CISA Discloses Unpatched Bluetooth Flaws in Apollo Pharmacy Blood Glucose Monitor
CISA disclosed two unpatched vulnerabilities in the Apollo Pharmacy Blood Glucose Monitoring System APG-01 BT, allowing attackers to intercept sensitive health data or block legitimate connections.

CISA has disclosed two vulnerabilities in the Apollo Pharmacy Blood Glucose Monitoring System APG-01 BT (model APG-01 BT, version 0x0110_v1.1.0), a Bluetooth-enabled medical device used for diabetes management. The flaws, identified as CVE-2026-50034 and CVE-2026-52866, could allow an attacker within Bluetooth Low Energy (BLE) range to either passively intercept sensitive health data or monopolize the device's single connection slot, preventing legitimate users from pairing. Apollo Pharmacy did not respond to CISA's coordination requests, leaving users without an official patch.
CVE-2026-50034 is a cleartext transmission of sensitive information vulnerability (CWE-319) with a CVSS v3.1 base score of 6.5 (medium) and a CVSS v4.0 score of 7.1 (high). An attacker within BLE communication range can passively intercept wireless traffic and obtain sensitive health-related information, including glucose measurement values. This means a nearby attacker could eavesdrop on a patient's blood sugar readings without any authentication, potentially exposing private medical data.
CVE-2026-52866 is a missing authorization vulnerability (CWE-862) with a CVSS v3.1 base score of 6.5 (medium) and a CVSS v4.0 score of 7.1 (high). An attacker within BLE range can monopolize the device's only available BLE connection slot, preventing legitimate users or applications from establishing a connection. This denial-of-service condition could prevent a patient from syncing their glucose readings with a smartphone app or other monitoring system, potentially delaying critical medical decisions.
The affected product is the Apollo Pharmacy Blood Glucose Monitoring System (Model No. APG-01 BT) running firmware version 0x0110_v1.1.0. The device is deployed primarily in India, where Apollo Pharmacy is headquartered. CISA notes that the vulnerabilities are not exploitable remotely: an attacker must be within BLE range, which limits the attack surface but still leaves the device exposed in public or shared spaces such as hospitals and clinics.
CISA has provided mitigation guidance, recommending that users follow the agency's Understanding Bluetooth Technology blog post for general security practices. However, because Apollo Pharmacy did not respond to CISA's coordination requests, no vendor-supplied patch or device-specific remediation is available. CISA encourages users to contact Apollo Pharmacy directly for more information and to apply general defensive measures such as minimizing network exposure and using VPNs where applicable.
The vulnerabilities were reported to CISA by Rishitha Pucchakayala and the Centre for Development of Advanced Computing (Hyderabad). As of the initial publication date of June 18, 2026, no known public exploitation specifically targeting these vulnerabilities has been reported to CISA. However, the lack of a vendor response raises concerns about the long-term security of the device, especially as Bluetooth-enabled medical devices become more common.
This disclosure highlights a recurring challenge in medical device security: vendors who fail to respond to vulnerability disclosures leave patients and healthcare providers exposed. While the BLE-only attack range limits the immediate threat, the passive interception of glucose readings could be exploited in targeted surveillance scenarios, and the connection monopolization flaw could disrupt diabetes management. Users of the APG-01 BT should remain vigilant and consider alternative monitoring methods until a fix is available.