Description
An attacker within BLE communication range can passively intercept
wireless traffic and obtain sensitive health-related information,
including glucose measurement values.
Published: 2026-06-18
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability allows any entity within Bluetooth range to intercept unencrypted blood glucose data transmitted by the APG‑01 BT device. The result is that an attacker could obtain the victim’s glucose measurement values and other health‑related data. The weakness is a cleartext transmission, classified as CWE‑319; without encryption the data can be read directly from the wireless channel, compromising confidentiality.

Affected Systems

The affected system is the Apollo Pharmacy Blood Glucose Monitoring System model APG‑01 BT. No specific firmware or software versions were disclosed. The device uses standard BLE communication for transmitting glucose measurement values. The lack of encryption applies to all routine data transmissions on this model.

Risk and Exploitability

The CVSS score of 7.1 places this issue in the high risk range. Because the attack requires proximity and a passive interception of BLE traffic, a potential attacker would need to be within Bluetooth range, though the exact distance is not specified. The breach is considered recon‑friendly; there are no known exploits in the wild, and the vulnerability is not listed in the CISA KEV catalog. Nonetheless, given the sensitivity of medication data, the exposure could be significant.

Generated by OpenCVE AI on June 19, 2026 at 01:50 UTC.

Remediation

Vendor Workaround

Apollo Pharmacy did not respond to CISA's requests to coordinate. Users are encouraged to reach out to Apollo Pharmacy directly for more information: https://www.apollopharmacy.in/contact-us CISA recommends users follow the guidance in the Understanding Bluetooth Technology blog:  https://www.cisa.gov/news-events/news/understanding-bluetooth-technology


OpenCVE Recommended Actions

  • Contact Apollo Pharmacy and request a firmware update that encrypts BLE traffic.
  • Follow the CISA guidance in the Understanding Bluetooth Technology blog and consider disabling or restricting BLE usage or enabling any available encryption features.
  • If no patch is available, use an alternative blood‑glucose monitoring device that provides secure transmission or mitigate proximity attacks by physically limiting BLE proximity.

Generated by OpenCVE AI on June 19, 2026 at 01:50 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 22 Jun 2026 15:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Sun, 21 Jun 2026 09:45:00 +0000

Type Values Removed Values Added
First Time appeared Apollo Pharmacy
Apollo Pharmacy blood Glucose Monitoring System (model No. Apg-01 Bt)
Vendors & Products Apollo Pharmacy
Apollo Pharmacy blood Glucose Monitoring System (model No. Apg-01 Bt)

Fri, 19 Jun 2026 00:15:00 +0000

Type Values Removed Values Added
Description An attacker within BLE communication range can passively intercept wireless traffic and obtain sensitive health-related information, including glucose measurement values.
Title Apollo Pharmacy Blood Glucose Monitoring System APG-01 BT Cleartext Transmission of Sensitive Information
Weaknesses CWE-319
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}

cvssV4_0

{'score': 7.1, 'vector': 'CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}


Subscriptions

Apollo Pharmacy Blood Glucose Monitoring System (model No. Apg-01 Bt)
cve-icon MITRE

Status: PUBLISHED

Assigner: icscert

Published:

Updated: 2026-06-22T14:54:21.615Z

Reserved: 2026-06-10T21:21:12.237Z

Link: CVE-2026-50034

cve-icon Vulnrichment

Updated: 2026-06-22T14:54:15.957Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-20T22:36:34Z

Weaknesses
  • CWE-319

    Cleartext Transmission of Sensitive Information