
CVE-2025-46823: CWE-862: Missing Authorization in openmrs openmrs-module-fhir2

High
Published: Thu May 29 2025 (05/29/2025, 17:56:23 UTC)
Source: CVE Database V5
Vendor/Project: openmrs
Product: openmrs-module-fhir2

Description

openmrs-module-fhir2 provides the FHIR REST API and related services for OpenMRS, an open medical records system. In versions of the FHIR2 module prior to 2.5.0, privileges were not always correctly checked, which means that unauthorized users may have been able to add or edit data they were not supposed to be able to. All implementers should update to FHIR2 2.5.0 or newer as soon as is feasible to receive a patch.

AI-Powered Analysis

Last updated: 07/07/2025, 22:55:42 UTC

Technical Analysis

CVE-2025-46823 is a high-severity vulnerability identified in openmrs-module-fhir2, the module that provides FHIR (Fast Healthcare Interoperability Resources) REST API services for OpenMRS, an open-source medical records system widely used in healthcare environments. The vulnerability is classified under CWE-862, missing authorization. Specifically, in versions of the FHIR2 module prior to 2.5.0, the module did not consistently enforce privilege checks. This flaw allows unauthorized users to add or modify medical data via the FHIR API without the permissions those operations require. Since OpenMRS is designed to manage sensitive patient information, unauthorized data manipulation can lead to significant confidentiality and integrity breaches. The vulnerability is remotely exploitable over the network without requiring authentication or user interaction, which increases the risk of exploitation. The CVSS 4.0 base score of 8.0 reflects its high severity: high impact on confidentiality and integrity, low attack complexity, and no privileges or user interaction needed. Although no exploits are currently reported in the wild, the potential for abuse is substantial given the sensitive nature of healthcare data and the widespread use of OpenMRS in healthcare institutions globally. The recommended remediation is to upgrade openmrs-module-fhir2 to version 2.5.0 or later, where the authorization checks have been properly implemented to prevent unauthorized access to and modification of data.

Potential Impact

For European organizations, particularly healthcare providers, this vulnerability poses a significant risk. Unauthorized modification or addition of patient records can lead to incorrect medical treatments, diagnostic errors, and compromised patient safety. Additionally, breaches of patient data confidentiality can result in violations of the EU General Data Protection Regulation (GDPR), leading to substantial legal and financial penalties. The integrity loss of medical records undermines trust in healthcare systems and can disrupt clinical workflows. Given that OpenMRS is used in various public health institutions and NGOs across Europe, exploitation could affect a broad range of entities, from hospitals to research institutions. The remote, unauthenticated nature of the vulnerability means attackers could potentially exploit it from outside the network perimeter, increasing the threat surface. Moreover, the absence of known exploits does not diminish the urgency, as the vulnerability is straightforward to exploit and could be targeted by opportunistic attackers or advanced persistent threat actors aiming to disrupt healthcare services or steal sensitive data.

Mitigation Recommendations

European organizations using OpenMRS should prioritize upgrading the openmrs-module-fhir2 to version 2.5.0 or later immediately to apply the official patch that corrects the authorization checks. In addition to patching, organizations should implement strict network segmentation to isolate healthcare systems from general-purpose networks and the internet, reducing exposure. Deploying Web Application Firewalls (WAFs) with rules tailored to detect anomalous FHIR API requests can provide an additional layer of defense. Regular auditing and monitoring of API access logs should be instituted to detect unauthorized access attempts or suspicious modifications. Organizations should also enforce strong access control policies, including multi-factor authentication for administrative interfaces and API endpoints where feasible. Conducting security awareness training for IT staff on the importance of timely patch management and monitoring for vulnerabilities in healthcare software is critical. Finally, organizations should have an incident response plan tailored to healthcare data breaches, ensuring rapid containment and remediation if exploitation occurs.
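One way to act on the log-auditing recommendation above, as an added example that is not code from the advisory or from the OpenMRS project: it scans constructed common-log-format access lines for FHIR2 write requests the server accepted from an anonymous or unprivileged account, which is the trace a missing-authorization check leaves behind. The `/openmrs/ws/fhir2/R4` path prefix, the log format and the `WRITE_AUTHORIZED_USERS` allowlist are assumptions about the deployment.

```python
import re

# Access-log lines in common-log format, constructed for this example (not real traffic).
# Fields: client ip, identd, authenticated user ('-' = anonymous), timestamp, request, status, bytes.
SAMPLE_LOG = """\
10.0.0.5 - clinician1 [29/May/2025:17:56:23 +0000] "POST /openmrs/ws/fhir2/R4/Observation HTTP/1.1" 201 512
10.0.0.9 - - [29/May/2025:17:57:01 +0000] "PUT /openmrs/ws/fhir2/R4/Patient/abc-123 HTTP/1.1" 200 740
10.0.0.7 - reception2 [29/May/2025:17:58:10 +0000] "GET /openmrs/ws/fhir2/R4/Patient/abc-123 HTTP/1.1" 200 1200
10.0.0.7 - reception2 [29/May/2025:17:58:40 +0000] "PATCH /openmrs/ws/fhir2/R4/Encounter/enc-9 HTTP/1.1" 200 300
10.0.0.7 - reception2 [29/May/2025:17:59:02 +0000] "DELETE /openmrs/ws/fhir2/R4/Encounter/enc-9 HTTP/1.1" 403 0
"""

# Accounts that legitimately hold the privileges to create or edit clinical data.
# Assumption: in a real deployment this set is derived from the OpenMRS role/privilege configuration.
WRITE_AUTHORIZED_USERS = {"clinician1"}

WRITE_METHODS = {"POST", "PUT", "PATCH", "DELETE"}
# The context path and FHIR version prefix are assumptions about how the module is deployed.
FHIR2_PATH = re.compile(r"^/openmrs/ws/fhir2/(?:R3|R4)/(?P<resource>[A-Za-z]+)(?:/|\?|$)")
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

def audit_fhir_writes(log_text, authorized_users=WRITE_AUTHORIZED_USERS):
    """Return (timestamp, user, method, resource, status, reason) for each FHIR write
    the server accepted (2xx) from an anonymous or unprivileged account. A 401/403 is
    the expected outcome after the FHIR2 2.5.0 fix, so refused writes are not reported."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m or m["method"] not in WRITE_METHODS:
            continue
        path = FHIR2_PATH.match(m["path"])
        status = int(m["status"])
        if not path or not 200 <= status < 300:
            continue  # not a FHIR2 write, or the write was refused
        user = m["user"]
        if user == "-":
            reason = "unauthenticated write accepted"
        elif user not in authorized_users:
            reason = "write accepted for account without write privilege"
        else:
            continue
        findings.append((m["ts"], user, m["method"], path["resource"], status, reason))
    return findings

if __name__ == "__main__":
    for ts, user, method, resource, status, reason in audit_fhir_writes(SAMPLE_LOG):
        print(f"{ts} {user:>10} {method:<6} {resource:<11} {status} {reason}")
```

On the constructed sample the authorized POST and the refused DELETE are silent; the anonymous PUT and the receptionist's PATCH are reported. Feed it real access logs only after confirming the log format and endpoint prefix match your deployment.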


Technical Details

Data Version: 5.1
Assigner Short Name: GitHub_M
Date Reserved: 2025-04-30T19:41:58.134Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 6838ab0d182aa0cae2898e23

Added to database: 5/29/2025, 6:44:29 PM

Last enriched: 7/7/2025, 10:55:42 PM

Last updated: 8/14/2025, 1:45:19 AM
