Description
A weakness has been identified in i-SENS SmartLog App up to 2.6.8 on Android. This affects an unknown function of the component air.SmartLog.android. This manipulation causes hard-coded credentials. The attack can only be executed locally. The exploit has been made available to the public and could be used for attacks. The vendor explains: "The function referenced in the report currently exists in our deployed system. It is related to a developer mode used during the configuration process for Bluetooth pairing between the blood glucose meter and the SmartLog application. This function is intended for configuration purposes related to device integration and testing. (...) [I]n a future application update, we plan to review measures to either remove the developer mode function or restrict access to it."
Published: 2026-03-16
Score: 4.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Local credential exposure via hard‑coded credentials
Action: Apply Update
AI Analysis

Impact

The vulnerability is the presence of hard‑coded credentials in the i‑SENS SmartLog App component air.SmartLog.android up to version 2.6.8 on Android, and it maps to CWE‑259 and CWE‑798. The flaw allows local authentication bypass for the application itself; the available description does not indicate further consequences such as data disclosure or tampering beyond the application’s own use of the credentials.

Affected Systems

Vendor: i‑SENS. Product: SmartLog App for Android, component air.SmartLog.android. All releases of the Android application up to version 2.6.8 are vulnerable. No specific Android OS or device versions are mentioned, so any device running the vulnerable app could be impacted.

Risk and Exploitability

The CVSS score of 4.8 places the vulnerability in the medium severity range. The EPSS score of less than 1% suggests a low probability of exploitation. The vulnerability is not listed in CISA’s KEV catalog. The attack vector is local only; an exploit is publicly available that extracts the embedded credentials, but no remote code execution or denial‑of‑service capabilities are described.

Generated by OpenCVE AI on March 17, 2026 at 12:08 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Verify if a newer SmartLog App release that removes the hard‑coded credentials is available and update to that version if it exists.
  • If an update is not yet released, consider disabling any developer‑mode configuration functions in the app, if such a setting is exposed.
  • Contact i‑SENS to confirm the patch schedule and whether the developer‑mode function will be removed or restricted in a future update.
  • As a precaution, limit physical access to the device to reduce the opportunity for a local attacker to exploit the flaw.

Advisories

No advisories yet.

History

Tue, 17 Mar 2026 10:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | I-sens; I-sens smartlog App
Vendors & Products | | I-sens; I-sens smartlog App

Mon, 16 Mar 2026 19:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 16 Mar 2026 05:30:00 +0000

Type | Values Removed | Values Added
Description | | A weakness has been identified in i-SENS SmartLog App up to 2.6.8 on Android. This affects an unknown function of the component air.SmartLog.android. This manipulation causes hard-coded credentials. The attack can only be executed locally. The exploit has been made available to the public and could be used for attacks. The vendor explains: "The function referenced in the report currently exists in our deployed system. It is related to a developer mode used during the configuration process for Bluetooth pairing between the blood glucose meter and the SmartLog application. This function is intended for configuration purposes related to device integration and testing. (...) [I]n a future application update, we plan to review measures to either remove the developer mode function or restrict access to it."
Title | | i-SENS SmartLog App air.SmartLog.android hard-coded credentials
Weaknesses | | CWE-259; CWE-798
References | |
Metrics | | cvssV2_0 {'score': 4.3, 'vector': 'AV:L/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:C'}
 | | cvssV3_0 {'score': 5.3, 'vector': 'CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:C'}
 | | cvssV3_1 {'score': 5.3, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:C'}
 | | cvssV4_0 {'score': 4.8, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}

MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-03-16T18:45:09.497Z

Reserved: 2026-03-15T15:09:22.212Z

Link: CVE-2026-4216

Vulnrichment

Updated: 2026-03-16T18:45:05.743Z

NVD

Status: Awaiting Analysis

Published: 2026-03-16T14:20:08.733

Modified: 2026-03-16T14:53:07.390

Link: CVE-2026-4216

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-24T10:45:50Z

Weaknesses