Back to Intelligence

CVE-2026-50034 and CVE-2026-52866: Apollo Pharmacy APG-01 BT Vulnerabilities — Detection and Defense

SA
Security Arsenal Team
June 18, 2026
6 min read

CISA has released ICS Medical Advisory (ICSMA-26-169-01) detailing critical security vulnerabilities affecting the Apollo Pharmacy Blood Glucose Monitoring System (Model No. APG-01 BT). These issues, tracked as CVE-2026-50034 and CVE-2026-52866, pose significant risks to patient privacy and device availability in the Healthcare and Public Health sector, particularly in deployments across India.

Successful exploitation allows an attacker to passively intercept sensitive health data (blood glucose levels) due to cleartext transmission or actively prevent legitimate users from connecting to the device. Given the strict requirements of HIPAA and local data privacy regulations, these vulnerabilities require immediate asset discovery and network segmentation to prevent potential PHI (Protected Health Information) leakage.

Technical Analysis

Affected Product:

  • Apollo Pharmacy Blood Glucose Monitoring System APG-01 BT
  • Affected Version: 0x0110_v1.1.0

Vulnerabilities:

  1. CVE-2026-50034 (Cleartext Transmission of Sensitive Information):

    • CVSS v3 Score: 6.5 (Medium)
    • Mechanism: The device transmits sensitive health data over Bluetooth without adequate encryption. An attacker within radio range can capture these packets using standard hardware (e.g., Ubertooth, nRF Sniffer) and reconstruct glucose readings without triggering any security alerts on the device.

  2. CVE-2026-52866 (Missing Authorization):

    • CVSS v3 Score: 6.5 (Medium)
    • Mechanism: The device fails to properly authorize connecting devices. This allows an adversary to pair with the monitor illicitly. Once paired, they can issue commands to disrupt the device's availability, effectively denying the legitimate user (patient or provider) access to real-time data or connection establishment.

Attack Chain:

  1. Proximity Scanning: Attacker scans for Bluetooth Low Energy (BLE) devices in the vicinity (e.g., hospital ward, clinic).
  2. Target Identification: Identifies the APG-01 BT based on its broadcast name or Service UUID.
  3. Sniffing (CVE-2026-50034): Attacker passively captures traffic to read glucose values in cleartext.
  4. Unauthorized Pairing (CVE-2026-52866): Attacker initiates a connection. The device accepts the pairing without verifying the attacker's credentials, leading to a Denial of Service (DoS) for the legitimate endpoint.

Exploitation Status: As of this advisory, exploitation is considered theoretical but technically trivial given the prevalence of BLE tooling. No specific active exploitation in the wild has been confirmed by CISA, but the low barrier to entry necessitates immediate defensive posture adjustments.

Detection & Response

Because this is a medical IoT device, it will not appear in standard EDR logs. Detection focuses on two vectors: identifying the exploitation tools used by attackers (BLE scanning utilities) and discovering the vulnerable assets within your Windows infrastructure via Registry and Event logs.

SIGMA Rules

YAML
---
title: Potential Bluetooth Low Energy (BLE) Reconnaissance Activity
id: 8a2f1c92-4d5e-4f3a-9c1b-2e5a6f701234
status: experimental
description: Detects execution of common Linux Bluetooth reconnaissance tools often used to identify and exploit vulnerable BLE devices like medical sensors.
references:
  - https://cisa.gov/news-events/ics-medical-advisories/icsma-26-169-01
author: Security Arsenal
date: 2026/04/06
tags:
  - attack.reconnaissance
  - attack.t1120
logsource:
  category: process_creation
  product: linux
detection:
  selection:
    Image|endswith:
      - '/hcitool'
      - '/gatttool'
      - '/hciconfig'
      - '/lescan'
    CommandLine|contains:
      - 'scan'
      - 'lescan'
      - 'gatt'
  condition: selection
falsepositives:
  - Legitimate Bluetooth debugging by IT staff
level: medium
---
title: Windows Bluetooth Service Debug Logging Enabled
id: 9b3e2d83-5e6f-4a1b-0d2c-3f6b7g802345
status: experimental
description: Detects modifications to the Windows Bluetooth Service to enable verbose tracing, which can be a precursor to sniffing local Bluetooth traffic on a compromised host.
references:
  - https://attack.mitre.org/techniques/T1005/
author: Security Arsenal
date: 2026/04/06
tags:
  - attack.collection
  - attack.t1005
logsource:
  category: registry_set
  product: windows
detection:
  selection:
    TargetObject|contains: '\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters'
    Details|contains:
      - '1'
      - 'True'
  condition: selection
falsepositives:
  - Administrative troubleshooting of Bluetooth connectivity
level: low

KQL (Microsoft Sentinel / Defender)

