CPATH-2026-0008 · WEARABLE HEALTH

Qardio firmware files extractable

Provisional. Candidate score (CFSE Consequence Paths 1.0-candidate); pending independent review. Treat as a structured second opinion, not a final rating.

Paths HIGH Dominant consequence DATA_PRIVACY perception · Evidence EV:2 (report-backed) · Liveness HISTORICAL

CPATH ID	`CPATH-2026-0008`
CVE(s)	CVE-2025-23421
Device / class	Qardio firmware files extractable (WEARABLE HEALTH)
Vendor	Qardio
Dominant consequence	`DATA_PRIVACY` (perception)
Paths verdict	HIGH (worst of 1 path)
Published baseline	v4.0 6.9 MEDIUM `CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X` · CISA/ICS-CERT via NVD v3.1 6.4 MEDIUM `CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L` · CISA/ICS-CERT via NVD
Baseline relationship	▼ Paths higher
Consequence dimension(s)	#7 (what these mean)
Scored	2026-06-03 · CFSE Consequence Paths v1.0-candidate · validation: provisional
Baseline confidence	high

Consequence Paths

Paths Assessment

perception

`DATA_PRIVACY`

HIGH

Reachability RE:3

Complexity EC:4

Consequence DATA_PRIVACY

Scale SR:3 / SX:3

Verdict HIGH

Reachability 3

Complexity 4

Exposure 3

Physical / safety 0

Data / perception 3

Authority 1

Chainability 2

Reuse scale 3

Execution scale 3

Recovery 1

Evidence EV:2 · report-backed

Liveness HISTORICAL

Vector

CPATH:1.0-candidate/TT:DATA_PRIVACY/RE:3/EC:4/EX:3/PH:0/DP:3/AT:1/CH:2/SR:3/SX:3/OR:1/EV:2/LS:HISTORICAL

Assessment

CFSE Consequence Paths assesses Qardio firmware files extractable at HIGH — the worst of 1 risk path (perception). The dominant consequence is exposure of sensitive data.

Vulnerability

Qardio firmware files extractable. Reported attack vector: Physical (disputed).

CFSE Consequence Paths analysis

The vulnerability is decomposed into one risk path per terminal consequence. Each path is scored on its exposure (reachability × execution complexity) and the authority, perception, and physical/safety it reaches, together with its scale of reuse, scale of execution, and recoverability.

`DATA_PRIVACY` → HIGH

CPATH:1.0-candidate/TT:DATA_PRIVACY/RE:3/EC:4/EX:3/PH:0/DP:3/AT:1/CH:2/SR:3/SX:3/OR:1/EV:2/LS:HISTORICAL

Exposure EX=3 (reachability-bound) · bands PH=ELEVATED · DP=HIGH · AT=HIGH → base HIGH · caps privacy-only cap → assessed HIGH.

Mobile apps allow unauthorized access to firmware update files. RE:3 because the attacker uses their own app artifact/OTA flow (attacker-owned), not victim physical hardware despite the disputed Physical AV label - reading app-accessible firmware files is the app-artifact case. EC:4 straightforward extraction, single operation. AT:1 no direct authority gained; firmware extraction is read-only and only enables downstream RE (no signing key or fleet control exposed). PH:0 no direct safety effect from mere extraction. DP:3 firmware/proprietary control data (sensitive operational/firmware data, not just PII). CH:2 enables further reverse engineering across app/firmware boundary but is not a multi-hop reusable authority bridge by itself;
boundary_crossing — true (app -> firmware/device domain). SR:3 same firmware image is shared across the fleet so the extracted artifact is portable. SX:3 deployment-wide once the technique is set up, but each victim’s data is not remotely harvested - it is the common firmware that is exposed. OR:1 low recovery burden (no key rotation or recall needed for the extraction itself). EV:2 report-backed (CVE-2025-23421). LS HISTORICAL. AT held at 1 - no demonstrated trust-root or control-safety consequence; only firmware confidentiality.

Published baseline

v4.0 6.9 MEDIUM — CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X — CISA/ICS-CERT via NVD
v3.1 6.4 MEDIUM — CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L — CISA/ICS-CERT via NVD

The published baseline above is retained for source review. The registry records the reachable consequence path, including deployment-specific cyber-physical consequence, physical/safety impact, scale, and recovery burden.

Sources

NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-23421

Score it yourself in the calculator Review this score

Cite this entry:

CFSE Consequence Paths Registry v1.0-candidate, entry CPATH-2026-0008 (“Qardio firmware files extractable”), paths.cfse.ai/CPATH-2026-0008 (published 2026-06-03).