Report an incident
Back
  • About us
  • For experts
Report an incident
About us
About our team Contact
Baza wiedzy
Fałszywe inwestycje Uważaj na fałszywe sklepy online (Nie)bezpieczne płatności Fałszywi konsultanci Zadbaj o bezpieczne hasła i logowanie Fałszywe załączniki w mailach Fałszywe prośby o szybki przelew Fałszywe SMSy - plaga ostatnich miesięcy Bezpieczny telefon
Biuletyn OUCH!
Porady bezpieczeństwa OUCH!
Projects
n6 Artemis MWDB
CVD program
CVD policy Advisories

Vulnerability in Asseco Poland mMedica software
28 October 2025 | CERT Polska | #vulnerability, #warning, #cve
CVE ID CVE-2025-9313
Publication date 28 October 2025
Vendor Asseco Poland S.A.
Product mMedica
Vulnerable versions All before 11.9.5
Vulnerability type (CWE) Authentication Bypass Using an Alternate Path or Channel (CWE-288)
Report source Report to CERT Polska

Description

CERT Polska has received a report about vulnerability in Asseco Poland S.A. mMedica software and participated in coordination of its disclosure.

The vulnerability CVE-2025-9313: An unauthenticated user can connect to a publicly accessible database using arbitrary credentials. The system grants full access to the database by leveraging a previously authenticated connection through a mmBackup application. This flaw allows attackers to bypass authentication mechanisms and gain unauthorized access to database with sensitive data.

This issue has been resolved in Asseco mMedica version 11.9.5, all versions before are vulnerable.

Vendor recommends updating the system immediately.

More about the coordinated vulnerability disclosure process at CERT Polska can be found at https://cert.pl/en/cvd/.