Full Report
CERT Polska has received reports about 8 vulnerabilities found in CGM CLININET and CGM NETRAAD software.
Analysis Summary
# Vulnerability: Multiple Flaws in CGM CLININET and CGM NETRAAD
## CVE Details
- **CVE-2025-10350**: SQL Injection (CWE-89) | Score: not provided in the advisory (critical-level impact)
- **CVE-2025-30035**: Missing Authentication for Critical Function (CWE-306)
- **CVE-2025-30042**: Use of Client-Side Authentication (CWE-603)
- **CVE-2025-30044**: OS Command Injection (CWE-78)
- **CVE-2025-30062**: SQL Injection (CWE-89)
- **CVE-2025-58402**: IDOR / Authorization Bypass via User-Controlled Key (CWE-639)
- **CVE-2025-58405**: Missing Clickjacking Protection (CWE-1021)
- **CVE-2025-58406**: Missing HTTP Security Headers (CWE-693)
## Affected Systems
- **Products**: CGM CLININET and CGM NETRAAD
- **Versions**:
  - **NETRAAD**: All versions before 7.9.0
  - **CLININET**: All versions before 2025.MS4 (specific flaws patched in MS2 and MS3 as noted below)
- **Configurations**: Systems using the `imageserver` module (NETRAAD) or smart card authentication (CLININET).
## Vulnerability Description
This advisory covers 8 distinct vulnerabilities ranging from injection flaws to broken authentication:
- **Injection Flaws**: SQL Injection exists in NETRAAD's `imageserver` C-FIND queries and CLININET's `CheckUnitCodeAndKey.pl`. OS Command Injection exists in several `.pl` utility endpoints in CLININET due to insufficient parameter normalization.
- **Authentication/Authorization**: One flaw allows administrative password changes without current passwords; another permits access via smart card certificate numbers without the physical card or private key. Additionally, an Insecure Direct Object Reference (IDOR) allows users to view others' messages by modifying `MessageID`.
- **UI/Web Security**: Lack of security headers (X-Frame-Options, etc.) makes the application susceptible to clickjacking and MIME sniffing.
## Exploitation
- **Status**: Not currently reported as exploited in the wild; no public PoC provided in the advisory.
- **Complexity**: Low to Medium (many flaws involve simple parameter manipulation).
- **Attack Vector**: Network (Remote).
## Impact
- **Confidentiality**: **High** - Unauthorized access to medical databases, messages, and attachments.
- **Integrity**: **High** - Ability to run OS commands and modify administrative passwords.
- **Availability**: **High** - Potential for database disruption or system-level compromise.
## Remediation
### Patches
Users should update to the following versions or newer:
- **CGM NETRAAD**: Version **7.9.0**
- **CGM CLININET**:
  - Version **2025.MS2** (patches CVE-2025-30042, CVE-2025-30044, CVE-2025-30062)
  - Version **2025.MS3** (patches CVE-2025-58405, CVE-2025-58406)
  - Version **2025.MS4** (patches CVE-2025-30035, CVE-2025-58402)
### Workarounds
No specific workarounds were provided. Immediate patching is recommended given the critical nature of medical data handled by these systems.
## Detection
- **Indicators of Compromise**:
  - Unusual SQL syntax in logs related to `imageserver` or `CheckUnitCodeAndKey.pl`.
  - Unexpected administrative password change events.
  - Sequential access of `MessageID` parameters in web server access logs.
- **Detection methods**: Audit web server logs for calls to `/cgi-bin/CliniNET.prd/utils/` containing shell metacharacters.
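The two log-based indicators above (shell metacharacters in requests under the CLININET utils path, and a client walking consecutive `MessageID` values) can be checked with a small log pass. The following is an added example, not code from the advisory or the vendor; the Common Log Format layout, the endpoint names `export.pl` and `messages.pl`, and the log lines themselves are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, unquote, urlsplit

# Common Log Format: client ident user [time] "METHOD target PROTO" status size
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})')
UTILS_PREFIX = "/cgi-bin/CliniNET.prd/utils/"   # path named in the advisory's detection section
SHELL_META = set(";|&`$<>")                     # never legitimate inside a single parameter value

def shell_meta_hits(entries):
    """Requests under the utils path whose decoded parameter values carry shell metacharacters."""
    hits = []
    for e in entries:
        parts = urlsplit(e["target"])
        if parts.path.startswith(UTILS_PREFIX):
            for key, values in parse_qs(parts.query, keep_blank_values=True).items():
                for v in values:
                    v = unquote(v)  # parse_qs decoded once; a second pass catches double-encoding
                    if any(c in SHELL_META for c in v):
                        hits.append((e["ip"], parts.path, key, v))
    return hits

def sequential_message_ids(entries, min_run=3):
    """Clients whose MessageID values form a run of consecutive integers (IDOR enumeration)."""
    per_client = defaultdict(list)
    for e in entries:
        q = parse_qs(urlsplit(e["target"]).query)
        if q.get("MessageID", [""])[0].isdigit():
            per_client[e["ip"]].append(int(q["MessageID"][0]))
    flagged = {}
    for ip, ids in per_client.items():
        run = best = 1
        for prev, cur in zip(ids, ids[1:]):
            run = run + 1 if cur == prev + 1 else 1
            best = max(best, run)
        if best >= min_run:
            flagged[ip] = best
    return flagged

def scan(lines):
    # Unparseable lines are skipped; both indicator checks run over the parsed entries.
    entries = [m.groupdict() for m in map(LOG_RE.match, lines) if m]
    return {"shell_meta": shell_meta_hits(entries), "id_runs": sequential_message_ids(entries)}

SAMPLE_LOG = [  # constructed sample lines; export.pl and messages.pl are hypothetical endpoint names
    '10.0.0.5 - - [01/Mar/2026:10:00:01 +0100] "GET /cgi-bin/CliniNET.prd/utils/export.pl?code=ABC123 HTTP/1.1" 200 512',
    '10.0.0.5 - - [01/Mar/2026:10:00:02 +0100] "GET /cgi-bin/CliniNET.prd/utils/export.pl?code=ABC%3Btrue HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Mar/2026:10:01:00 +0100] "GET /cgi-bin/CliniNET.prd/messages.pl?MessageID=1001 HTTP/1.1" 200 900',
    '10.0.0.9 - - [01/Mar/2026:10:01:01 +0100] "GET /cgi-bin/CliniNET.prd/messages.pl?MessageID=1002 HTTP/1.1" 200 900',
    '10.0.0.9 - - [01/Mar/2026:10:01:02 +0100] "GET /cgi-bin/CliniNET.prd/messages.pl?MessageID=1003 HTTP/1.1" 200 900',
]
```

Running `scan(SAMPLE_LOG)` reports the one utils request whose `code` value decodes to contain `;` and the client that read three consecutive `MessageID` values; the benign first request and any non-consecutive reads are not flagged.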
## References
- **CERT Polska Advisory**: [https://cert.pl/en/posts/2026/03/vulnerabilities-in-cgm/](https://cert.pl/en/posts/2026/03/vulnerabilities-in-cgm/)
- **CVE Record**: [https://www.cve.org/CVERecord?id=CVE-2025-10350](https://www.cve.org/CVERecord?id=CVE-2025-10350)
- **CWE Definitions**: [https://cwe.mitre.org/data/definitions/89.html](https://cwe.mitre.org/data/definitions/89.html)