Vulnerability Description
The ZOLL ePCR IOS application reflects unsanitized user input into a WebView. Attacker-controlled strings placed into PCR fields (run number, incident, call sign, notes) are interpreted as HTML/JS when the app prints or renders that content. In the proof of concept (POC), injected scripts return local file content, which would allow arbitrary local file reads from the app's runtime context. These local files contain device and user data within the ePCR medical application, and if exposed, would allow an attacker to access protected health information (PHI) or device telemetry.
CVSS Score
MEDIUM
Related Weaknesses (CWE)
References
- https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsma-26-0
- https://www.cisa.gov/news-events/ics-medical-advisories/icsma-26-041-01
- https://www.zolldata.com/contact-us.
FAQ
What is CVE-2025-12699?
CVE-2025-12699 is a vulnerability with a CVSS score of 5.5 (MEDIUM). The ZOLL ePCR IOS application reflects unsanitized user input into a WebView. Attacker-controlled strings placed into PCR fields (run number, incident, call sign, notes) are interpreted as HTML/JS whe...
How severe is CVE-2025-12699?
CVE-2025-12699 has been rated MEDIUM with a CVSS base score of 5.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2025-12699?
Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.