CVE-2025-10350 is an SQL Injection vulnerability classified under CWE-89 affecting the imageserver module of CGM NETRAAD software versions before 7.9.0. The flaw occurs when the imageserver improperly sanitizes input in C-FIND queries, which are part of the DICOM protocol used in PACS (Picture Archiving and Communication Systems) for querying medical imaging data. An attacker connected to the PACS network with low privileges can craft malicious C-FIND requests that inject SQL commands, allowing unauthorized access to the underlying database. This database contains sensitive patient imaging data and information processed by CGM CLININET software, which is integrated with NETRAAD. The vulnerability does not require user interaction but does require the attacker to have network access to the PACS environment and some level of privileges (low). The CVSS 4.0 vector indicates attack vector as adjacent network (AV:A), low attack complexity (AC:L), privileges required (PR:L), no user interaction (UI:N), and high impact on confidentiality, integrity, and availability (C:H, I:H, A:L). Although no exploits have been reported in the wild, the vulnerability poses a significant risk due to the sensitive nature of healthcare data and the critical role of PACS in medical workflows. The lack of available patches at the time of reporting necessitates immediate compensating controls.

The exploitation of this SQL Injection vulnerability can lead to unauthorized disclosure, modification, or deletion of sensitive medical imaging data stored in the CGM NETRAAD database. This compromises patient confidentiality and can disrupt clinical operations by affecting data integrity and availability. Attackers could potentially escalate privileges or pivot to other systems within the healthcare network, increasing the scope of impact. Given the critical role of PACS in diagnostics and treatment, any disruption or data breach can have severe consequences on patient care and regulatory compliance. Healthcare organizations worldwide using CGM NETRAAD are at risk of data breaches, reputational damage, legal penalties, and operational downtime.

1. Immediately upgrade CGM NETRAAD to version 7.9.0 or later once available to apply the official patch addressing this vulnerability. 2. Until patching is possible, implement strict network segmentation to isolate PACS systems from general network access, limiting exposure to trusted personnel only. 3. Employ network-level access controls and monitoring to detect and block anomalous C-FIND queries or unusual database access patterns. 4. Conduct regular audits of PACS logs to identify suspicious activity indicative of SQL Injection attempts. 5. Use Web Application Firewalls (WAFs) or database activity monitoring tools capable of detecting and blocking SQL Injection payloads targeting the imageserver module. 6. Enforce the principle of least privilege for all PACS users and services to minimize the impact of compromised credentials. 7. Coordinate with CGM support for any interim mitigation guidance and monitor for updates or exploit disclosures.