CVE-2025-30058: CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in CGM CGM CLININET
In the PatientService.pl service, the "getPatientIdentifier" function is vulnerable to SQL injection through the "pesel" parameter.
AI Analysis
Technical Summary
CVE-2025-30058 is a medium-severity SQL injection vulnerability in the CGM CLININET product, specifically in the "getPatientIdentifier" function of the PatientService.pl service. It arises from improper neutralization of special elements in SQL commands (CWE-89), which allows an attacker to inject SQL code via the "pesel" parameter. PESEL is the Polish national identification number, which indicates that this parameter is likely used to query patient records. The vulnerability has a CVSS 4.0 base score of 6.9, with the vector AV:A/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N: the attack requires adjacent network access (e.g., within the same LAN or VPN), has low attack complexity, needs no user interaction, and requires low privileges (an authenticated user). The confidentiality impact is high, as the vulnerability could allow unauthorized reading of sensitive patient data. There is no known exploit in the wild and no patch currently available. The affected version is listed as "0," which likely indicates an early or initial version of the software. The vulnerability does not directly affect integrity or availability, but it poses a significant risk to patient data confidentiality through unauthorized data disclosure via SQL injection. Because exploitation requires neither an authentication bypass nor user interaction, the risk is higher in environments where authenticated users have access to the vulnerable service.
Potential Impact
For European organizations, especially healthcare providers using CGM CLININET, this vulnerability poses a significant threat to patient data confidentiality. Exploitation could lead to unauthorized access to sensitive personal health information, violating GDPR regulations and potentially resulting in legal penalties and reputational damage. The use of the PESEL parameter suggests that Polish healthcare institutions are primary targets, but other European countries using CGM CLININET could also be affected. The vulnerability could facilitate data exfiltration, impacting patient privacy and trust. Although the attack requires some level of authenticated access and network proximity, insider threats or compromised credentials could enable exploitation. This risk is heightened in healthcare environments where patient data is critical and tightly regulated. Additionally, the absence of a patch increases exposure time, necessitating immediate mitigation efforts.
Mitigation Recommendations
1. Implement strict input validation and sanitization on the "pesel" parameter to prevent SQL injection, using parameterized queries or prepared statements.
2. Restrict access to the PatientService.pl service to only trusted and authenticated users with the minimum necessary privileges.
3. Employ network segmentation and access controls to limit the ability of attackers to reach the vulnerable service, especially from outside trusted networks.
4. Monitor logs for unusual SQL query patterns or repeated failed attempts to access patient identifiers.
5. Engage with CGM to obtain or request a security patch or update addressing this vulnerability.
6. Conduct a security audit of all web services handling sensitive parameters to identify similar injection flaws.
7. Educate staff on credential security to prevent insider threats and credential compromise.
8. Consider deploying Web Application Firewalls (WAFs) with rules to detect and block SQL injection attempts targeting the "pesel" parameter.
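As an added example for recommendation 1 (not CGM's code and not part of the original advisory): a lookup that first validates the PESEL format and check digit, then binds the value with a placeholder. It uses Python with an in-memory SQLite database as a stand-in; the patients table, its columns, the sample rows and the function names are assumptions.

```python
import re
import sqlite3

# PESEL check-digit weights for the first ten digits.
WEIGHTS = (1, 3, 7, 9, 1, 3, 7, 9, 1, 3)

def is_valid_pesel(value):
    """Accept only 11 ASCII digits whose check digit is correct."""
    # [0-9] instead of \d: \d would also accept non-ASCII Unicode digits.
    if not isinstance(value, str) or not re.fullmatch(r"[0-9]{11}", value):
        return False
    digits = [int(c) for c in value]
    total = sum(w * d for w, d in zip(WEIGHTS, digits))
    return (10 - total % 10) % 10 == digits[10]

def lookup_bound(conn, pesel):
    """Placeholder binding: the value is compared as data, never parsed as SQL."""
    row = conn.execute(
        "SELECT patient_id FROM patients WHERE pesel = ?", (pesel,)
    ).fetchone()
    return row[0] if row else None

def get_patient_identifier(conn, pesel):
    """Hypothetical hardened handler: reject malformed input, then bind."""
    if not is_valid_pesel(pesel):
        raise ValueError("pesel must be 11 digits with a valid check digit")
    return lookup_bound(conn, pesel)

def make_sample_db():
    """Constructed in-memory data; schema and rows are assumptions."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE patients (patient_id TEXT, pesel TEXT)")
    conn.executemany(
        "INSERT INTO patients VALUES (?, ?)",
        [("P-0001", "44051401359"), ("P-0002", "02070803628")],
    )
    return conn

if __name__ == "__main__":
    db = make_sample_db()
    malformed = "44051401359' OR '1'='1"  # constructed malformed input
    print(get_patient_identifier(db, "44051401359"))  # known patient
    print(is_valid_pesel(malformed))    # rejected before any SQL runs
    print(lookup_bound(db, malformed))  # binding alone also matches no row
```

Validation and binding are independent layers: the check-digit test rejects malformed input early and gives a clean signal for logging, while the placeholder is what actually keeps the value out of the SQL text.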
Affected Countries
Poland, Germany, France, Italy, Spain, Netherlands
Technical Details
- Data Version: 5.1
- Assigner Short Name: CERT-PL
- Date Reserved: 2025-03-14T14:55:39.571Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 68aeded4ad5a09ad006111b5
Added to database: 8/27/2025, 10:32:52 AM
Last enriched: 8/27/2025, 10:50:11 AM
Last updated: 10/18/2025, 4:05:16 AM