CVE-2024-32368: n/a
Insecure Permission vulnerability in Agasta Sanketlife 2.0 Pocket 12-Lead ECG Monitor FW Version 3.0 allows a local attacker to cause a denial of service via the Bluetooth Low Energy (BLE) component.
AI Analysis
Technical Summary
CVE-2024-32368 identifies an insecure permission vulnerability (CWE-276) in the Bluetooth Low Energy (BLE) component of the Agasta Sanketlife 2.0 Pocket 12-Lead ECG Monitor, specifically firmware version 3.0. This vulnerability allows a local attacker with low privileges to trigger a denial of service (DoS) condition on the device. The root cause is improper permission settings within the BLE implementation, which fails to adequately restrict access to certain functions or resources. As a result, an attacker in physical proximity who can interact with the device's BLE interface can exploit this flaw to disrupt the device's operation, causing it to become unavailable. The CVSS v3.1 base score is 7.3 (high), reflecting an adjacent-network attack vector (local BLE), low attack complexity, low privileges required, no user interaction, and a high impact on confidentiality and availability with no impact on integrity. Because no user interaction is needed, the risk of automated or stealthy exploitation is increased. Although no patches or known exploits are currently available, the critical role of the device in medical monitoring underscores the importance of addressing this issue promptly.
Potential Impact
The primary impact of this vulnerability is denial of service, which can render the ECG monitor unavailable for patient monitoring. This disruption can delay or prevent critical cardiac health assessments, potentially endangering patient safety. The confidentiality impact is rated high, indicating that sensitive patient data transmitted or stored by the device may be exposed or accessible during exploitation. However, the integrity of the device's data or operation is not affected. Organizations relying on these devices in clinical environments face risks of operational downtime and potential breaches of patient data privacy. Given the medical context, even temporary unavailability can have severe consequences for patient care. The requirement for local access limits the scope somewhat but does not eliminate risk, especially in healthcare settings where devices may be accessible to multiple personnel or visitors. The lack of available patches increases the urgency for interim mitigations.
Mitigation Recommendations
To mitigate CVE-2024-32368, organizations should first isolate the affected ECG monitors within secure network segments to limit BLE access to authorized personnel only. Physical security controls should be enhanced to restrict local access to the devices, including controlled access to patient rooms and device storage areas. Disable or limit BLE functionality when not in active use to reduce the attack surface. Monitor BLE traffic for unusual connection attempts or patterns that could indicate exploitation attempts. Engage with the device vendor to obtain firmware updates or patches as soon as they become available and prioritize their deployment. Implement network-level controls such as BLE device whitelisting and authentication mechanisms if supported by the device. Additionally, establish incident response plans specific to medical device disruptions to ensure rapid recovery and patient safety. Regularly audit device configurations and permissions to detect and remediate insecure settings proactively.
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, France, Japan, South Korea, India, Brazil
Technical Details
- Data Version: 5.1
- Assigner Short Name: mitre
- Date Reserved: 2024-04-12T00:00:00.000Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 699f6c37b7ef31ef0b56136a
Added to database: 2/25/2026, 9:40:07 PM
Last enriched: 2/26/2026, 4:18:36 AM
Last updated: 4/12/2026, 3:33:56 PM