CVE-2025-3365: CWE-23 Relative Path Traversal in B. Braun Melsungen AG OnlineSuite
A missing protection against path traversal allows access to any file on the server.
AI Analysis
Technical Summary
CVE-2025-3365 is a critical security vulnerability identified in version 3.0 of the OnlineSuite product developed by B. Braun Melsungen AG. The vulnerability is classified as CWE-23, which corresponds to a relative path traversal flaw. This type of vulnerability arises when an application fails to properly sanitize user-supplied input that is used to construct file paths, allowing an attacker to manipulate the file path to access files and directories outside the intended scope. In this case, the missing protection against path traversal enables an unauthenticated remote attacker to access arbitrary files on the server hosting the OnlineSuite application. The CVSS v3.1 base score of 9.8 (critical) reflects the high impact and ease of exploitation: the attack vector is network-based (AV:N), requires no privileges (PR:N), no user interaction (UI:N), and affects confidentiality, integrity, and availability (C:H/I:H/A:H). Exploiting this vulnerability could allow attackers to read sensitive configuration files, credentials, or other critical data, modify files to inject malicious code, or disrupt service availability. Although no known exploits are currently reported in the wild, the severity and straightforward exploitation potential make this a significant threat. The lack of available patches at the time of publication further increases risk for affected users. Given the nature of the vulnerability, it is likely that attackers could craft HTTP requests with specially crafted path traversal sequences (e.g., ../) to escape the intended directory and access arbitrary files on the server filesystem.
Potential Impact
For European organizations using B. Braun's OnlineSuite version 3.0, this vulnerability poses a severe risk. OnlineSuite is a healthcare-related software platform, and B. Braun is a major medical technology company headquartered in Germany, with a strong presence across Europe. Compromise of this system could lead to unauthorized access to sensitive patient data, intellectual property, and internal operational files, violating GDPR and other data protection regulations. The integrity and availability impacts could disrupt healthcare operations, potentially affecting patient safety and care delivery. Furthermore, exposure of credentials or configuration files could facilitate further lateral movement or persistent compromise within healthcare provider networks. The criticality of healthcare infrastructure in Europe, combined with stringent regulatory requirements, means that exploitation of this vulnerability could result in significant financial penalties, reputational damage, and operational disruptions. The fact that no authentication is required and no user interaction is needed makes this vulnerability particularly dangerous in a healthcare environment where uptime and data confidentiality are paramount.
Mitigation Recommendations
Immediate mitigation steps include restricting external access to the OnlineSuite application through network segmentation and firewall rules to limit exposure. Organizations should implement web application firewalls (WAFs) with custom rules to detect and block path traversal patterns such as '../' sequences in URL parameters. Monitoring and logging access to sensitive files and directories can help detect exploitation attempts early. Since no official patch is currently available, organizations should engage with B. Braun to obtain timelines for remediation and consider temporary compensating controls such as disabling vulnerable features or restricting file system permissions to minimize the impact of potential exploitation. Additionally, conducting thorough security assessments and penetration testing focused on path traversal and input validation can identify other potential weaknesses. Finally, organizations should prepare incident response plans specific to this vulnerability to rapidly contain and remediate any detected exploitation.
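As an added example (not code from the advisory, from B. Braun, or from OnlineSuite), the Python below shows the two controls the analysis above calls for: a containment check that resolves a user-supplied file name under a fixed base directory and rejects anything that escapes it, which is the protection CWE-23 says is missing, and a log check that flags request paths carrying '../' sequences, including the percent-encoded and double-encoded forms a WAF rule that only matches the literal string would miss. The base directory, the 'file' parameter and the log lines are constructed assumptions, since the OnlineSuite layout is not described on the page.

```python
import os
import re
from typing import List, Optional
from urllib.parse import unquote

# Constructed base directory for the example; the real OnlineSuite layout is unknown.
BASE_DIR = "/srv/onlinesuite/public"

def safe_resolve(base_dir: str, user_path: str) -> Optional[str]:
    """Resolve a user-supplied relative path under base_dir.

    Returns the absolute path only if it stays inside base_dir, else None.
    Refusing the request on None is the containment control CWE-23 describes as absent."""
    decoded = unquote(user_path)  # catch percent-encoded dot-dot segments as well
    if "\x00" in decoded:  # NUL bytes can truncate paths in native file APIs
        return None
    base = os.path.realpath(base_dir)
    # Join, then canonicalise so ".." and symlinks are folded before the check;
    # a leading "/" is stripped so absolute input is still treated as relative to base.
    target = os.path.realpath(os.path.join(base, decoded.lstrip("/")))
    if target == base or target.startswith(base + os.sep):
        return target
    return None

def has_traversal(path: str) -> bool:
    """True if the raw, once-decoded or twice-decoded request path has a '../' or '..\\' segment."""
    candidates = {path, unquote(path), unquote(unquote(path))}
    return any(re.search(r"\.\.[/\\]", c) for c in candidates)

# Constructed access-log lines in common log format (not real OnlineSuite logs).
SAMPLE_LOG = [
    '10.0.0.5 - - [06/Jun/2025:12:28:51 +0000] "GET /report?file=summary.pdf HTTP/1.1" 200 5120',
    '10.0.0.9 - - [06/Jun/2025:12:29:02 +0000] "GET /report?file=../../../conf/server.xml HTTP/1.1" 200 1783',
    '10.0.0.9 - - [06/Jun/2025:12:29:07 +0000] "GET /report?file=..%2F..%2Fconf%2Fserver.xml HTTP/1.1" 200 912',
    '10.0.0.12 - - [06/Jun/2025:12:30:00 +0000] "GET /static/app.css HTTP/1.1" 304 0',
]
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/')

def flag_traversal_requests(log_lines: List[str]) -> List[str]:
    """Return the request paths from access-log lines that carry traversal sequences."""
    flagged = []
    for line in log_lines:
        m = REQUEST_RE.search(line)
        if m and has_traversal(m.group(1)):
            flagged.append(m.group(1))
    return flagged
```

Run over the sample log, the detector returns the two traversal requests, and passing their file parameters through safe_resolve yields None for both, while a plain file name resolves to a path under the base directory.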
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Belgium, Switzerland, Austria, Sweden
Technical Details
- Data Version: 5.1
- Assigner Short Name: B.Braun
- Date Reserved: 2025-04-07T06:11:11.032Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 6842df031a426642debc9489
Added to database: 6/6/2025, 12:28:51 PM
Last enriched: 7/7/2025, 7:11:45 PM
Last updated: 8/16/2025, 3:07:04 AM