Emergency medical services agencies that still use ZOLL’s ePCR iOS mobile app are being urged to immediately isolate affected devices after a newly disclosed vulnerability was found to allow attackers to read protected health information and device telemetry from within the app’s local files. The vulnerability, tracked as CVE-2025-12699 and detailed in a CISA medical advisory on February 10, 2026, affects version 2.6.7 of the application — a version the vendor decommissioned in May 2025 and has no plans to replace.

A WebView Flaw in a Retired App

The vulnerability stems from a reflected content issue inside the app’s WebView component. When the ZOLL ePCR iOS app renders or prints patient care report (PCR) fields — such as run numbers, incident names, call signs, or notes — it inserts that user-supplied text directly into a WebView without sanitizing it. If an attacker manages to embed HTML or JavaScript into those fields, the WebView will execute the code as if it were legitimate content.

In a proof of concept, researchers demonstrated that injected scripts could access and return local files stored by the app. Those files often contain sensitive data: patient identifiers, incident metadata, timestamps, device telemetry, and cached chart attachments. The proof of concept confirms arbitrary local file reads from the app’s runtime context, which, as the advisory states, would allow an attacker to access PHI or device telemetry.

The attack requires the ability to place malicious strings into PCR fields. This could happen in several ways:

  • An attacker gains physical access to a device and types or pastes the payload directly.
  • An upstream data feed — such as a dispatch integration or third-party import — is compromised or inadvertently carries tainted data.
  • A user is tricked into copying and pasting suspicious content into a field.

While the vulnerability is not exploitable remotely over the internet, these local and supply-chain attack paths make it a serious concern for any organization still running the app. CISA assigned it a CVSS v3.1 base score of 5.5, categorizing it as medium severity under the insertion of sensitive information into an externally-accessible file or directory weakness.

Immediate Risks for EMS Operations

For emergency medical services agencies, the decommissioned app creates three pressing problems.

Data exposure and compliance. Protected health information is tightly regulated. Unauthorized access or exfiltration can trigger breach notification obligations under HIPAA and similar laws. Even if exploitation seems unlikely, the existence of a verified vulnerability that allows PHI reads demands that agencies assess their exposure and act defensively. The longer vulnerable devices remain in service, the greater the regulatory and reputational risk.

Operational continuity. Many EMS workflows depend on ePCR tools for real-time patient documentation. The vendor decommissioned the ZOLL ePCR iOS application in May 2025 and stated it has no current plans to offer a replacement. Agencies cannot simply apply a patch; they must migrate to a supported platform. That transition must be planned carefully to avoid gaps in documentation during emergency responses.

Device hygiene. Because the vulnerability allows reading of locally cached files, any device that ever ran the app — even if later uninstalled — could retain sensitive data in its backups or caches. That means standard uninstallation is not enough. Agencies must sanitize devices thoroughly to eliminate residual PHI.

How We Got Here

ZOLL ePCR has been a staple in many EMS documentation suites, used on mobile devices to capture scene and patient data and sync it with back-end systems. Like many medical apps, it relied on WebView for rendering certain content. Without proper input neutralization, however, this design choice opened the door to cross-site scripting–like attacks that can escape the browser context and access local files.

The vulnerability was reported by researcher Bryan Riggins and eventually made its way through responsible disclosure to CISA, which published the advisory as part of its ongoing effort to harden medical devices and industrial control systems. The timeline reveals a difficult situation: the app was decommissioned in May 2025, well before the advisory’s February 2026 publication. It is unclear whether ZOLL was aware of the flaw when it decided to retire the product, but the end result is that users are left with only mitigations — not a fix.

Action Plan: 7 Steps for EMS and IT Teams

Agencies that have used or still host ZOLL ePCR iOS 2.6.7 should take these steps immediately.

1. Inventory every device. Use Mobile Device Management (MDM) and endpoint management tools to find all iPads and iPhones that have the app installed, including shared devices, loaners, and backup units.

2. Isolate affected devices from sensitive networks. Move devices running the app to a dedicated management VLAN or take them offline entirely. Do not let them connect to networks that carry PHI or critical enterprise systems.

3. Uninstall the app, or restrict it tightly. Remove the application through MDM. If an immediate uninstall would disrupt patient care, configure MDM policies to block the app’s file access and prevent it from rendering PCR content until it can be removed.

4. Sanitize caches and backups. Wipe all app-related caches on the device and encrypt the entire storage. Purge any iTunes, iCloud, or enterprise backups that may contain cached ePCR data. This is essential even for devices from which the app has already been removed.

5. Plan migration to a supported ePCR platform. Contact ZOLL Support for guidance on decommissioning procedures and ask about recommended alternatives. Coordinate with billing and hospital interface teams to ensure a smooth handover. The goal is to keep documentation flowing without relying on the vulnerable app.

6. Harden data ingestion pathways. Review how PCR fields are populated in your environment. If they come from dispatch integrations, third-party feeds, or manual entry, validate and neutralize any text that could be interpreted as HTML/JavaScript before it reaches a rendering component. Apply strict content security policies (CSPs) to any future ePCR clients that use web rendering.

7. Monitor and report. Search logs and field data for unusual string patterns that might indicate attempted exploitation. If you find evidence of a breach, activate your incident response plan and meet all notification requirements.

These steps align with CISA’s longstanding guidance for medical and control-system devices: minimize network exposure, isolate clinical systems behind firewalls, use secure remote access (VPN with up-to-date patches), and conduct a proper risk assessment before deploying countermeasures.

Outlook

The ZOLL ePCR vulnerability is a stark reminder that medical apps demand the same rigorous input handling as any web-facing software — even when they run exclusively on local devices. For healthcare IT buyers, the incident underscores the need to demand clear lifecycle commitments and secure coding practices from vendors. Decommissioning a product without a clear migration path can leave critical workflows stranded, and when that product handles PHI, the stakes are dangerously high.

Agencies should treat this as a case study for future procurements: require vendors to disclose WebView usage, mandate output encoding and content security policies, and build network segmentation into device deployment plans from day one. The current generation of ePCR tools is only as secure as the weakest link in the rendering pipeline. Fixing that link before an advisory is published remains the best defense.