CVE-2025-12921: XML Injection in OpenClinica Community Edition
A vulnerability has been found in OpenClinica Community Edition up to 3.12.2/3.13. Affected by this issue is some unknown functionality of the file /ImportCRFData?action=confirm of the component CRF Data Import. Such manipulation of the argument xml_file leads to xml injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
AI Analysis
Technical Summary
CVE-2025-12921 is a medium-severity XML injection vulnerability identified in OpenClinica Community Edition versions 3.0 through 3.13. The vulnerability resides in the CRF Data Import component, specifically in the /ImportCRFData?action=confirm endpoint. The xml_file parameter, which is intended to accept XML data for importing case report forms (CRFs), lacks sufficient input validation and sanitization, allowing an attacker to inject malicious XML content. This injection can alter the structure or content of the XML data processed by the application, potentially leading to unauthorized data manipulation, corruption of clinical trial data, or disruption of data import workflows. The attack is carried out over the network and needs no user interaction, which increases the risk of exploitation. Despite early notification, the vendor has not issued patches or advisories, leaving systems exposed. The CVSS 4.0 vector indicates low attack complexity (AC:L), low privileges required (PR:L, i.e. a low-privileged authenticated account), no user interaction (UI:N), and partial impact on confidentiality (VC:L) but no impact on integrity or availability. No known exploits are currently observed in the wild, but public disclosure increases the risk of future exploitation. The vulnerability affects a critical component used in clinical research data management, making it a significant concern for organizations relying on OpenClinica for regulatory-compliant data collection and analysis.
Potential Impact
For European organizations, particularly those involved in clinical research, pharmaceutical trials, and healthcare data management, this vulnerability poses a risk to the confidentiality and integrity of sensitive clinical trial data. Successful exploitation could allow attackers to inject malicious XML payloads that manipulate or corrupt case report form data, potentially invalidating research results or causing regulatory compliance issues. Disruption of data import processes could delay clinical trials or lead to erroneous conclusions. Given the sensitive nature of clinical data, breaches could also result in reputational damage and legal consequences under GDPR. The lack of vendor response and patches increases exposure time, raising the likelihood of targeted attacks. Organizations using affected OpenClinica versions without compensating controls are particularly vulnerable. The impact extends to research institutions, contract research organizations (CROs), and healthcare providers across Europe that rely on OpenClinica for data collection and management.
Mitigation Recommendations
1. Immediately restrict network access to the /ImportCRFData?action=confirm endpoint using firewalls or application-layer access controls to limit exposure to trusted IPs or internal networks only.
2. Implement strict input validation and XML schema validation on all incoming XML data to ensure only well-formed and expected XML structures are processed.
3. Employ XML parsing libraries with secure configurations that disable external entity processing and other risky XML features to prevent injection attacks.
4. Monitor application logs and import activities for unusual or malformed XML submissions that could indicate exploitation attempts.
5. If feasible, upgrade to a newer OpenClinica version or apply vendor patches once available.
6. Consider deploying Web Application Firewalls (WAFs) with custom rules to detect and block XML injection patterns targeting the vulnerable endpoint.
7. Conduct security awareness and training for staff managing clinical data imports to recognize suspicious activities.
8. Engage with the OpenClinica community or vendors to advocate for timely patch releases and share threat intelligence.
9. As a temporary measure, disable or limit the use of the CRF Data Import feature if it is not critical to operations.
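Recommendations 2 and 3 above describe the parser-side controls: validate the submitted document against the structure the import actually expects, and disable DTD and entity processing. The following is an added example of such a hardened XML intake, written for this page; it is not OpenClinica's code and does not reproduce the vulnerable endpoint. It uses only the Python standard library's expat bindings. The element allowlist (ODM, ClinicalData, SubjectData, FormData, ItemData and their attributes), the size and depth limits, and the sample submissions are all constructed assumptions; a real deployment would derive the allowlist from the CRF/ODM schema it accepts.

```python
import xml.parsers.expat as expat


class RejectedXML(ValueError):
    """The submitted document violates the import policy."""


# Constructed allowlist for this example: element -> (permitted attributes,
# permitted child elements). A real deployment would derive this from the
# CRF/ODM schema it actually accepts; the element names here are assumptions.
ALLOWED = {
    "ODM":          ({"xmlns", "ODMVersion"}, {"ClinicalData"}),
    "ClinicalData": ({"StudyOID"},            {"SubjectData"}),
    "SubjectData":  ({"SubjectKey"},          {"FormData"}),
    "FormData":     ({"FormOID"},             {"ItemData"}),
    "ItemData":     ({"ItemOID", "Value"},    set()),
}
ROOT_TAG = "ODM"
MAX_BYTES, MAX_DEPTH, MAX_ELEMENTS = 1_000_000, 8, 10_000


def parse_crf_import(xml_bytes: bytes) -> dict:
    """Parse an uploaded document into a plain dict tree, refusing anything
    the policy does not explicitly allow (fail closed)."""
    if len(xml_bytes) > MAX_BYTES:
        raise RejectedXML("document exceeds size limit")

    parser = expat.ParserCreate()
    # Never read parameter entities, so no external DTD subset is ever fetched.
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)

    def refuse(reason: str):
        raise RejectedXML(reason)

    # Refuse all DTD machinery outright. Without a DOCTYPE no custom entity
    # can be declared, so entity expansion and external references cannot occur.
    parser.StartDoctypeDeclHandler = lambda *_: refuse("DOCTYPE not permitted")
    parser.EntityDeclHandler = lambda *_: refuse("entity declaration not permitted")
    parser.ExternalEntityRefHandler = lambda *_: refuse("external entity not permitted")
    parser.ProcessingInstructionHandler = lambda *_: refuse("processing instruction not permitted")

    stack: list = []        # currently open elements, outermost first
    root_holder: list = []  # receives the single root node
    seen = 0

    def start(tag, attrs):
        nonlocal seen
        seen += 1
        if seen > MAX_ELEMENTS:
            refuse("too many elements")
        if len(stack) >= MAX_DEPTH:
            refuse("nesting too deep")
        if tag not in ALLOWED:
            refuse(f"unexpected element <{tag}>")
        extra = set(attrs) - ALLOWED[tag][0]
        if extra:
            refuse(f"unexpected attribute(s) on <{tag}>: {sorted(extra)}")
        if stack and tag not in ALLOWED[stack[-1]["tag"]][1]:
            refuse(f"<{tag}> not allowed inside <{stack[-1]['tag']}>")
        if not stack and tag != ROOT_TAG:
            refuse(f"root element must be <{ROOT_TAG}>")
        node = {"tag": tag, "attrs": dict(attrs), "children": []}
        (stack[-1]["children"] if stack else root_holder).append(node)
        stack.append(node)

    def chardata(data):
        # This policy carries all values in attributes, so any non-whitespace
        # text or CDATA content is off-policy and refused.
        if data.strip():
            refuse("unexpected text content")

    parser.StartElementHandler = start
    parser.EndElementHandler = lambda _tag: stack.pop()
    parser.CharacterDataHandler = chardata
    try:
        parser.Parse(xml_bytes, True)
    except expat.ExpatError as err:
        raise RejectedXML(f"malformed XML: {err}") from None
    return root_holder[0]


def check_import(xml_bytes: bytes):
    """Convenience wrapper: (accepted, root tag or rejection reason)."""
    try:
        return True, parse_crf_import(xml_bytes)["tag"]
    except RejectedXML as err:
        return False, str(err)


if __name__ == "__main__":
    # Constructed sample submissions; none is taken from a real OpenClinica export.
    good = (b'<?xml version="1.0"?><ODM ODMVersion="1.3"><ClinicalData StudyOID="S_001">'
            b'<SubjectData SubjectKey="SS_001"><FormData FormOID="F_DEMOG">'
            b'<ItemData ItemOID="I_AGE" Value="42"/></FormData></SubjectData></ClinicalData></ODM>')
    with_dtd = b'<!DOCTYPE ODM [<!ENTITY e "x">]><ODM ODMVersion="1.3"/>'
    off_schema = b'<ODM ODMVersion="1.3"><ClinicalData StudyOID="S_001"><Script/></ClinicalData></ODM>'
    for label, doc in ("good", good), ("with_dtd", with_dtd), ("off_schema", off_schema):
        print(label, check_import(doc))
```

The design choice worth noting is that the parser is an allowlist on every axis at once: DTD constructs are refused before any entity can be declared, element and attribute names outside the expected schema are refused on first sight rather than after the document is built, and size, depth and element-count limits bound the work done on hostile input. Rejections carry a reason string so the application can log them, which is what recommendation 4 (monitoring for malformed submissions) needs.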
Affected Countries
Germany, United Kingdom, France, Netherlands, Sweden, Switzerland, Belgium
Technical Details
- Data Version: 5.2
- Assigner Short Name: VulDB
- Date Reserved: 2025-11-09T06:42:36.062Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 69112787a0a00dcacbece57c
Added to database: 11/9/2025, 11:45:11 PM
Last enriched: 11/9/2025, 11:45:26 PM
Last updated: 11/10/2025, 4:44:06 AM