
CVE-2025-30038: CWE-1230 Exposure of Sensitive Information Through Metadata in CGM CGM CLININET

Severity: High
Tags: Vulnerability, CVE-2025-30038, cve, cve-2025-30038, cwe-1230
Published: Wed Aug 27 2025 (08/27/2025, 10:20:35 UTC)
Source: CVE Database V5
Vendor/Project: CGM
Product: CGM CLININET

Description

The vulnerability consists of a session ID leak when saving a file downloaded from CGM CLININET. The identifier is exposed through a built-in Windows security feature that stores additional metadata in an NTFS alternate data stream (ADS) for all files downloaded from potentially untrusted sources.

AI-Powered Analysis

Last updated: 08/27/2025, 10:50:41 UTC

Technical Analysis

CVE-2025-30038 is a high-severity vulnerability affecting the CGM CLININET product developed by CGM. The core issue involves the unintended exposure of a session identifier through metadata stored in NTFS alternate data streams (ADS) on Windows systems. When a user downloads a file from CGM CLININET, Windows automatically attaches metadata to the file in an ADS, which in this case includes a session ID. This session ID is sensitive information that can potentially be used by an attacker to hijack or impersonate a legitimate user session. The vulnerability arises because the session ID is leaked outside the intended secure context, violating confidentiality principles. The CVSS 4.0 vector indicates the attack requires adjacent network access (AV:A), low attack complexity (AC:L), attack requirements present (AT:P), high privileges (PR:H), and active user interaction (UI:A). The impact on confidentiality, integrity, and availability is high, and the scope is high, meaning the vulnerability affects components beyond the vulnerable module. The vulnerability is categorized under CWE-1230, which relates to exposure of sensitive information through metadata. No known exploits are currently reported in the wild, and no patches have been released yet. The vulnerability was reserved in March 2025 and published in August 2025. The issue is rooted in the interaction between CGM CLININET’s session management and Windows’ handling of ADS metadata, which is a built-in security feature intended to mark files from untrusted sources but inadvertently leaks sensitive session information in this context.

Potential Impact

For European organizations, especially those in the healthcare sector using CGM CLININET, this vulnerability poses a significant risk. CGM CLININET is likely used for clinical or patient data management, so exposure of session IDs could lead to unauthorized access to sensitive patient records, violating GDPR and other privacy regulations. The leak of session identifiers could enable attackers to hijack active sessions, leading to data breaches, manipulation of clinical data, or disruption of healthcare services. This could result in reputational damage, regulatory fines, and operational disruptions. Since the vulnerability requires adjacent network access and user interaction, attacks might be feasible within internal networks or through phishing campaigns. The high privileges required suggest that attackers would need some level of access already, but the session ID leak could escalate their capabilities. The exposure through NTFS ADS metadata also means that forensic investigations and file handling procedures need to account for hidden streams, complicating incident response. Overall, the vulnerability threatens confidentiality and integrity of sensitive healthcare data and could impact availability if exploited to disrupt clinical workflows.

Mitigation Recommendations

Given the absence of an official patch, European organizations should implement immediate compensating controls. First, restrict and monitor access to internal networks where CGM CLININET is deployed to limit adjacent network attack vectors. Employ strict user privilege management to minimize high privilege accounts and enforce least privilege principles. Educate users about the risks of interacting with downloaded files and potential social engineering attacks. Implement endpoint detection and response (EDR) solutions capable of detecting unusual access or manipulation of NTFS ADS metadata. Regularly audit files downloaded from CGM CLININET for hidden ADS streams containing sensitive information and securely delete or quarantine such files. Network segmentation can help isolate CGM CLININET systems from less trusted network zones. Additionally, organizations should engage with CGM for timely updates and patches and consider temporary session management changes, such as shortening session lifetimes or implementing multi-factor authentication to reduce the impact of session ID exposure. Logging and monitoring of session activities should be enhanced to detect suspicious session hijacking attempts. Finally, review and update incident response plans to include scenarios involving metadata-based information leaks.
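An added example, not part of the advisory or of CGM's code: a sketch of the audit recommended above, reading each file's `Zone.Identifier` stream (the ADS in which Windows records a download's `HostUrl` and `ReferrerUrl`) and flagging session-like parameter names. It assumes the identifier leaks through one of those URLs; the parameter-name pattern, the host and the sample stream are constructed, since the advisory does not specify them.

```python
import os
import re
from urllib.parse import parse_qsl, urlsplit

# Assumption: parameter names that commonly carry session tokens. The advisory
# does not say which name or URL part CGM CLININET uses, so tune this pattern.
SESSION_HINT = re.compile(r"(sess|sid|token|auth|ticket)", re.I)
URL_KEYS = ("HostUrl", "ReferrerUrl")

def parse_zone_identifier(text):
    """Return the key=value pairs of a Zone.Identifier stream as a dict."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")  # split on the first '=' only
        if sep:
            fields[key.strip()] = value.strip()
    return fields

def session_like_params(text):
    """List (field, parameter name) pairs that look like session tokens."""
    hits = []
    fields = parse_zone_identifier(text)
    for key in URL_KEYS:
        url = urlsplit(fields.get(key, ""))
        # Tokens can sit in the query string or in ;path parameters.
        candidates = parse_qsl(url.query, keep_blank_values=True)
        candidates += [p.partition("=")[::2] for p in url.path.split(";")[1:]]
        # Report names only, so the audit log does not copy the token itself.
        hits += [(key, name) for name, _ in candidates if SESSION_HINT.search(name)]
    return hits

def audit_tree(root):
    """Windows/NTFS only: yield (path, hits) for files whose stream leaks."""
    for folder, _, names in os.walk(root):
        for name in names:
            path = os.path.join(folder, name)
            try:
                with open(path + ":Zone.Identifier", errors="replace") as ads:
                    hits = session_like_params(ads.read())
            except OSError:
                continue  # no stream on this file, or not an NTFS volume
            if hits:
                yield path, hits

# Constructed sample stream (host, path and parameter name are made up).
SAMPLE = ("[ZoneTransfer]\nZoneId=3\n"
          "ReferrerUrl=https://clininet.example/app/results\n"
          "HostUrl=https://clininet.example/app/get?doc=42&sessionId=CONSTRUCTED\n")

if __name__ == "__main__":
    print(session_like_params(SAMPLE))
```

On a hit, handle the file as recommended above (quarantine or secure deletion); stripping the stream instead also removes the download marking Windows relies on for its own warnings.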


Technical Details

Data Version: 5.1
Assigner Short Name: CERT-PL
Date Reserved: 2025-03-14T14:54:23.998Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 68aeded3ad5a09ad00611193

Added to database: 8/27/2025, 10:32:51 AM

Last enriched: 8/27/2025, 10:50:41 AM

Last updated: 8/29/2025, 8:01:06 PM
