CVE-2025-35030 is a Cross-Site Request Forgery (CSRF) vulnerability identified in Medical Informatics Engineering's Enterprise Health software, a widely used healthcare information system. The flaw allows an unauthenticated attacker to craft malicious URLs that, when clicked by an administrative user, cause the system to perform unauthorized actions on behalf of that user. This can lead to unauthorized changes in system settings, data manipulation, or exposure of sensitive patient information. The vulnerability affects multiple recent releases (RC202303 through RC202503) and was officially fixed on April 8, 2025. The CVSS v3.1 base score is 8.1, indicating high severity, with the vector showing network attack vector (AV:N), low attack complexity (AC:L), no privileges required (PR:N), but requiring user interaction (UI:R). The impact primarily compromises confidentiality and integrity, with no direct availability impact. Although no known exploits are reported in the wild, the vulnerability’s nature and affected user roles make it a significant risk. The vulnerability stems from inadequate CSRF protections, such as missing or ineffective anti-CSRF tokens, allowing attackers to leverage the trust of authenticated administrative users. Given the critical role of Enterprise Health in managing sensitive medical data, exploitation could lead to serious breaches of patient privacy and unauthorized administrative control.

For European organizations, particularly healthcare providers using Enterprise Health, this vulnerability poses a significant risk to patient data confidentiality and system integrity. Successful exploitation could allow attackers to alter medical records, change system configurations, or exfiltrate sensitive information without detection. This undermines trust in healthcare IT systems and could lead to regulatory penalties under GDPR due to data breaches. The requirement for user interaction (clicking a malicious link) means phishing campaigns could be an effective attack vector. The impact is heightened in environments where administrative users have broad privileges and where multi-factor authentication or additional user verification is not enforced. Disruption of healthcare services through unauthorized administrative actions could also indirectly affect availability and patient care quality. The lack of known exploits in the wild suggests the window for proactive mitigation is still open, but the high CVSS score indicates that the vulnerability is easily exploitable and impactful.

1. Immediately apply the official patch released on April 8, 2025, for all affected versions of Enterprise Health. 2. Implement additional CSRF protections such as anti-CSRF tokens on all state-changing requests, ensuring tokens are unique per session and validated server-side. 3. Enforce strict Content Security Policy (CSP) headers to reduce the risk of malicious script execution. 4. Educate administrative users about phishing risks and the dangers of clicking unsolicited links, especially in emails. 5. Employ multi-factor authentication (MFA) for administrative accounts to reduce the risk of session hijacking. 6. Monitor logs for unusual administrative actions or access patterns that could indicate exploitation attempts. 7. Segment the network to limit access to Enterprise Health administrative interfaces only to trusted devices and networks. 8. Consider implementing user interaction confirmations for critical administrative actions to prevent silent exploitation. 9. Regularly review and update security policies and incident response plans to address CSRF and related web vulnerabilities.