
CVE-2025-4596: CWE-639 Authorization Bypass Through User-Controlled Key in Asseco AMDX

Severity: Medium
Published: Thu Jan 08 2026 (01/08/2026, 14:58:23 UTC)
Source: CVE Database V5
Vendor/Project: Asseco
Product: AMDX

Description

The Asseco ADMX system is used for processing medical records. It allows logged-in users to access medical files belonging to other users by manipulating GET arguments containing document IDs. This issue has been fixed in version 6.09.01.62 of ADMX.

AI-Powered Analysis

AI analysis last updated: 01/08/2026, 15:20:36 UTC

Technical Analysis

CVE-2025-4596 is an authorization bypass vulnerability classified under CWE-639 (Authorization Bypass Through User-Controlled Key) found in the Asseco AMDX system, a platform used for processing and managing medical records. The vulnerability arises because the system improperly validates user permissions when handling GET request parameters that specify document IDs. Authenticated users can manipulate these parameters to access medical files belonging to other users without proper authorization checks. This flaw compromises the confidentiality of sensitive medical data, potentially exposing private health information. The vulnerability does not require elevated privileges beyond being logged in, nor does it require user interaction, making it easier to exploit remotely over the network. The CVSS 4.0 base score is 5.3 (medium severity), reflecting network attack vector, low complexity, no privileges required, and no user interaction. The issue has been addressed and fixed in version 6.09.01.62 of the AMDX product. There are currently no known exploits in the wild. The vulnerability was assigned by CERT-PL and publicly disclosed in January 2026. Given the critical nature of medical data, unauthorized access could lead to privacy violations, regulatory non-compliance, and reputational damage for affected organizations.
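The CWE-639 pattern described above, as an added illustration that is not Asseco code: a minimal document-view handler that trusts a document ID taken from the query string, next to the fixed form that enforces object-level ownership. The record layout, parameter name `doc_id` and sample documents are constructed for the example.

```python
from dataclasses import dataclass
from urllib.parse import parse_qs


@dataclass(frozen=True)
class Document:
    doc_id: int
    owner_id: int
    body: str


# Constructed sample records: files belonging to two different patients.
DOCUMENTS = {
    101: Document(101, owner_id=1, body="patient 1 lab results"),
    102: Document(102, owner_id=2, body="patient 2 discharge summary"),
}


def _doc_id_from_query(query_string: str):
    """Parse ?doc_id=N from a GET query string; None if absent or not an integer."""
    raw = parse_qs(query_string).get("doc_id", [""])[0]
    return int(raw) if raw.isdigit() else None


def view_document_vulnerable(session_user_id: int, query_string: str):
    """Returns (status, body). The caller is authenticated, but the user-controlled
    key is used directly: any logged-in user can read any record (CWE-639)."""
    doc_id = _doc_id_from_query(query_string)
    if doc_id is None or doc_id not in DOCUMENTS:
        return 404, ""
    return 200, DOCUMENTS[doc_id].body


def view_document_fixed(session_user_id: int, query_string: str):
    """Returns (status, body). Object-level authorization: the record must belong
    to the session user. Missing and foreign records get the same response so the
    ID space cannot be enumerated by comparing error codes."""
    doc_id = _doc_id_from_query(query_string)
    if doc_id is None:
        return 400, ""
    doc = DOCUMENTS.get(doc_id)
    if doc is None or doc.owner_id != session_user_id:
        return 403, ""
    return 200, doc.body
```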

Potential Impact

For European organizations, particularly those in the healthcare sector using Asseco AMDX, this vulnerability poses a significant risk to patient data confidentiality. Unauthorized access to medical records can lead to breaches of GDPR and other data protection regulations, resulting in legal penalties and loss of trust. The exposure of sensitive health information could also facilitate identity theft, insurance fraud, or targeted phishing attacks. Since the vulnerability requires only authenticated access, insider threats or compromised user accounts could be leveraged to exploit this flaw. The impact extends beyond individual patients to institutional reputations and operational integrity. Healthcare providers may face increased scrutiny and potential financial liabilities. Additionally, the breach of medical data could disrupt healthcare services if trust in the system is undermined.

Mitigation Recommendations

Organizations should promptly upgrade Asseco AMDX to version 6.09.01.62 or later, where the authorization checks have been properly implemented. Until the patch is applied, it is critical to enforce strict access controls and monitor user activities for anomalous access patterns to medical records. Implement multi-factor authentication (MFA) to reduce the risk of compromised credentials being used to exploit this vulnerability. Conduct regular audits of user permissions and restrict access to medical files on a need-to-know basis. Network segmentation and application-layer firewalls can help limit exposure of the AMDX system to only trusted users and networks. Security teams should also review logs for unusual GET parameter manipulations and consider deploying web application firewalls (WAFs) with custom rules to detect and block unauthorized document ID tampering. Employee training on secure usage of the system and awareness of this vulnerability can further reduce risk.
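A concrete form of the log review suggested above, as an added example rather than anything shipped with AMDX: it scans access-log lines for users who request many distinct, largely sequential document IDs, which is the signature of someone walking the ID space. The log format, the `doc_id` parameter and the log lines themselves are constructed for the example; the thresholds are assumptions to tune per deployment.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs

# Constructed sample log lines: "<user> GET <path>?<query> <status>".
SAMPLE_LOG = """\
u1 GET /records/view?doc_id=101 200
u1 GET /records/view?doc_id=102 200
u1 GET /records/view?doc_id=103 200
u1 GET /records/view?doc_id=104 403
u1 GET /records/view?doc_id=105 200
u2 GET /records/view?doc_id=207 200
u2 GET /records/view?doc_id=207 200
u3 GET /records/list 200
""".splitlines()

LINE_RE = re.compile(r"^(\S+) GET (\S+?)(?:\?(\S*))? (\d{3})$")


def parse_line(line):
    """Return (user, doc_id, status) or None for lines without a numeric doc_id."""
    m = LINE_RE.match(line)
    if not m:
        return None
    user, _path, query, status = m.groups()
    raw = parse_qs(query or "").get("doc_id", [""])[0]
    if not raw.isdigit():
        return None
    return user, int(raw), int(status)


def flag_id_enumeration(lines, min_distinct=3, min_sequential_ratio=0.5):
    """Flag users whose accessed document IDs look enumerated: at least
    min_distinct distinct IDs, with a high share of consecutive (+1) steps.
    Returns {user: {"distinct_ids": n, "sequential_steps": k, "denied": d}}."""
    ids = defaultdict(list)
    denied = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        user, doc_id, status = rec
        ids[user].append(doc_id)
        if status == 403:
            denied[user] += 1
    flagged = {}
    for user, seen in ids.items():
        distinct = sorted(set(seen))
        if len(distinct) < min_distinct:
            continue
        steps = [b - a for a, b in zip(distinct, distinct[1:])]
        sequential = sum(1 for s in steps if s == 1)
        if sequential / len(steps) >= min_sequential_ratio:
            flagged[user] = {"distinct_ids": len(distinct),
                             "sequential_steps": sequential,
                             "denied": denied[user]}
    return flagged
```

A single 403 among successful reads, as in the u1 lines, is the case worth alerting on while the unpatched version is in use, since every other ID in the run was served.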


Technical Details

Data Version
5.2
Assigner Short Name
CERT-PL
Date Reserved
2025-05-12T15:49:49.216Z
Cvss Version
4.0
State
PUBLISHED

Threat ID: 695fc7afc901b06321f9519a

Added to database: 1/8/2026, 3:05:19 PM

Last enriched: 1/8/2026, 3:20:36 PM

Last updated: 1/9/2026, 11:06:41 AM