CVE-2024-50590 is a vulnerability in the HASOMED Elefant medical office software caused by incorrect default permissions (CWE-276) on its installation directory (C:\Elefant1). This directory is writable by all users, allowing any local user to rename or overwrite two critical Firebird database service binaries: fbserver.exe and fbguard.exe. These services run with NT AUTHORITY\SYSTEM privileges, the highest level on Windows systems. By replacing these executables with malicious binaries and rebooting the system, an attacker can execute arbitrary code with SYSTEM privileges, effectively escalating their privileges from a standard user to full system control. The vulnerability also relates to CWE-732 (incorrect permissions on critical resources) and CWE-250 (execution with unnecessary privileges). The attack vector requires local access and low complexity but no user interaction. The CVSS v3.1 score is 7.8, reflecting high impact on confidentiality, integrity, and availability. The vulnerability affects Elefant versions prior to 24.04.00. No patches or exploits are currently publicly available, but the risk is significant given the sensitive nature of medical data and the criticality of the affected services.

For European organizations, particularly healthcare providers using HASOMED Elefant, this vulnerability poses a severe risk. Exploitation allows attackers with local access to gain SYSTEM-level privileges, enabling full control over the affected system. This can lead to unauthorized access to sensitive patient data, modification or deletion of medical records, disruption of healthcare services, and potential ransomware deployment. The compromise of medical office systems can have cascading effects on patient care and regulatory compliance, including violations of GDPR due to data breaches. The vulnerability’s ease of exploitation from local access means insider threats or attackers who gain initial footholds via phishing or other means could escalate privileges rapidly. The impact on availability is also critical, as restarting services or systems with malicious binaries can cause downtime. Overall, the vulnerability threatens confidentiality, integrity, and availability of critical healthcare IT infrastructure in Europe.

Immediate mitigation steps include restricting permissions on the Elefant installation directory (C:\Elefant1) to prevent write access by non-administrative users. Administrators should verify and correct ACLs to ensure only trusted accounts can modify service binaries. Monitoring file integrity of fbserver.exe and fbguard.exe with host-based intrusion detection systems can detect unauthorized changes. Until a vendor patch is available, consider isolating affected systems to limit local access and enforce strict user account controls and least privilege principles. Regularly audit local user accounts and remove unnecessary privileges. Implement endpoint protection solutions capable of detecting suspicious file modifications or service restarts. Once HASOMED releases a patch, promptly apply it to eliminate the vulnerability. Additionally, educate staff about the risks of local access and maintain robust physical security controls to prevent unauthorized access to medical office computers.