CVE-2025-50594 is a security vulnerability identified in the Danphe Health Hospital Management System EMR version 3.2, specifically within the SecuritySettingsController.cs file located in the /Code/Websites/DanpheEMR/Controllers/Settings/ directory. This vulnerability allows an attacker to reset any user account password without proper authorization. The flaw likely stems from insufficient access control or improper validation in the password reset functionality, enabling unauthorized actors to manipulate the password reset process and gain control over arbitrary user accounts. Given that this is an Electronic Medical Record (EMR) system used in hospital management, the vulnerability poses a significant risk to the confidentiality and integrity of sensitive patient and hospital data. The absence of a CVSS score indicates that the vulnerability has not yet been fully assessed or scored, and no known exploits are currently reported in the wild. However, the ability to reset any account password without authentication suggests a critical security weakness that could be exploited to gain unauthorized access to the system, potentially leading to data breaches, unauthorized data modification, or disruption of hospital operations.

For European organizations, particularly hospitals and healthcare providers using the Danphe Health Hospital Management System EMR, this vulnerability could have severe consequences. Unauthorized password resets could allow attackers to impersonate legitimate users, including medical staff and administrators, leading to unauthorized access to sensitive patient health information, violation of GDPR regulations, and potential patient safety risks. The compromise of EMR systems can disrupt hospital workflows, delay patient care, and damage organizational reputation. Additionally, healthcare data is a high-value target for cybercriminals, increasing the risk of ransomware attacks or data theft. The vulnerability's exploitation could also lead to regulatory penalties under European data protection laws due to inadequate protection of personal health information.

To mitigate this vulnerability, organizations should immediately audit and restrict access to the password reset functionality within the Danphe Health EMR system. Implement strict access controls and ensure that password reset operations require proper authentication and authorization checks. Employ multi-factor authentication (MFA) for all administrative and user accounts to reduce the risk of unauthorized access. Conduct a thorough code review and patch the SecuritySettingsController.cs to validate all inputs and enforce role-based access control. If a patch from the vendor becomes available, prioritize its deployment. Additionally, monitor system logs for unusual password reset activities and establish incident response procedures to quickly address potential exploitation. Training staff to recognize phishing or social engineering attempts that could leverage this vulnerability is also recommended.