PatchSiren cyber security CVE debrief

CVE-2025-12699 Raw CVE debrief

CVE-2025-12699 is a client-side injection issue in the ZOLL ePCR iOS Mobile Application 2.6.7. In CISA's 2026-02-10 advisory, attacker-controlled text entered into PCR fields such as run number, incident, call sign, and notes can be rendered in a WebView without proper sanitization and interpreted as HTML/JavaScript. The advisory's proof of concept shows injected script returning local file content, which creates a confidentiality risk for device data, user data, PHI, or device telemetry. ZOLL's remediation note says the app was decommissioned in May 2025 and that no replacement is planned.

Vendor: Raw
Product: ZOLL ePCR iOS Mobile Application 2.6.7
CVSS: MEDIUM 5.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-02-10
Original CVE updated: 2026-02-10
Advisory published: 2026-02-10
Advisory updated: 2026-02-10

Who should care

Healthcare IT, mobile device management, security, and privacy/compliance teams that may still have ZOLL ePCR iOS 2.6.7 installed on managed devices, retained in backups, or present in archived device images or test systems.

Technical summary

The advisory describes a WebView output-rendering flaw: untrusted PCR field content is reflected into a browser-like context and can be interpreted as HTML/JavaScript. That makes the app vulnerable to local client-side script execution in the app context, with the demonstrated impact being local file read exposure. The source material also references CWE-538 and lists a CVSS v3.1 vector of AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N (5.5).
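The rendering flaw described above comes down to interpolating untrusted field text into an HTML document without entity encoding. The following is an added example, not code from ZOLL or from the advisory, written in JavaScript because the sink is a WebView parsing HTML. It places the unsafe concatenation pattern beside its hardened form and adds a small triage helper for the "review stored PCR exports" step, which flags records whose fields already contain markup. The field names (runNumber, incident, callSign, notes) follow the advisory's list, and the sample records are constructed for illustration.

```javascript
// Added example (not ZOLL's code): encode PCR field values before they reach a
// WebView, and flag stored records whose fields already contain HTML markup.

// Field names assumed from the advisory's list of affected PCR fields.
const PCR_FIELDS = ["runNumber", "incident", "callSign", "notes"];

// Minimal HTML entity encoder for text interpolated into an HTML body.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable pattern: raw concatenation, so field text is parsed by the
// WebView as HTML (and any script inside it is executed in the app context).
function renderUnsafe(record) {
  return PCR_FIELDS.map((f) => `<p>${f}: ${record[f] ?? ""}</p>`).join("\n");
}

// Hardened pattern: every value is entity-encoded before interpolation, so the
// WebView displays the characters instead of interpreting them.
function renderSafe(record) {
  return PCR_FIELDS
    .map((f) => `<p>${escapeHtml(f)}: ${escapeHtml(record[f] ?? "")}</p>`)
    .join("\n");
}

// Triage helper: returns the field names whose stored value contains markup a
// WebView would interpret (any tag, a javascript: URL, or an inline event handler).
const MARKUP_RE = /<\s*\/?\s*[a-z][^>]*>|javascript:|\son[a-z]+\s*=/i;
function findMarkupFields(record) {
  return PCR_FIELDS.filter((f) => MARKUP_RE.test(String(record[f] ?? "")));
}

// Runs the check over an export and reports only the records that need review.
function triage(records) {
  return records
    .map((r, i) => ({ index: i, fields: findMarkupFields(r) }))
    .filter((hit) => hit.fields.length > 0);
}

// Constructed sample export records (not real PCR data).
const SAMPLE_RECORDS = [
  { runNumber: "R-1001", incident: "MVC", callSign: "M12", notes: "Patient stable on arrival." },
  { runNumber: "R-1002", incident: "Fall", callSign: "<b>M7</b>", notes: "See <script>x()</script> attached" },
];

console.log("records needing review:", JSON.stringify(triage(SAMPLE_RECORDS)));
console.log(renderSafe(SAMPLE_RECORDS[1]));
```

The encoder covers the five characters that matter when text lands in an HTML text node or a double-quoted attribute; values placed into URLs or inline script need context-specific encoding instead. The triage regex is deliberately broad, so treat its hits as candidates for manual review rather than confirmed findings.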

Defensive priority

Medium overall, but higher if any residual installations or device images still exist, because the impact is confidentiality loss of PHI/device data. If the app has already been fully removed everywhere, the practical exposure is largely historical.

Recommended defensive actions

  • Confirm whether any ZOLL ePCR iOS 2.6.7 installations, backups, MDM profiles, or retained device images still exist in your environment.
  • Remove the application from any remaining managed devices and quarantine or reimage endpoints if you cannot verify that no sensitive local data remains.
  • Review stored PCR exports, cached records, and device-held artifacts for possible exposure of PHI or telemetry data, especially where rendered content may have been preserved.
  • If the product is still present anywhere, prevent further use until you have completed an exposure assessment and documented data-handling impact for privacy and compliance teams.
  • Use CISA's ICS recommended practices and defense-in-depth guidance to reduce the risk of future client-side rendering flaws in mobile or operational applications, including strict input/output handling and least-privilege.

Evidence notes

The primary evidence is CISA's ICS Medical Advisory ICSMA-26-041-01 and its linked CSAF JSON for CVE-2025-12699, both published and modified on 2026-02-10. The source text states that ZOLL ePCR iOS reflects unsanitized user input into a WebView, that the proof of concept returns local file content, and that exposed files may contain PHI or device telemetry. The remediation note in the source says the app was decommissioned in May 2025 and that ZOLL has no current plans to provide a replacement application. The supplied source also includes a CVSS v3.1 vector of AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N and a KEV value of false.

Official resources

Publicly disclosed by CISA in ICSMA-26-041-01 on 2026-02-10. The supplied enrichment does not list the CVE in CISA KEV. The source remediation note states the product was decommissioned in May 2025 and no replacement is planned.