
Positive Technologies expert helps fix vulnerability in Garmin Connect fitness app

Garmin, the maker of smartwatches and navigation devices, has patched a vulnerability in its Garmin Connect fitness tracking app discovered by PT SWARM researcher Artem Kulakov. Owners of nearly 300 different Garmin device models who had installed the app on Android smartphones could have been at risk. If successful, an attacker could have stolen users' health and workout data. That information could potentially be used for further unlawful activity, such as revealing a victim's location.

Garmin Connect is one of the most popular fitness apps: it has been downloaded more than 10 million times from Google Play. Nearly 300 Garmin device models support the app.

The security issue PT-2025-41569 (BDU:2025-08843)[1] has a CVSS 4.0 score of 6.9. The SQL injection vulnerability[2] affected Garmin Connect 5.14. Potential victims included owners of Garmin smartwatches, fitness trackers, bike computers, and GPS handheld navigators.

If successful, an attacker could have gained access to a user's physical characteristics—from weight to heart rate—as well as route information from running and cycling workouts. Such data could be used to physically stalk or coerce the victim or their family, or to deliver targeted advertising based on a user's specific metrics.

[1] The vulnerability has been registered on the dbugs portal, which aggregates data on vulnerabilities in software and hardware from vendors around the world.

[2] A vulnerability that lets an attacker run malicious Structured Query Language (SQL) code to gain unauthorized access to data.

"To exploit this vulnerability, an attacker would first need to develop a malicious application that, once installed on the user's device, could intercept data collected by Garmin Connect. To persuade a victim to install it, the attacker could disguise the malicious app as a game or another seemingly harmless application."

Artem Kulakov, Senior Mobile Application Security Researcher, Positive Technologies

Garmin was notified of the vulnerability under a responsible disclosure policy and has released an update. To remediate the issue, users should update the app to version 5.18 or higher as soon as possible. The Positive Technologies expert also reminded users to download smartphone apps only from official stores to reduce the risk of personal data leaks and other adverse consequences.

This is not the first such issue discovered by Positive Technologies experts. In May 2025, Alexey Solovyov, Head of the Web Application Security Expertise, and Yan Chizhevsky, a specialist in the same department, helped fix multiple flaws in the Russian NetCat CMS, including an SQL injection vulnerability (BDU:2024-06394). Earlier, in the summer of 2024, Alexey Solovyov found similar vulnerabilities in the Pandora FMS infrastructure monitoring software (CVE-2023-44090 and CVE-2023-44091), and in the Cacti monitoring system (CVE-2023-49085; BDU:2024-01113). The vulnerabilities in these three products could have been used as part of an attack chain leading to arbitrary code execution on a server.

SQL injection vulnerabilities can be detected at the product development stage with the help of a static code analysis tool such as PT Application Inspector.

For up-to-date security information, visit the dbugs portal, which aggregates vulnerability data and vendor recommendations for software and hardware from vendors around the world.
