HomeIntelligenceBrief
VULNERABILITY BRIEF🟠 High Vulnerability

Cleartext BLE Transmission & Missing Authorization in Apollo Pharmacy Blood Glucose Monitoring System (CVE-2026-50034, CVE-2026-52866) Exposes Patient Data

Two CVEs in Apollo Pharmacy's APG‑01 BT glucose monitor allow clear‑text BLE transmission and lack of authorization, enabling attackers to capture health data and disrupt connections. The issue highlights gaps in data‑in‑transit encryption and access‑control, which are critical for SOC 2 and privacy‑law compliance.

LiveThreat™ Intelligence · 📅 June 18, 2026· 📰 cisa.gov
🟠
Severity
High
VU
Type
Vulnerability
🎯
Confidence
High
🏢
Affected
1 sector(s)
Actions
4 recommended
📰
Source
cisa.gov

Cleartext BLE Transmission & Missing Authorization in Apollo Pharmacy Blood Glucose Monitoring System (CVE-2026-50034, CVE-2026-52866) Exposes Patient Data

What It Is — Two CVEs (CVE‑2026‑50034, CVE‑2026‑52866) affect the APG‑01 BT glucose monitor, allowing clear‑text Bluetooth Low Energy (BLE) traffic and lacking proper authorization checks. An attacker within BLE range can capture patient glucose readings and prevent legitimate connections.

Exploitability — No public exploit code, but the flaws are trivially exploitable with off‑the‑shelf BLE sniffers. CVSS v3 base score 6.5 (Medium‑High).

Affected Products — Apollo Pharmacy Blood Glucose Monitoring System APG‑01 BT, firmware 0x0110_v1.1.0.

Why It Matters for Compliance & Audit Readiness

  • Health‑related data is subject to HIPAA, GDPR, CCPA and emerging Indian privacy statutes; transmitting it in clear text breaches data‑in‑transit safeguards required by SOC 2 CC6.1.
  • Missing authorization violates SOC 2 CC6.2 access‑control criteria, making it harder to prove due‑diligence in privacy‑impact assessments and audit evidence.
  • Enterprise healthcare buyers now demand verifiable encryption and access‑control controls as part of SOC 2 readiness; remediation provides concrete evidence for those audits.

Recommended Actions

  • Confirm device firmware version and apply any vendor‑issued patches; if none are available, disable BLE when not needed.
  • Enable BLE Secure Connections or add a transport‑level encryption layer; enforce mutual authentication before data exchange.
  • Conduct a privacy‑impact assessment covering device‑collected data and update consent/DSAR processes accordingly.
  • Log remediation steps and retain BLE traffic logs as audit evidence for SOC 2 and privacy‑law compliance.

Source: CISA Advisory ICSMA‑26‑169‑01

📰 Original Source
https://www.cisa.gov/news-events/ics-medical-advisories/icsma-26-169-01

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.

From the Verisq platform · PrivacyOps · CookiePLUS

Data exposure is where consent and DSAR readiness get tested.

When personal data leaks, regulators ask what consent you held and how fast you can answer a subject request. The Verisq AI Trust Operations platform, with CookiePLUS, keeps that posture audit-ready under GDPR and CCPA.

Explore the Verisq AI Trust Operations platform →