CVE-2025-35032: CWE-434 Unrestricted Upload of File with Dangerous Type in Medical Informatics Engineering Enterprise Health
Medical Informatics Engineering Enterprise Health allows authenticated users to upload arbitrary files. The impact of this behavior depends on how files are accessed. This issue is fixed as of 2025-04-08.
AI Analysis
Technical Summary
CVE-2025-35032 is a vulnerability identified in the Medical Informatics Engineering Enterprise Health product, classified under CWE-434, which pertains to the unrestricted upload of files with dangerous types. This vulnerability allows authenticated users to upload arbitrary files without sufficient validation or restriction on file types. The severity of this vulnerability is rated as low with a CVSS 3.1 score of 3.4. The CVSS vector indicates that the attack vector is network-based (AV:N), with low attack complexity (AC:L), but requires high privileges (PR:H) and user interaction (UI:R). The scope is changed (S:C), meaning the vulnerability affects resources beyond the initially vulnerable component. The impact is limited to integrity (I:L) with no impact on confidentiality (C:N) or availability (A:N). The vulnerability was fixed as of April 8, 2025, and no known exploits are currently active in the wild. The risk arises from the ability of an authenticated user to upload files that could potentially be used to alter system behavior or introduce malicious content, depending on how these files are subsequently accessed or processed by the system. Since the vulnerability requires authentication and user interaction, exploitation is somewhat constrained, but the changed scope indicates that the uploaded files could affect other components or users within the system, potentially leading to integrity issues such as unauthorized modification of data or execution of unintended actions. The lack of confidentiality and availability impact suggests that the vulnerability does not directly expose sensitive data or cause denial of service conditions. The vulnerability is relevant to healthcare environments using the Enterprise Health platform, which manages sensitive patient and operational data, making integrity protection critical.
Potential Impact
For European organizations, particularly healthcare providers and institutions using Medical Informatics Engineering's Enterprise Health platform, this vulnerability poses a risk to the integrity of health data and system operations. While the direct confidentiality and availability impacts are low, the ability to upload arbitrary files could allow attackers with legitimate access to introduce malicious files that might be executed or processed improperly, potentially leading to data tampering or unauthorized actions within the system. This could undermine trust in electronic health records, affect patient care decisions, and complicate compliance with stringent European data protection regulations such as GDPR and the NIS Directive. The requirement for authenticated access limits exposure to insider threats or compromised user accounts, but given the sensitive nature of healthcare data, even low-severity integrity issues can have significant operational and reputational consequences. Additionally, the changed scope indicates that the vulnerability could affect multiple components or users, increasing the risk of lateral movement or broader system impact within healthcare networks.
Mitigation Recommendations
European healthcare organizations should ensure that the Enterprise Health product is updated to the fixed version released on or after April 8, 2025. Until patching is complete, organizations should implement strict access controls to limit file upload capabilities to only trusted and necessary users. Monitoring and logging of file upload activities should be enhanced to detect any unusual or unauthorized uploads. File type validation and scanning should be enforced at the application and network levels to block potentially dangerous file types or content. Additionally, organizations should review and harden how uploaded files are accessed and processed, ensuring that execution permissions are not granted unnecessarily and that files are stored in segregated, non-executable directories. User training should emphasize the risks of uploading untrusted files and the importance of following security policies. Finally, incident response plans should be updated to include scenarios involving malicious file uploads to enable rapid detection and remediation.
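The validation and storage controls recommended above, as an added example that is not Enterprise Health code (the vendor's own fix is not described on this page): every extension in the name must be on an allowlist, the file's leading bytes must match the claimed type, the server picks a random name, and the file is written with non-executable permissions into a store directory that is assumed to sit outside the web root. The allowlist and size limit are illustrative assumptions.

```python
import os
import secrets
from pathlib import Path

# Allowlist of extension -> accepted leading bytes. Constructed for this example; a real
# deployment lists only the document types its workflow needs.
ALLOWED_TYPES = {
    ".pdf": [b"%PDF-"],
    ".png": [b"\x89PNG\r\n\x1a\n"],
    ".jpg": [b"\xff\xd8\xff"],
}
MAX_BYTES = 10 * 1024 * 1024  # assumed limit

class UploadRejected(ValueError):
    pass

def validate_upload(filename: str, data: bytes) -> str:
    """Return the accepted extension, or raise UploadRejected."""
    if len(data) == 0 or len(data) > MAX_BYTES:
        raise UploadRejected("empty or oversized file")
    # Keep only the basename so a crafted name cannot carry path components.
    base = os.path.basename(filename.replace("\\", "/"))
    # Every suffix must be allowed, which rejects double extensions such as report.pdf.php
    # (and, deliberately, any multi-dot name such as a.b.pdf).
    suffixes = [s.lower() for s in Path(base).suffixes]
    if not suffixes or any(s not in ALLOWED_TYPES for s in suffixes):
        raise UploadRejected(f"extension not allowed: {base!r}")
    ext = suffixes[-1]
    # The name is caller-controlled; the content must match the type it claims.
    if not any(data.startswith(magic) for magic in ALLOWED_TYPES[ext]):
        raise UploadRejected("content does not match claimed type")
    return ext

def store_upload(filename: str, data: bytes, store_dir: Path) -> Path:
    """Validate, then write under a server-chosen random name with mode 0600 (never executable)."""
    ext = validate_upload(filename, data)
    store_dir.mkdir(parents=True, exist_ok=True)
    dest = store_dir / f"{secrets.token_hex(16)}{ext}"
    # O_EXCL refuses to overwrite; 0o600 gives the service user read/write and nobody execute.
    fd = os.open(dest, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return dest
```

Serving the stored file back with a fixed Content-Type, a Content-Disposition of attachment and a nosniff header is the other half of the recommendation, since the advisory notes the impact depends on how files are accessed.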
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Sweden, Belgium
Technical Details
- Data Version: 5.1
- Assigner Short Name: cisa-cg
- Date Reserved: 2025-04-15T20:56:24.404Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 68dae7e1c05da5c004a42958
Added to database: 9/29/2025, 8:11:13 PM
Last enriched: 9/29/2025, 8:12:45 PM
Last updated: 10/2/2025, 6:24:41 AM