| CVE ID | CVE-2025-10350 |
| Publication date | 02 March 2026 |
| Vendor | CGM |
| Product | CGM NETRAAD |
| Vulnerable versions | All before 7.9.0 |
| Vulnerability type (CWE) | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') (CWE-89) |
| Report source | Report to CERT Polska |

| CVE ID | CVE-2025-30035 |
| Publication date | 02 March 2026 |
| Vendor | CGM |
| Product | CGM CLININET |
| Vulnerable versions | All before 2025.MS4 |
| Vulnerability type (CWE) | Missing Authentication for Critical Function (CWE-306) |
| Report source | Report to CERT Polska |

| CVE ID | CVE-2025-30042 |
| Publication date | 02 March 2026 |
| Vendor | CGM |
| Product | CGM CLININET |
| Vulnerable versions | All before 2025.MS2 |
| Vulnerability type (CWE) | Use of Client-Side Authentication (CWE-603) |
| Report source | Report to CERT Polska |

| CVE ID | CVE-2025-30044 |
| Publication date | 02 March 2026 |
| Vendor | CGM |
| Product | CGM CLININET |
| Vulnerable versions | All before 2025.MS2 |
| Vulnerability type (CWE) | Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') (CWE-78) |
| Report source | Report to CERT Polska |

| CVE ID | CVE-2025-30062 |
| Publication date | 02 March 2026 |
| Vendor | CGM |
| Product | CGM CLININET |
| Vulnerable versions | All before 2025.MS2 |
| Vulnerability type (CWE) | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') (CWE-89) |
| Report source | Report to CERT Polska |

| CVE ID | CVE-2025-58402 |
| Publication date | 02 March 2026 |
| Vendor | CGM |
| Product | CGM CLININET |
| Vulnerable versions | All before 2025.MS4 |
| Vulnerability type (CWE) | Authorization Bypass Through User-Controlled Key (CWE-639) |
| Report source | Report to CERT Polska |

| CVE ID | CVE-2025-58405 |
| Publication date | 02 March 2026 |
| Vendor | CGM |
| Product | CGM CLININET |
| Vulnerable versions | All before 2025.MS3 |
| Vulnerability type (CWE) | Improper Restriction of Rendered UI Layers or Frames (CWE-1021) |
| Report source | Report to CERT Polska |

| CVE ID | CVE-2025-58406 |
| Publication date | 02 March 2026 |
| Vendor | CGM |
| Product | CGM CLININET |
| Vulnerable versions | All before 2025.MS3 |
| Vulnerability type (CWE) | Protection Mechanism Failure (CWE-693) |
| Report source | Report to CERT Polska |
Description
CERT Polska has received reports about 8 vulnerabilities in CGM CLININET and CGM NETRAAD software and participated in coordination of their disclosure.
The vulnerability CVE-2025-10350: SQL injection in the imageserver module of CGM NETRAAD when processing C-FIND queries allows an attacker connected to the PACS to gain access to the database, including data processed by CGM CLININET. This issue affects CGM NETRAAD with the imageserver module in versions before 7.9.0.
The vulnerability CVE-2025-30035: an attacker can fully bypass authentication in CGM CLININET and gain access to any active user account by supplying only the username, without a password or any other credential. Obtaining a session ID is sufficient for session takeover and grants access to the system with the privileges of the targeted user.
The vulnerability CVE-2025-30042: CGM CLININET offers smart card authentication, but the check is performed locally on the client device and, in practice, only the certificate number is used to verify access. Possession of the certificate number alone is therefore sufficient to authenticate, regardless of whether the smart card is actually present or the private key is held.
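The two authentication findings above (CVE-2025-30035 and CVE-2025-30042) share one root cause: the server accepts an identifier (a username, a certificate number) or the client's own report of a local check as proof of identity. The added example below is illustrative code written for this page, not CGM's implementation; it shows both weak shapes beside a server-side challenge/response in which the client must prove possession of the key registered for that certificate. The registry, card and key material are constructed, and HMAC-SHA256 with a per-card secret stands in for the card's private-key signature so the example runs on the standard library; a real server would verify an RSA/ECDSA signature over the nonce with the public key from the registered certificate.

```python
import hashlib
import hmac
import secrets


class SmartCard:
    """Stand-in for a card that proves possession of its key by signing a challenge.

    Assumption: HMAC-SHA256 with a per-card secret replaces the card's private-key
    signature so this runs on the standard library alone.
    """

    def __init__(self, cert_number, key):
        self.cert_number = cert_number
        self._key = key

    def sign(self, challenge):
        return hmac.new(self._key, challenge, hashlib.sha256).digest()


class AuthServer:
    def __init__(self, registry):
        # Constructed registry: certificate number -> (username, verification key).
        self._registry = registry
        self._pending = {}      # cert_number -> outstanding single-use nonce
        self.sessions = {}      # session id -> username

    def _new_session(self, username):
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = username
        return sid

    # --- weak shapes the advisory describes (illustrative, not CGM's code) ---

    def login_username_only(self, username):
        # CWE-306 shape: identity is asserted, nothing is verified.
        return self._new_session(username)

    def login_client_verified(self, cert_number, client_says_card_present):
        # CWE-603 shape: the server trusts the client's report of its own local check,
        # so the certificate number is the only thing really being compared.
        if client_says_card_present and cert_number in self._registry:
            return self._new_session(self._registry[cert_number][0])
        return None

    # --- hardened flow: server-side challenge/response bound to the registered key ---

    def challenge(self, cert_number):
        if cert_number not in self._registry:
            return None
        nonce = secrets.token_bytes(32)
        self._pending[cert_number] = nonce
        return nonce

    def login_with_proof(self, cert_number, signature):
        nonce = self._pending.pop(cert_number, None)   # one nonce, one attempt: no replay
        if nonce is None:
            return None
        username, key = self._registry[cert_number]
        expected = hmac.new(key, nonce, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, signature):
            return None
        return self._new_session(username)
```

The decisive property is that `login_with_proof` derives the expected value from the key the server registered for that certificate, never from anything the client sends; knowing the certificate number only lets an attacker request a nonce they cannot answer, and a captured answer is useless once its nonce has been consumed.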
The vulnerability CVE-2025-30044: in CGM CLININET, the endpoints /cgi-bin/CliniNET.prd/utils/usrlogstat_simple.pl, /cgi-bin/CliniNET.prd/utils/usrlogstat.pl, /cgi-bin/CliniNET.prd/utils/userlogstat2.pl and /cgi-bin/CliniNET.prd/utils/dblogstat.pl do not sufficiently normalize their parameters, which enables OS command injection.
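The log-statistics endpoints named above take a parameter and run a command over a log; the added example below, written for this page and not taken from CGM's code, shows the shape of that mistake and its fix in Python. The log file, its format and the username policy are constructed assumptions; the example needs a POSIX shell and `grep`.

```python
import os
import re
import subprocess
import tempfile

# Constructed sample login log (not a CLININET file) for the two functions below.
SAMPLE_LOG = (
    "2026-03-02 08:00:01 login user=alice\n"
    "2026-03-02 08:05:12 login user=bob\n"
    "2026-03-02 08:07:40 login user=alice\n"
)
USERNAME_RE = re.compile(r"^[A-Za-z0-9._-]{1,64}$")   # assumed username policy


def write_sample_log():
    fd, path = tempfile.mkstemp(suffix=".log")
    with os.fdopen(fd, "w") as fh:
        fh.write(SAMPLE_LOG)
    return path


def login_count_vulnerable(log_path, user):
    # CWE-78 shape: the CGI parameter is pasted into a command line that a shell parses,
    # so a quote and ';' in the value end the intended command and start another one.
    cmd = f"grep -c 'user={user}' {log_path}"
    proc = subprocess.run(cmd, shell=True, capture_output=True, text=True,
                          stdin=subprocess.DEVNULL)
    return proc.stdout


def login_count_fixed(log_path, user):
    # Allow-list the parameter, then pass it as its own argv element: no shell is involved,
    # -F makes grep treat it as a fixed string and '--' stops it being read as an option.
    if not USERNAME_RE.fullmatch(user):
        raise ValueError("invalid username")
    proc = subprocess.run(
        ["grep", "-c", "-F", "--", f"user={user}", log_path],
        capture_output=True, text=True, stdin=subprocess.DEVNULL,
    )
    return int(proc.stdout.strip() or 0)
```

Feeding `alice'; echo INJECTED; echo '` to the vulnerable function makes the shell run three commands and the word `INJECTED` appears in the output; the fixed function rejects the same value before any process is started, and even a value that slipped past the allow-list could only ever be a search string, never a command.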
The vulnerability CVE-2025-30062: in CGM CLININET, the validateOrgUnit function of the CheckUnitCodeAndKey.pl service is vulnerable to SQL injection.
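Both SQL injection findings on this page (CVE-2025-10350 in C-FIND handling and CVE-2025-30062 in an org-unit check) come down to splicing a caller-supplied value into SQL text. The added example below is illustrative code written for this page, not CGM's schema or queries: it uses an in-memory SQLite index with constructed rows, shows a C-FIND style name lookup and a unit code/key check in their vulnerable and parameterized forms, and also translates DICOM wildcards (`*`, `?`) into a bound `LIKE` pattern, since that translation is where PACS code is tempted to build SQL by hand.

```python
import sqlite3


def build_index():
    """Constructed sample index standing in for the study and org-unit tables;
    not CGM's schema."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE study (patient_id TEXT, patient_name TEXT, modality TEXT)")
    conn.executemany("INSERT INTO study VALUES (?, ?, ?)", [
        ("P001", "DOE^JOHN", "CT"),
        ("P002", "ROE^JANE", "MR"),
        ("P003", "DOE_ANNA", "US"),
    ])
    conn.execute("CREATE TABLE org_unit (code TEXT, unit_key TEXT)")
    conn.execute("INSERT INTO org_unit VALUES ('RAD', 'correct-key')")
    return conn


def dicom_wildcard_to_like(value):
    """Translate DICOM matching-key wildcards ('*' any string, '?' one character) to LIKE.
    LIKE's own metacharacters are escaped first so a literal % or _ cannot widen the match."""
    out = value.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")
    return out.replace("*", "%").replace("?", "_")


def find_by_name_vulnerable(conn, patient_name):
    # CWE-89 shape: the C-FIND matching key becomes part of the SQL text.
    sql = f"SELECT patient_id, patient_name FROM study WHERE patient_name LIKE '{patient_name.replace('*', '%')}'"
    return conn.execute(sql).fetchall()


def find_by_name_fixed(conn, patient_name):
    # Bound parameter: the key decides which rows match, never the statement's structure.
    return conn.execute(
        "SELECT patient_id, patient_name FROM study WHERE patient_name LIKE ? ESCAPE '\\'",
        (dicom_wildcard_to_like(patient_name),),
    ).fetchall()


def validate_org_unit_vulnerable(conn, code, unit_key):
    # A quote in the code closes the literal and '--' comments out the key check.
    sql = f"SELECT 1 FROM org_unit WHERE code = '{code}' AND unit_key = '{unit_key}'"
    return conn.execute(sql).fetchone() is not None


def validate_org_unit_fixed(conn, code, unit_key):
    row = conn.execute(
        "SELECT 1 FROM org_unit WHERE code = ? AND unit_key = ?", (code, unit_key)
    ).fetchone()
    return row is not None
```

With the payload `' OR '1'='1` the vulnerable lookup returns every study, and the unit check accepts `RAD' --` with any key; the parameterized versions return nothing for the first and reject the second, while legitimate wildcard queries such as `DOE^*` still work.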
The vulnerability CVE-2025-58402: CGM CLININET uses direct, sequential object identifiers (MessageID) without proper authorization checks. By modifying this parameter in a GET request, an attacker can access messages and attachments belonging to other users.
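The fix for a user-controlled key (CWE-639) is to bind every lookup to the identity held in the server-side session, not to make identifiers harder to guess; opaque identifiers only remove the easy enumeration. The added example below is illustrative code written for this page, not CLININET's data model or handler: an in-memory message store with constructed entries, a handler for `GET ...?MessageID=<id>`, and the unchecked lookup beside the checked one.

```python
import secrets
from urllib.parse import parse_qs


class MessageStore:
    """Constructed in-memory message store; not CLININET's data model."""

    def __init__(self):
        self._messages = {}   # message id -> {"owner", "body", "attachments"}
        self._seq = 0

    def create(self, owner, body, attachments=(), opaque_ids=True):
        if opaque_ids:
            # Unguessable id: removes the enumeration that sequential ids invite.
            mid = secrets.token_urlsafe(16)
        else:
            self._seq += 1
            mid = str(self._seq)
        self._messages[mid] = {"owner": owner, "body": body, "attachments": list(attachments)}
        return mid

    def get_unchecked(self, message_id):
        # CWE-639 shape: the id from the request is the only thing consulted.
        return self._messages.get(message_id)

    def get_for_user(self, session_user, message_id):
        msg = self._messages.get(message_id)
        if msg is None or msg["owner"] != session_user:
            # One answer for "does not exist" and "not yours": no oracle for enumeration.
            return None
        return msg


def handle_get_message(store, session_user, query_string):
    """Handler for GET ...?MessageID=<id>. session_user comes from the server-side
    session, never from the request; returns (status, message or None)."""
    params = parse_qs(query_string)
    message_id = params.get("MessageID", [None])[0]
    if message_id is None:
        return 400, None
    msg = store.get_for_user(session_user, message_id)
    if msg is None:
        return 404, None
    return 200, msg
```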
The vulnerability CVE-2025-58405: CGM CLININET implements no mechanism that prevents clickjacking; neither HTTP security headers nor HTML-based frame-busting protections were detected. As a result, an attacker can embed the application inside a maliciously crafted IFRAME and trick users into performing unintended actions, potentially including bypassing CSRF/XSRF defenses.
The vulnerability CVE-2025-58406: CGM CLININET responds without essential security HTTP headers, exposing users to client-side attacks such as clickjacking, MIME sniffing, unsafe caching, weak cross-origin isolation, and missing transport security controls.
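Both header findings (CVE-2025-58405 and CVE-2025-58406) are fixed in one place: a layer in front of the application that adds the missing response headers. The added example below is illustrative code written for this page, not CGM's code; it maps each weakness the advisory names to a header, applies them through a WSGI middleware over a constructed stand-in application, leaves any header the application set itself untouched, and sends Strict-Transport-Security only on TLS responses, where it is meaningful. The header values are the usual conservative defaults and are assumptions, not settings taken from the product.

```python
# Each entry answers one weakness named in the advisory (values are assumed defaults).
SECURITY_HEADERS = [
    ("Content-Security-Policy", "frame-ancestors 'none'"),   # clickjacking (CWE-1021)
    ("X-Frame-Options", "DENY"),                             # clickjacking, older browsers
    ("X-Content-Type-Options", "nosniff"),                   # MIME sniffing
    ("Cache-Control", "no-store"),                           # no caching of patient data
    ("Cross-Origin-Opener-Policy", "same-origin"),           # cross-origin isolation
    ("Cross-Origin-Resource-Policy", "same-origin"),
    ("Referrer-Policy", "no-referrer"),
]
HSTS = ("Strict-Transport-Security", "max-age=31536000; includeSubDomains")  # transport security


def add_security_headers(headers, https):
    """Return headers plus any security header the application did not set itself."""
    present = {name.lower() for name, _ in headers}
    wanted = SECURITY_HEADERS + ([HSTS] if https else [])   # HSTS only makes sense over TLS
    return list(headers) + [(n, v) for n, v in wanted if n.lower() not in present]


def security_headers_middleware(app):
    """WSGI middleware: every response passes through add_security_headers."""
    def wrapped(environ, start_response):
        https = environ.get("wsgi.url_scheme") == "https"

        def start(status, headers, exc_info=None):
            return start_response(status, add_security_headers(headers, https), exc_info)

        return app(environ, start)
    return wrapped


def demo_app(environ, start_response):
    # Constructed stand-in for the application: sets no security headers at all.
    start_response("200 OK", [("Content-Type", "text/html; charset=utf-8")])
    return [b"<html><body>patient record</body></html>"]


def run_request(app, scheme="https"):
    """Drive a WSGI app in-process; returns (status, {header: value}, body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, headers

    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": "/", "wsgi.url_scheme": scheme}
    body = b"".join(app(environ, start_response))
    return captured["status"], dict(captured["headers"]), body
```

`frame-ancestors 'none'` is the current control against framing and `X-Frame-Options: DENY` covers older browsers; sending both is harmless. Header-level protection is also the only reliable one for CWE-1021, since script-based frame-busting can be defeated by the framing page.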
Credits
We thank Maciej Kazulak for the responsible report of CVE-2025-10350, CVE-2025-30035, CVE-2025-30042, CVE-2025-30044 and CVE-2025-30062 vulnerabilities.
More about the coordinated vulnerability disclosure process at CERT Polska can be found at https://cert.pl/en/cvd/.