PT-2026-7469 · Zoll · Zoll Epcr

Published: 2026-02-10 · Updated: 2026-02-11 · CVE-2025-12699

CVSS v3.1: 5.5 (Medium)

Vector: AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions

ZOLL ePCR iOS application (affected versions not specified)

Description

The application displays user-supplied data within a WebView without proper sanitization. Specifically, attacker-controlled strings entered into PCR fields such as run number, incident, call sign, and notes are interpreted as HTML/JavaScript when the application prints or renders the content. This allows for the injection of scripts that can read local files from the application’s runtime context. These files contain device and user data, including protected health information (PHI) and device telemetry, potentially exposing sensitive information to an attacker. The proof of concept demonstrates the ability to retrieve local file content using injected scripts.

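
As an added illustration of the sanitization the description says is missing (not ZOLL's code and not from the advisory), the following escapes every PCR field before it is placed in the HTML handed to the WebView. The field names, the print template and the Content-Security-Policy are assumptions, and JavaScript is used only because the page does not say how the app builds its WebView content.

```javascript
'use strict';

// Characters that let a text value break out of an HTML text node or a quoted attribute.
const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;', '`': '&#96;',
};

function escapeHtml(value) {
  return String(value ?? '').replace(/[&<>"'`]/g, (ch) => HTML_ESCAPES[ch]);
}

// Tagged template: the literal parts are trusted markup written by the developer,
// every interpolated value is treated as text and escaped.
function html(strings, ...values) {
  return strings.reduce(
    (out, part, i) => out + part + (i < values.length ? escapeHtml(values[i]) : ''),
    '',
  );
}

// Hypothetical print template. The CSP meta tag is defence in depth: a WebView
// that enforces default-src 'none' will not run scripts or fetch resources
// even if some value reaches the page unescaped.
function renderPrintView(pcr) {
  return html`<!doctype html>
<html><head><meta charset="utf-8">
<meta http-equiv="Content-Security-Policy" content="default-src 'none'; style-src 'unsafe-inline'">
</head><body>
<h1 title="${pcr.callSign}">Run ${pcr.runNumber}</h1>
<p class="incident">${pcr.incident}</p>
<pre class="notes">${pcr.notes}</pre>
</body></html>`;
}

// Constructed record: markup typed into free-text fields (harmless marker values).
const sample = {
  runNumber: '2026-0001',
  callSign: 'MEDIC-7" onmouseover="void 0',
  incident: '<img src=x onerror="void 0">',
  notes: 'Patient stable & alert <script>void 0</script>',
};

console.log(renderPrintView(sample));
```

The output shows the field contents as literal text: the quote in the call sign stays inside the `title` attribute, and the tags in the incident and notes fields arrive as `&lt;…&gt;` rather than as elements.
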
Recommendations

At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Weakness Enumeration

Related Identifiers

CVE-2025-12699

Affected Products

Zoll Epcr