PatchSiren cyber security CVE debrief

CVE-2024-54681 Ossur CVE debrief

Multiple bash files were present in the application's private directory. An attacker who already has full access to the mobile platform can use these bash files on their own to compromise the application's translations.

Vendor: Ossur
Product: Logic Mobile Application
CVSS: LOW 3.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2024-12-19
Original CVE updated: 2024-12-19
Advisory published: 2024-12-19
Advisory updated: 2024-12-19

Who should care

Organizations and individuals using the Ossur Logic Mobile Application for medical device management should apply the update to version 1.5.5 or later. Security teams supporting healthcare environments with mobile medical applications should verify patch deployment across managed device fleets.

Technical summary

The Ossur Logic Mobile Application contained multiple bash files in its private application directory. These files could be exploited by an attacker who has already achieved full access to the mobile platform to compromise the application's translations. The vulnerability requires local access with elevated privileges and does not enable remote exploitation. The primary impact is limited to integrity of application translations, with no confidentiality or availability impact beyond the translation subsystem.

Defensive priority

LOW

Recommended defensive actions

  • Update the Ossur Logic Mobile Application to version 1.5.5 or later through the official app store on your mobile device.
  • No additional user action is required after updating to the patched version.
  • Ensure mobile devices running the application maintain appropriate platform-level access controls to prevent unauthorized local access.

Evidence notes

CISA published ICSMA-24-354-01 on 2024-12-19, identifying this vulnerability in the Ossur Logic Mobile Application. The advisory notes that bash files present in the application's private directory could be leveraged by an attacker with full access to the mobile platform to compromise application translations. The CVSS 3.1 score of 3.5 (LOW) reflects the requirement for prior full platform access and limited impact scope.
