CVE-2021-35387 is a high-severity SQL Injection vulnerability identified in Hospital Management System version 4.0, specifically within the file hospital/hms/admin/view-patient.php. SQL Injection (CWE-89) vulnerabilities occur when untrusted input is improperly sanitized and directly incorporated into SQL queries, allowing attackers to manipulate the database queries executed by the application. In this case, the vulnerability allows an attacker with at least some level of privileges (PR:L - Privileges Required: Low) to execute arbitrary SQL commands remotely (AV:N - Attack Vector: Network) without requiring user interaction (UI:N). The vulnerability affects confidentiality, integrity, and availability (C:H/I:H/A:H) of the system, meaning an attacker could exfiltrate sensitive patient data, modify or delete records, or disrupt system operations. The CVSS 3.1 base score is 8.8, reflecting the high impact and relatively low complexity of exploitation. Although no known exploits are currently reported in the wild, the presence of this vulnerability in a hospital management system is critical due to the sensitivity of healthcare data and the essential nature of healthcare services. The lack of vendor or product details and absence of available patches increases the risk, as organizations may be unaware or unable to remediate promptly. The vulnerability was reserved in June 2021 and published in October 2022, indicating it has been known for some time, but the absence of patch links suggests remediation may not be widely available or communicated yet.

For European organizations, particularly healthcare providers using Hospital Management System v4.0 or similar vulnerable platforms, this vulnerability poses a significant risk. Exploitation could lead to unauthorized access to sensitive patient health information, violating GDPR and other data protection regulations, resulting in legal and financial penalties. Data integrity could be compromised, leading to incorrect patient records, which may cause medical errors and endanger patient safety. Availability impacts could disrupt hospital operations, delaying critical care and emergency responses. The reputational damage from a breach could erode patient trust and lead to long-term financial consequences. Given the critical role of healthcare infrastructure in Europe and the increasing targeting of healthcare by cybercriminals and nation-state actors, this vulnerability could be leveraged in targeted attacks or ransomware campaigns. The lack of known exploits does not diminish the urgency, as attackers may develop exploits given the publicly available vulnerability details.

European healthcare organizations should immediately conduct an inventory to identify any deployments of Hospital Management System v4.0 or related vulnerable software components. Since no official patches are currently linked, organizations should implement compensating controls such as: 1) Applying strict input validation and parameterized queries or prepared statements in the affected application code to prevent SQL Injection. 2) Employing Web Application Firewalls (WAFs) configured to detect and block SQL Injection attempts targeting the vulnerable endpoint. 3) Restricting access to the admin/view-patient.php page to trusted IP addresses and enforcing strong authentication and authorization controls to limit privilege escalation. 4) Monitoring database and application logs for unusual query patterns or access anomalies indicative of exploitation attempts. 5) Segmentation of the hospital network to isolate critical systems and minimize lateral movement in case of compromise. 6) Engaging with the software vendor or community to obtain or develop patches or updates. Additionally, organizations should review and enhance incident response plans to quickly address potential exploitation scenarios.