
CVE-2025-7735: CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in UNIMAX Hospital Information System

High
Published: Thu Jul 17 2025 (07/17/2025, 03:20:58 UTC)
Source: CVE Database V5
Vendor/Project: UNIMAX
Product: Hospital Information System

Description

The Hospital Information System developed by UNIMAX has a SQL Injection vulnerability, allowing unauthenticated remote attackers to inject arbitrary SQL commands to read database contents.

AI-Powered Analysis

Last updated: 07/17/2025, 03:46:06 UTC

Technical Analysis

CVE-2025-7735 is a high-severity SQL injection vulnerability in the UNIMAX Hospital Information System. It is an instance of CWE-89 (Improper Neutralization of Special Elements used in an SQL Command): untrusted input reaches a SQL statement without being escaped or bound as a parameter, so an unauthenticated remote attacker with network access to the application can change the structure of the backend query rather than merely supplying a value. The published description limits the confirmed impact to reading database contents, which in a hospital information system can include patient records, clinical and operational data, and whatever other tables share the database.

The CVSS 3.1 base score is 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N): network attack vector, low attack complexity, no privileges required, no user interaction, high confidentiality impact and no integrity or availability impact. The affected-version field in the CVE record is "0". In CVE 5 records that value is commonly used as a placeholder when the CNA does not enumerate affected versions, so it should not be read as an early or initial release; until the vendor states otherwise, all deployed versions should be treated as affected. No public exploit had been reported at the time of this analysis, but an unauthenticated, network-reachable SQL injection is straightforward to weaponize once the vulnerable parameter is known, and the sensitivity of hospital data makes this a significant risk.
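The mechanism behind a CWE-89 flaw of this kind, as an added illustration that is not code from the UNIMAX product (whose stack and schema are not public): a patient lookup that splices untrusted input into the SQL text beside the same lookup written with a bound parameter. The table and column names, the in-memory SQLite database and the payload are all constructed for the example.

```python
import sqlite3

# Constructed sample schema standing in for a hospital information system's
# database. Table and column names are assumptions for illustration only.
SCHEMA = """
CREATE TABLE patients (id INTEGER PRIMARY KEY, name TEXT, diagnosis TEXT);
CREATE TABLE staff_credentials (username TEXT, password_hash TEXT);
INSERT INTO patients VALUES (1, 'Alice Example', 'hypertension');
INSERT INTO patients VALUES (2, 'Bob Example', 'diabetes');
INSERT INTO staff_credentials VALUES ('admin', 'constructed-hash-value');
"""


def open_db() -> sqlite3.Connection:
    """Return an in-memory database populated with the constructed sample data."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def lookup_patient_vulnerable(conn: sqlite3.Connection, name: str) -> list[tuple]:
    """CWE-89 pattern: untrusted input is concatenated into the SQL text.

    A single quote in `name` terminates the string literal and the rest of
    the input is parsed as SQL, so the caller controls the query structure.
    """
    sql = "SELECT name, diagnosis FROM patients WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_patient_hardened(conn: sqlite3.Connection, name: str) -> list[tuple]:
    """Parameterized form: the driver binds `name` as a value, never as SQL text."""
    sql = "SELECT name, diagnosis FROM patients WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


# Constructed payload of the kind an unauthenticated attacker would send: it
# closes the open string literal, appends a UNION that reads a table the query
# was never meant to expose, and comments out the trailing quote.
PAYLOAD = "x' UNION SELECT username, password_hash FROM staff_credentials --"


def demo() -> dict:
    """Run the same payload through both implementations and a legitimate lookup."""
    conn = open_db()
    return {
        "vulnerable": lookup_patient_vulnerable(conn, PAYLOAD),
        "hardened": lookup_patient_hardened(conn, PAYLOAD),
        "legit": lookup_patient_hardened(conn, "Alice Example"),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {rows}")
```

Against the vulnerable function the payload returns the credential row from a table the lookup never references; against the parameterized version the same string is compared as a literal patient name and matches nothing. No escaping or input filter is involved in the fix, which is why binding parameters is the primary remediation rather than a blocklist.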

Potential Impact

For European organizations, this vulnerability poses a substantial risk to healthcare providers running the UNIMAX Hospital Information System. Health data is a special category of personal data under GDPR Article 9, and unauthorized disclosure of it is a personal data breach that triggers notification to the supervisory authority under Article 33 and, where the risk to patients is high, to the patients themselves under Article 34, with the associated administrative fines and reputational damage. Exposed health records also enable follow-on harm such as identity theft, insurance fraud and extortion of patients. The vulnerability has no direct integrity or availability impact, but in a healthcare context the confidentiality breach alone is critical, and the incident response it forces (taking the system offline, forensic investigation, notification) can itself disrupt clinical operations. Data read through the flaw, such as user accounts, schema details or credentials stored alongside patient data, can also serve as reconnaissance for subsequent attacks. Because no credentials or user interaction are required, any attacker who can reach the application over the network can exploit it.

Mitigation Recommendations

European healthcare organizations should first establish whether they run the UNIMAX Hospital Information System at all, and where it is exposed, since the CVE record does not enumerate affected versions and every deployed version should be treated as vulnerable. At the time of this analysis no fixed version had been identified, so engage UNIMAX for a patch timeline and for the affected endpoint or parameter, and deploy the fix as soon as it is released.

Until then, rely on compensating controls. Restrict network access to the application to trusted internal segments and VPN users, and in particular remove any direct internet exposure. Place a Web Application Firewall in front of it with SQL injection rules enabled in blocking mode, treating this as a stopgap rather than a fix, because injection payloads can often be encoded or reordered to evade signature matching. If the organization has source code access or the vendor provides customization, replace string-built queries with parameterized queries or prepared statements; input validation alone does not close CWE-89. Run the application's database account with the least privilege it needs: access only to the tables and operations the application actually uses, no rights on other databases or schemas, and no administrative or file-system capabilities on the database server, so that a successful injection cannot read beyond the application's own data. Finally, monitor web server, WAF and database logs for injection indicators (quote characters followed by SQL keywords, UNION SELECT, comment sequences, time-delay functions), for unusually large responses from lookup endpoints, and for the same client probing many parameters in quick succession, and alert on them.
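The monitoring recommendation above, as an added example that is not part of the original advisory: a small scanner that parses web server access log lines in the common log format, URL-decodes the query string and flags requests matching a few specific SQL injection indicators. The log lines, the /his/ endpoint, the parameter names and the attacker address are constructed for the example; nothing here is taken from the UNIMAX product or from a real incident. The same rules can be expressed as WAF signatures at the edge.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Constructed access-log lines in the common log format. Hosts, endpoints and
# parameter names are assumptions; 203.0.113.7 is a documentation address.
SAMPLE_LOG = """\
10.0.0.5 - - [17/Jul/2025:03:20:58 +0000] "GET /his/patient?id=1024 HTTP/1.1" 200 812
203.0.113.7 - - [17/Jul/2025:03:21:03 +0000] "GET /his/patient?id=1024%27%20OR%201%3D1-- HTTP/1.1" 200 9127
203.0.113.7 - - [17/Jul/2025:03:21:09 +0000] "GET /his/patient?id=1024%20UNION%20SELECT%20username,password_hash%20FROM%20users-- HTTP/1.1" 200 2210
10.0.0.9 - - [17/Jul/2025:03:22:41 +0000] "GET /his/search?q=O%27Brien HTTP/1.1" 200 640
203.0.113.7 - - [17/Jul/2025:03:23:15 +0000] "GET /his/patient?id=1024%20AND%20SLEEP(5) HTTP/1.1" 200 812
"""

# Common log format: client, ident, user, [timestamp], "METHOD target PROTO", status, size
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+)'
)

# Indicators of SQL injection attempts in decoded query strings. They are kept
# deliberately specific so that a lone apostrophe in legitimate data (a surname
# such as O'Brien) does not raise an alert on its own.
RULES = [
    ("union-select", re.compile(r"\bunion\b[\s/*]+(?:all\s+)?select\b", re.I)),
    ("boolean-tautology", re.compile(r"'\s*(?:or|and)\s+['\d]+\s*=\s*['\d]+", re.I)),
    ("time-based", re.compile(r"\b(?:sleep|benchmark|waitfor\s+delay|pg_sleep)\s*\(", re.I)),
    ("comment-terminator", re.compile(r"(?:--|#|/\*)\s*$")),
]


def decode_query(target: str) -> str:
    """Return the URL-decoded query string of a request target."""
    return unquote_plus(urlsplit(target).query)


def scan_log(text: str) -> list[dict]:
    """Parse each log line and report requests whose query matches any rule."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a common-log-format line; skip rather than guess
        query = decode_query(m.group("target"))
        hits = [name for name, rx in RULES if rx.search(query)]
        if hits:
            findings.append({
                "src": m.group("src"),
                "ts": m.group("ts"),
                "path": urlsplit(m.group("target")).path,
                "query": query,
                "rules": hits,
            })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['src']} {f['path']} rules={f['rules']} query={f['query']!r}")
```

On the constructed input the three requests from 203.0.113.7 are flagged (a boolean tautology, a UNION SELECT and a time-based probe) while the O'Brien search from an internal address is not. In production, decode the query string before matching, since encoded payloads are the norm, and correlate by source address: a single client hitting the same endpoint with several distinct indicators within minutes is a far stronger signal than any one line.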


Technical Details

Data Version
5.1
Assigner Short Name
twcert
Date Reserved
2025-07-17T02:44:00.935Z
Cvss Version
3.1
State
PUBLISHED

Threat ID: 68786e80a83201eaace14b30

Added to database: 7/17/2025, 3:31:12 AM

Last enriched: 7/17/2025, 3:46:06 AM

Last updated: 7/17/2025, 10:10:29 AM

