
CVE-2025-3980: Improper Authorization in wowjoy 浙江湖州华卓信息科技有限公司 Internet Doctor Workstation System

Medium
Published: Sun Apr 27 2025 (04/27/2025, 18:00:05 UTC)
Source: CVE
Vendor/Project: wowjoy 浙江湖州华卓信息科技有限公司
Product: Internet Doctor Workstation System

Description

A vulnerability classified as problematic was found in wowjoy 浙江湖州华卓信息科技有限公司 Internet Doctor Workstation System 1.0. This vulnerability affects unknown code of the file /v1/prescription/list. The manipulation leads to improper authorization. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

AI-Powered Analysis

Last updated: 06/24/2025, 17:52:23 UTC

Technical Analysis

CVE-2025-3980 is a medium-severity vulnerability in version 1.0 of the Internet Doctor Workstation System developed by wowjoy 浙江湖州华卓信息科技有限公司. It is an improper authorization flaw in the system's API endpoint /v1/prescription/list: the request is handled for a caller who is logged in, but the caller's right to the prescription data being listed is not checked. The CVSS 4.0 vector describes a remote attacker (AV:N) who holds a low-privileged account on the system (PR:L), needs no user interaction (UI:N) and faces low attack complexity (AC:L); because privileges are required, an unauthenticated caller cannot trigger the flaw directly, but any low-privilege user, including a compromised or malicious insider account, can. The impact is limited to confidentiality (VC:L): the attacker can read prescription listing data they should not see, and the vector records no integrity or availability impact. The affected code is not identified beyond the endpoint path, so the exact failing check is unknown. The vendor did not respond to the disclosure, and no patch or vendor-supplied mitigation has been published. No exploitation in the wild has been reported, but the exploit has been publicly disclosed, which raises the likelihood of attempts. The system is used in healthcare environments to manage prescriptions and doctor workstation operations, so unauthorized access to prescription data is a significant privacy and compliance concern. The CVSS 4.0 base score is 5.3, a medium rating that reflects the exposure of sensitive medical data through a missing authorization check.
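The class of flaw described above, as an added illustrative example and not the vendor's code (the product's implementation of /v1/prescription/list is not public): a minimal list handler that checks authentication but never authorization, beside a hardened form that scopes the result set to the caller's role and identity on the server side. The data model, role names and field names are assumptions made for the example.

```python
# Illustrative example of an authenticated-but-unauthorized list endpoint and
# its hardened counterpart. NOT the vendor's code; the Prescription/User model,
# the role names and the sample rows are assumptions for the example.
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Prescription:
    id: int
    doctor_id: int
    patient_id: int
    drug: str


@dataclass(frozen=True)
class User:
    id: int
    role: str  # assumed roles: "doctor", "patient", "auditor", anything else


class Forbidden(Exception):
    """Raised when a request is rejected by authentication or authorization."""


# Constructed sample data standing in for the prescription table.
PRESCRIPTIONS = [
    Prescription(1, doctor_id=10, patient_id=100, drug="metformin"),
    Prescription(2, doctor_id=10, patient_id=101, drug="amoxicillin"),
    Prescription(3, doctor_id=11, patient_id=102, drug="atorvastatin"),
]


def list_prescriptions_vulnerable(user: Optional[User]) -> List[Prescription]:
    """Authenticates (anonymous callers are rejected) but never authorizes:
    any logged-in account, whatever its role, receives every prescription.
    This is the pattern CVSS PR:L / VC:L describes for the advisory."""
    if user is None:
        raise Forbidden("authentication required")
    return list(PRESCRIPTIONS)


def list_prescriptions_fixed(user: Optional[User]) -> List[Prescription]:
    """Authorizes on the server side. The visible set is derived from the
    session's identity and role, never from a caller-supplied filter, and
    roles without a defined need fall through to deny."""
    if user is None:
        raise Forbidden("authentication required")
    if user.role == "doctor":
        return [p for p in PRESCRIPTIONS if p.doctor_id == user.id]
    if user.role == "patient":
        return [p for p in PRESCRIPTIONS if p.patient_id == user.id]
    if user.role == "auditor":
        return list(PRESCRIPTIONS)
    raise Forbidden(f"role {user.role!r} may not list prescriptions")


if __name__ == "__main__":
    helpdesk = User(99, "helpdesk")  # low-privilege account with no clinical need
    print("vulnerable:", [p.id for p in list_prescriptions_vulnerable(helpdesk)])
    try:
        list_prescriptions_fixed(helpdesk)
    except Forbidden as e:
        print("fixed:", e)
```

The important property of the fixed handler is that the filter comes from the authenticated session, so a low-privilege account cannot widen the result set by editing request parameters; a default-deny branch catches roles the developer did not think about.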

Potential Impact

For European organizations, particularly healthcare providers using the Internet Doctor Workstation System or similar platforms, this vulnerability poses a risk to patient confidentiality and data privacy. Unauthorized access to prescription data could lead to exposure of sensitive health information, violating GDPR and other data protection regulations. This could result in legal penalties, loss of patient trust, and reputational damage. While the vulnerability does not directly affect system integrity or availability, the unauthorized disclosure of medical prescriptions can facilitate fraud, prescription abuse, or other malicious activities. Healthcare institutions relying on this system may face operational disruptions if they need to take the system offline to mitigate risks. Additionally, the lack of vendor response and absence of patches complicate remediation efforts, increasing the window of exposure. Given the critical nature of healthcare data, even a medium-severity vulnerability warrants prompt attention to prevent escalation or chaining with other vulnerabilities.

Mitigation Recommendations

1. Immediate network-level controls: Restrict access to the Internet Doctor Workstation System's API endpoints, especially /v1/prescription/list, using firewall rules or network segmentation so that only trusted internal networks can reach them. Because the flaw requires a low-privileged account (PR:L), this reduces the population of possible attackers to users inside those networks; it does not remove the flaw.

2. Implement additional authorization checks: Deploy a reverse proxy or API gateway with strict access control policies that enforce proper authorization (for example, limiting /v1/prescription/list to the roles that legitimately need it) before requests reach the vulnerable endpoint.

3. Monitor and log access: Enable detailed logging and real-time monitoring of API access to detect anomalous or unauthorized attempts to access prescription data, such as calls to /v1/prescription/list from unexpected accounts, unexpected source addresses, or at unusual volume.

4. Conduct internal audits: Review user roles and permissions within the system to ensure least privilege principles are applied, minimizing the impact if exploitation occurs.

5. Engage with the vendor or consider alternative solutions: Since the vendor has not responded, organizations should evaluate the risk of continued use and consider migrating to more secure platforms with active security support.

6. Prepare incident response plans: Develop and test procedures to respond to potential data breaches involving prescription data, including notification protocols compliant with GDPR.

7. Apply compensating controls: Enforce multi-factor authentication for system access to reduce the risk that a stolen low-privilege credential is used to exploit the flaw, and keep prescription data encrypted at rest and in transit. Note that encryption does not address this vulnerability itself, since the data is returned to an authenticated caller over the normal application path.
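Detection logic for recommendations 1 and 3 above, as an added example that is not part of the original advisory and not the vendor's code: it parses constructed access-log lines from a reverse proxy in front of the system and flags calls to /v1/prescription/list that come from outside the trusted network or exceed a per-user rate in a short window. The log format, the field names, the trusted network range, the window and the threshold are all assumptions for the example and must be adapted to the real gateway.

```python
# Added detection example over constructed reverse-proxy log lines.
# Assumed log format:  <ISO-8601 UTC ts> <client ip> user=<account> <METHOD> <path> <status>
# The trusted range, window and threshold are assumptions, not vendor guidance.
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime
from typing import List

ENDPOINT = "/v1/prescription/list"
TRUSTED_NETS = [ipaddress.ip_network("10.20.0.0/16")]  # assumed clinical LAN
MAX_LISTS_PER_USER = 5   # assumed: more list calls than this per window is suspicious
WINDOW_SECONDS = 60

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) user=(?P<user>\S+) (?P<method>[A-Z]+) "
    r"(?P<path>\S+) (?P<status>\d{3})$"
)

# Constructed sample log: one clinician behaving normally, one low-privilege
# helpdesk account hitting the endpoint from the internet and then rapidly
# from inside. The /healthz line is unrelated noise.
SAMPLE_LOG = """\
2025-05-02T09:14:02Z 10.20.30.41 user=doc_1042 GET /v1/prescription/list 200
2025-05-02T09:14:09Z 10.20.30.41 user=doc_1042 GET /v1/prescription/list 200
2025-05-02T09:15:30Z 203.0.113.77 user=helpdesk_7 GET /v1/prescription/list 200
2025-05-02T09:15:31Z 10.20.31.9 user=helpdesk_7 GET /v1/prescription/list 200
2025-05-02T09:15:33Z 10.20.31.9 user=helpdesk_7 GET /v1/prescription/list 200
2025-05-02T09:15:35Z 10.20.31.9 user=helpdesk_7 GET /v1/prescription/list 200
2025-05-02T09:15:37Z 10.20.31.9 user=helpdesk_7 GET /v1/prescription/list 200
2025-05-02T09:15:39Z 10.20.31.9 user=helpdesk_7 GET /v1/prescription/list 200
2025-05-02T09:15:41Z 10.20.31.9 user=helpdesk_7 GET /v1/prescription/list 200
2025-05-02T09:16:00Z 10.20.30.41 user=doc_1042 GET /healthz 200
"""


def parse_line(line: str):
    """Return a dict for a well-formed line, or None for lines we do not understand."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return rec


def analyze(log_text: str, trusted_nets=TRUSTED_NETS,
            max_per_user: int = MAX_LISTS_PER_USER,
            window_s: int = WINDOW_SECONDS) -> List[str]:
    """Flag prescription-list calls from untrusted sources and per-user bursts.
    Each user is reported for volume at most once so the output stays readable."""
    findings: List[str] = []
    recent = defaultdict(deque)      # user -> timestamps of list calls in the window
    volume_flagged = set()
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or rec["path"] != ENDPOINT:
            continue
        ip = ipaddress.ip_address(rec["ip"])
        if not any(ip in net for net in trusted_nets):
            findings.append(
                f"untrusted-source user={rec['user']} ip={rec['ip']} "
                f"at {rec['ts'].isoformat()}"
            )
        q = recent[rec["user"]]
        q.append(rec["ts"])
        while q and (rec["ts"] - q[0]).total_seconds() > window_s:
            q.popleft()  # drop calls that fell out of the sliding window
        if len(q) > max_per_user and rec["user"] not in volume_flagged:
            volume_flagged.add(rec["user"])
            findings.append(
                f"high-volume user={rec['user']} {len(q)} list calls within {window_s}s"
            )
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(finding)
```

Against the constructed log the function reports the helpdesk account twice: once for the call from 203.0.113.77, which is outside the assumed trusted range, and once when its sixth call lands inside the 60-second window. The clinician's two calls and the unrelated /healthz request produce nothing. The thresholds are deliberately conservative placeholders; tune them from a baseline of normal clinician activity before acting on alerts.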


Technical Details

Data Version
5.1
Assigner Short Name
VulDB
Date Reserved
2025-04-26T07:52:51.590Z
Cisa Enriched
true
Cvss Version
4.0
State
PUBLISHED

Threat ID: 682d983ec4522896dcbef9ce

Added to database: 5/21/2025, 9:09:18 AM

Last enriched: 6/24/2025, 5:52:23 PM

Last updated: 7/26/2025, 10:16:44 PM

