CVE-2025-12699

Published: Feb 10, 2026

Modified: Feb 11, 2026

PUBLISHED

CVSS v3.1

5.5

MEDIUM

Description

The ZOLL ePCR IOS application reflects unsanitized user input into a WebView. Attacker-controlled strings placed into PCR fields (run number, incident, call sign, notes) are interpreted as HTML/JS when the app prints or renders that content. In the proof of concept (POC), injected scripts return local file content, which would allow arbitrary local file reads from the app's runtime context. These local files contain device and user data within the ePCR medical application, and if exposed, would allow an attacker to access protected health information (PHI) or device telemetry.

Vendor	Product	Versions
ZOLL	ZOLL ePCR IOS Mobile Application	affected `2.6.7`

Weaknesses (CWE)

CWE-538

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

Attack Vector

Local

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

None

References

https://www.cisa.gov/news-events/ics-medical-advisories/icsma-26-041-01

https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsma-26-041-01.json

https://www.zolldata.com/contact-us.

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2025-12699

Description

Affected Products

Weaknesses (CWE)

CVSS v3.1 Details

References