CVE-2025-30063: CWE-732 Incorrect Permission Assignment for Critical Resource in CGM CGM CLININET
The configuration file containing database logins and passwords is readable by any local user.
AI Analysis
Technical Summary
CVE-2025-30063 is a critical security vulnerability identified in the CGM CLININET product by CGM. The vulnerability is classified under CWE-732, which pertains to incorrect permission assignment for critical resources. Specifically, the issue involves a configuration file that contains sensitive database login credentials, including usernames and passwords, being accessible and readable by any local user on the system. This misconfiguration allows unauthorized local users to obtain database credentials without any authentication or user interaction. The CVSS 4.0 base score of 9.4 reflects the severity of this vulnerability, indicating it is critical. The attack vector is local (AV:L), with low attack complexity (AC:L), no privileges required (PR:N), and no user interaction needed (UI:N). The vulnerability impacts confidentiality, integrity, and availability at a high level, with scope and impact metrics all rated high (H). Although no known exploits are currently reported in the wild, the ease of exploitation due to lack of required privileges and user interaction makes this a significant risk. The vulnerability could lead to unauthorized access to the database, potentially allowing attackers to exfiltrate sensitive patient data, modify records, or disrupt healthcare operations. Given that CGM CLININET is a healthcare information system, the exposure of database credentials poses a severe risk to patient privacy and system integrity.
Potential Impact
For European organizations, especially healthcare providers using CGM CLININET, this vulnerability presents a critical risk. Unauthorized local users gaining access to database credentials can lead to data breaches involving sensitive patient information, violating GDPR and other data protection regulations. The compromise of database credentials can also enable attackers to manipulate clinical data, potentially impacting patient care and safety. Furthermore, attackers could disrupt healthcare services by corrupting or deleting data, leading to operational downtime. The reputational damage and regulatory penalties resulting from such breaches could be substantial. Since healthcare systems are often targeted by cybercriminals and nation-state actors, the presence of this vulnerability increases the attack surface significantly. European healthcare institutions must consider the potential for insider threats or attackers gaining local access through other means (e.g., compromised accounts or lateral movement), which could then be leveraged to exploit this vulnerability.
Mitigation Recommendations
To mitigate CVE-2025-30063, organizations should immediately audit file system permissions on all CGM CLININET installations to ensure that configuration files containing sensitive credentials are restricted to the minimum necessary accounts, ideally only accessible by the application service account and system administrators. Implement strict access control lists (ACLs) and use operating system features such as mandatory access controls (e.g., SELinux, AppArmor) to enforce these restrictions. Employ encryption for configuration files where possible, so that even if accessed, credentials are not stored in plaintext. Additionally, rotate database credentials regularly and monitor access logs for unusual local file access patterns. Implement host-based intrusion detection systems (HIDS) to alert on unauthorized access attempts. If possible, isolate CGM CLININET systems in segmented network zones with strict local user account management policies to reduce the risk of unauthorized local access. Finally, coordinate with CGM for patches or configuration guidance, and apply any vendor updates promptly once available.
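The permission audit recommended above can be scripted. The following is an added example, not vendor or CERT-PL code. It assumes a POSIX host, and the directory, the file name `db.conf` and the allowed-account sets are placeholders because this page does not name the real configuration file.

```python
import os
import stat
import tempfile


def audit_file(path, allowed_uids, allowed_gids):
    """Return permission findings for one file; an empty list means it passes."""
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    findings = []
    if st.st_uid not in allowed_uids:
        findings.append(f"unexpected owner uid {st.st_uid}")
    if mode & (stat.S_IRGRP | stat.S_IWGRP) and st.st_gid not in allowed_gids:
        findings.append(f"group access for unexpected gid {st.st_gid}")
    if mode & stat.S_IROTH:
        findings.append("world-readable")
    if mode & stat.S_IWOTH:
        findings.append("world-writable")
    return findings


def audit_tree(root, allowed_uids, allowed_gids):
    """Walk a configuration directory and map each failing file to its findings."""
    failing = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            findings = audit_file(path, allowed_uids, allowed_gids)
            if findings:
                failing[path] = findings
    return failing


def harden(path):
    """Restrict the file to owner read/write only (mode 0600)."""
    os.chmod(path, 0o600)


if __name__ == "__main__":
    # Constructed demo: a temporary directory stands in for the real config directory.
    with tempfile.TemporaryDirectory() as root:
        cfg = os.path.join(root, "db.conf")  # hypothetical file name
        with open(cfg, "w") as fh:
            fh.write("db_user=placeholder\ndb_password=placeholder\n")
        os.chmod(cfg, 0o644)  # the weak state described in the CVE
        service_uid = os.geteuid()  # assumption: the service account owns the file
        print("before:", audit_tree(root, {service_uid}, set()))
        harden(cfg)
        print("after: ", audit_tree(root, {service_uid}, set()))
```

Mode bits do not show POSIX ACL entries, so review those separately with `getfacl` on hosts where ACLs are in use.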
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Sweden, Belgium, Poland, Austria
Technical Details
- Data Version: 5.1
- Assigner Short Name: CERT-PL
- Date Reserved: 2025-03-14T14:55:39.571Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 68aeded4ad5a09ad006111c1
Added to database: 8/27/2025, 10:32:52 AM
Last enriched: 8/27/2025, 10:47:58 AM
Last updated: 8/27/2025, 1:32:51 PM