KQL — Microsoft Sentinel / Defender
// Hunt for Linux processes executing BLE scanning utilities relevant to IoT exploitation
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName in~ ('hcitool', 'gatttool', 'hciconfig', 'bluetoothctl')
| where ProcessCommandLine contains_any ('scan', 'lescan', 'connect', 'dump')
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine, InitiatingProcessFileName
| extend IoTDeviceContext = "Potential IoT Reconnaissance"

Velociraptor VQL

VQL — Velociraptor
-- Hunt for execution of BLE scanning tools on Linux endpoints
SELECT Pid, Name, CommandLine, Exe, Username,CreateTime
FROM pslist()
WHERE Name =~ 'hcitool'
   OR Name =~ 'gatttool'
   OR Name =~ 'hciconfig'
   OR CommandLine =~ 'scan'

Remediation Script (PowerShell)

This script scans the Windows Registry for paired Bluetooth devices to identify if the vulnerable Apollo Pharmacy APG-01 BT model is present in the environment.

PowerShell
<#
.SYNOPSIS
    Asset Discovery Script for Apollo Pharmacy APG-01 BT.
.DESCRIPTION
    Scans Windows Registry for paired Bluetooth devices to identify the vulnerable
    Apollo Pharmacy Blood Glucose Monitoring System (APG-01 BT).
#>

Write-Host "[+] Initiating Bluetooth Asset Discovery for APG-01 BT..." -ForegroundColor Cyan

$RegPath = "HKLM:\SYSTEM\CurrentControlSet\Enum\BLE"
$VulnerableDeviceName = "APG-01"
$FoundDevices = @()

if (Test-Path $RegPath) {
    # Iterate through all BLE device keys
    Get-ChildItem -Path $RegPath -ErrorAction SilentlyContinue | ForEach-Object {
        $DeviceKey = $_
        # Check subkeys for device friendly names or hardware IDs
        Get-ChildItem -Path $DeviceKey.PSPath -ErrorAction SilentlyContinue | ForEach-Object {
            $SubKey = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
            
            # Check FriendlyName or Device Description for the vulnerable model
            if ($SubKey.FriendlyName -like "*$VulnerableDeviceName*" -or $SubKey.DeviceDesc -like "*$VulnerableDeviceName*") {
                $FoundDevices += [PSCustomObject]@{
                    DeviceName = $SubKey.FriendlyName
                    DevicePath  = $DeviceKey.Name
                    Status      = "VULNERABLE DETECTED"
                }
            }
        }
    }
}

if ($FoundDevices.Count -gt 0) {
    Write-Host "[!] WARNING: Vulnerable Apollo Pharmacy devices found:" -ForegroundColor Red
    $FoundDevices | Format-Table -AutoSize
    
    # Optional: Create a Windows Event Log entry for SOC visibility
    $EventSource = "SecurityArsenal-IR"
    if (![System.Diagnostics.EventLog]::SourceExists($EventSource)) {
        [System.Diagnostics.EventLog]::CreateEventSource($EventSource, "System")
    }
    $Message = "Vulnerable medical device detected: Apollo Pharmacy APG-01 BT. Immediate firmware update required."
    Write-EventLog -LogName System -Source $EventSource -EntryType Warning -EventId 16901 -Message $Message
} else {
    Write-Host "[-] No vulnerable Apollo Pharmacy APG-01 BT devices found in local Bluetooth registry." -ForegroundColor Green
}

Remediation

Immediate Actions:

  1. Physical Security & Proximity Controls: Restrict physical access to areas where these devices are deployed. Since the attack vector requires Bluetooth proximity, ensuring devices are only operated in secure, non-public areas reduces the risk of passive sniffing.

  2. Asset Inventory: Use the provided PowerShell script or manual checks to identify all instances of Model APG-01 BT running firmware version 0x0110_v1.1.0.

  3. Network Segmentation: Ensure that if these devices interface with a central gateway or workstation, they are isolated on a dedicated VLAN or separate network segment to prevent lateral movement if the connecting host is compromised.

Patching and Vendor Coordination:

  • Firmware Update: Contact Apollo Pharmacy immediately to inquire about the availability of a firmware patch that addresses CVE-2026-50034 and CVE-2026-52866. Do not rely on encryption applied at the application layer if the device transmits cleartext at the Bluetooth stack level.
  • Mitigation: If a patch is not immediately available, evaluate disabling Bluetooth functionality on the device (if possible for manual recording) or replacing the units with alternative medical devices that support Bluetooth Secure Connections (BR/EDR) or LE Secure Connections with strong encryption.

References:

  • CISA ICS Medical Advisory: ICSMA-26-169-01
  • Vendor: Apollo Pharmacy

Related Resources

Security Arsenal Managed SOC Services AlertMonitor Platform Book a SOC Assessment soc-mdr Intel Hub

managed-socmdrsecurity-monitoringthreat-detectionsiemmedical-iotcve-2026-50034cve-2026-52866

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.

Book a SOC AssessmentSee AlertMonitor in Action