NVD

The published baseline above is retained for source review. The registry records the reachable consequence path rather than treating the baseline score as the primary registry frame.

Sources

NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-24836

Score it yourself in the calculator Review this score

Cite this entry:

CFSE Consequence Paths Registry v1.0-candidate, entry CPATH-2026-0007 (“Qardio BLE unauthenticated DoS (startMeasurement flood)”), paths.cfse.ai/CPATH-2026-0007 (published 2026-06-03).