
CVE-2025-30041: CWE-306 Missing Authentication for Critical Function in CGM CGM CLININET

Critical
Published: Wed Aug 27 2025 (08/27/2025, 10:21:41 UTC)
Source: CVE Database V5
Vendor/Project: CGM
Product: CGM CLININET

Description

The paths "/cgi-bin/CliniNET.prd/utils/userlogstat.pl", "/cgi-bin/CliniNET.prd/utils/usrlogstat.pl", and "/cgi-bin/CliniNET.prd/utils/dblogstat.pl" expose data containing session IDs.

AI-Powered Analysis

Last updated: 08/27/2025, 10:48:55 UTC

Technical Analysis

CVE-2025-30041 is a critical vulnerability in the CGM CLININET product by CGM, classified under CWE-306 (Missing Authentication for Critical Function). Three CGI script paths in the application, "/cgi-bin/CliniNET.prd/utils/userlogstat.pl", "/cgi-bin/CliniNET.prd/utils/usrlogstat.pl", and "/cgi-bin/CliniNET.prd/utils/dblogstat.pl", expose sensitive data containing session IDs without requiring any authentication. An unauthenticated attacker can therefore obtain session identifiers and use them to hijack user sessions or gain unauthorized access to the system.

The CVSS 4.0 base score is 9.0, reflecting a critical severity level. The vector string (CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H) indicates an adjacent-network attack vector (AV:A), low attack complexity (AC:L), attack requirements present (AT:P), no privileges required (PR:N), no user interaction (UI:N), and high impact on the confidentiality, integrity, and availability of the vulnerable system (VC:H, VI:H, VA:H). The subsequent-system impact metrics are also high (SC:H, SI:H, SA:H), indicating that the vulnerability affects resources beyond the initially vulnerable component.

Because these endpoints require no authentication, critical functions related to user log statistics and database log statistics can be accessed by unauthorized parties, potentially leading to session hijacking and further compromise of the healthcare environment. CGM CLININET is a clinical information system, so exposed session IDs and the resulting unauthorized access could lead to severe breaches of patient data confidentiality and integrity, as well as disruption of healthcare services.

Potential Impact

For European organizations, particularly healthcare providers using CGM CLININET, this vulnerability poses a significant risk. Unauthorized access to session IDs can allow attackers to impersonate legitimate users, including medical staff, leading to unauthorized access to sensitive patient records and clinical data. This compromises patient privacy and violates GDPR requirements for data protection, potentially resulting in legal and financial penalties. Furthermore, attackers could manipulate or disrupt clinical workflows, impacting patient care and safety. The critical nature of the vulnerability and the high impact on confidentiality, integrity, and availability mean that exploitation could lead to widespread operational disruptions in healthcare facilities. Additionally, the exposure of session data could facilitate further attacks such as privilege escalation or lateral movement within the network. The lack of known exploits in the wild currently reduces immediate risk but does not diminish the urgency for remediation given the criticality and potential impact on healthcare operations and patient safety in Europe.

Mitigation Recommendations

To mitigate this vulnerability, European healthcare organizations should immediately restrict access to the affected CGI script paths by implementing strong authentication and authorization controls. This includes configuring web server or application-level access controls to require user authentication before these endpoints can be reached. Network segmentation should limit access to the CGM CLININET system to trusted internal networks and authorized personnel. Monitoring and logging of access to these endpoints should be enhanced to detect unauthorized attempts. If the vulnerable scripts are not essential for operations, disable or remove them. Since no patch links are currently available, organizations should engage with the vendor (CGM) for timely updates or workarounds. Additionally, session management practices should be reviewed and strengthened, including the use of the Secure, HttpOnly, and SameSite cookie attributes to protect session IDs. Regular security assessments and penetration testing focused on authentication mechanisms in clinical systems are recommended to identify and remediate similar issues proactively.
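One way to implement the endpoint monitoring recommended above, as an added example that is not from the advisory or the vendor: a scan of web server access logs for requests to the three script paths. It assumes Common/Combined Log Format; the function names, the `allowed_ips` parameter, and the sample log lines are constructed for illustration.

```python
import posixpath
import re
from urllib.parse import unquote

# Script paths named in the CVE-2025-30041 description, lower-cased for matching.
EXPOSED = tuple(p.lower() for p in (
    "/cgi-bin/CliniNET.prd/utils/userlogstat.pl",
    "/cgi-bin/CliniNET.prd/utils/usrlogstat.pl",
    "/cgi-bin/CliniNET.prd/utils/dblogstat.pl",
))

# Assumption: Common/Combined Log Format access log lines.
LINE = re.compile(r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
                  r'"[A-Z]+ (?P<target>\S+)[^"]*" (?P<status>\d{3}) ')

def normalize(target):
    """Canonicalize a request target so equivalent spellings compare equal."""
    path = unquote(target.split("?", 1)[0])
    path = re.sub(r"/{2,}", "/", path)        # collapse repeated slashes
    return posixpath.normpath(path).lower()   # resolve ./ and ../, fold case

def findings(lines, allowed_ips=frozenset()):
    """Return requests for the exposed scripts (with or without trailing
    path info) from sources that are not in allowed_ips."""
    hits = []
    for line in lines:
        m = LINE.match(line)
        if not m or m["ip"] in allowed_ips:
            continue
        path = normalize(m["target"])
        if not any(path == p or path.startswith(p + "/") for p in EXPOSED):
            continue
        status = int(m["status"])
        hits.append({
            "ip": m["ip"], "time": m["ts"], "path": path, "status": status,
            "served": 200 <= status < 300,       # script output was returned
            "http_auth_user": m["user"] != "-",  # server-level auth only
        })
    return hits

SAMPLE = [  # constructed log lines, not real traffic
    '192.0.2.10 - - [27/Aug/2025:10:30:01 +0000] "GET /cgi-bin/CliniNET.prd/utils/dblogstat.pl HTTP/1.1" 200 5120',
    '192.0.2.10 - - [27/Aug/2025:10:30:05 +0000] "GET /cgi-bin//CliniNET.prd/utils/usrlogstat.pl?x=1 HTTP/1.1" 403 199',
    '198.51.100.7 - - [27/Aug/2025:10:31:00 +0000] "GET /index.html HTTP/1.1" 200 1024',
    '10.0.0.5 - admin [27/Aug/2025:10:32:00 +0000] "GET /cgi-bin/CliniNET.prd/utils/userlogstat.pl HTTP/1.1" 200 800',
]

if __name__ == "__main__":
    for hit in findings(SAMPLE, allowed_ips={"10.0.0.5"}):
        print(hit)
```

A hit with `served` set to true and no HTTP-auth user is the case to triage first: the script answered, so any session IDs in its output should be treated as disclosed and the affected sessions invalidated.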

Technical Details

Data Version: 5.1
Assigner Short Name: CERT-PL
Date Reserved: 2025-03-14T14:54:23.999Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 68aeded3ad5a09ad0061119c

Added to database: 8/27/2025, 10:32:51 AM

Last enriched: 8/27/2025, 10:48:55 AM

Last updated: 9/2/2025, 12:34:20 AM
