
CVE-2025-8306: CWE-1220 Insufficient Granularity of Access Control in Asseco InfoMedica Plus

Severity: Medium
Published: Thu Jan 08 2026 (01/08/2026, 13:43:33 UTC)
Source: CVE Database V5
Vendor/Project: Asseco
Product: InfoMedica Plus

Description

Asseco InfoMedica is a comprehensive solution used to manage both administrative and medical tasks in the healthcare sector. A low-privileged user is able to obtain the encoded passwords of all other accounts (including the main administrator) due to a lack of granularity in access control. Chained exploitation of this vulnerability and CVE-2025-8307 allows an attacker to escalate privileges. This vulnerability has been fixed in versions 4.50.1 and 5.38.0.

AI-Powered Analysis

AI analysis last updated: 01/08/2026, 14:20:24 UTC

Technical Analysis

CVE-2025-8306 is classified under CWE-1220, insufficient granularity of access control, in Asseco InfoMedica Plus, a product widely used in healthcare environments to manage both administrative and medical workflows. The flaw allows a low-privileged user to retrieve the encoded passwords of all other accounts, including high-privilege accounts such as the main administrator. It occurs because the access control mechanism does not restrict access to credential data finely enough: being authenticated is sufficient to reach it, rather than holding an administrative role. The vulnerability is exploitable over an adjacent network without user interaction and with low attack complexity, but it requires a low-privileged account to begin with.

On its own, CVE-2025-8306 discloses credentials; chained with CVE-2025-8307 it allows privilege escalation, potentially leading to full system compromise. The affected versions are 4.0.0 and 5.0.0, with fixes released in versions 4.50.1 and 5.38.0. No public exploits have been reported yet, but the risk remains significant given the sensitivity of healthcare data and the critical administrative functions the software manages. The CVSS 4.0 score of 5.1 corresponds to a medium severity rating, reflecting the partial impact on confidentiality and the ease of exploitation by authenticated low-privileged users. The absence of any user interaction and the exposure of encoded passwords make this a serious concern for healthcare providers relying on this software.
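The access-control defect described above, shown as an added illustration of the CWE-1220 pattern rather than InfoMedica's own code: the user store, role names and listing functions are constructed assumptions, and the vulnerable variant is placed beside a hardened one that adds both a finer authorization decision and field-level filtering of credential data.

```python
from typing import Dict, List

# Constructed sample accounts with placeholder hashes; InfoMedica's real schema,
# roles and endpoints are not on the page and are assumed here for illustration.
USERS: Dict[str, dict] = {
    "admin":     {"role": "admin",     "password_hash": "<hash-placeholder-1>", "dept": "IT"},
    "dr_nowak":  {"role": "clinician", "password_hash": "<hash-placeholder-2>", "dept": "Cardiology"},
    "reception": {"role": "clerk",     "password_hash": "<hash-placeholder-3>", "dept": "Front desk"},
}

# Fields that must never be serialised to any caller, whatever their role.
CREDENTIAL_FIELDS = {"password_hash"}


def list_users_vulnerable(caller: str) -> List[dict]:
    """CWE-1220 pattern: the only decision is 'is the caller logged in?'.
    Every authenticated account, however low-privileged, receives the full
    record of every other account, credential fields included."""
    if caller not in USERS:
        raise PermissionError("not authenticated")
    return [{"username": u, **rec} for u, rec in USERS.items()]


def list_users_hardened(caller: str) -> List[dict]:
    """Two independent fixes:
    1. an authorization decision finer than 'authenticated': only admins may
       enumerate accounts, everyone else sees just their own record;
    2. credential fields are stripped before the record leaves the data
       layer, so even an admin-level listing cannot disclose hashes."""
    if caller not in USERS:
        raise PermissionError("not authenticated")
    visible = list(USERS) if USERS[caller]["role"] == "admin" else [caller]
    return [
        {"username": u, **{k: v for k, v in USERS[u].items() if k not in CREDENTIAL_FIELDS}}
        for u in visible
    ]


def exposed_credential_fields(records: List[dict]) -> int:
    """Count credential fields present in a listing; 0 is the only acceptable value."""
    return sum(1 for rec in records for key in rec if key in CREDENTIAL_FIELDS)


if __name__ == "__main__":
    for fn in (list_users_vulnerable, list_users_hardened):
        rows = fn("reception")  # the low-privileged caller from the advisory's scenario
        print(f"{fn.__name__}: {len(rows)} records, "
              f"{exposed_credential_fields(rows)} credential fields exposed")
```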

Potential Impact

For European healthcare organizations using affected versions of Asseco InfoMedica Plus, this vulnerability poses a significant risk to the confidentiality and integrity of sensitive patient and administrative data. Unauthorized access to encoded passwords can lead to credential theft, enabling attackers to impersonate privileged users and gain unauthorized access to critical systems. This can disrupt healthcare operations, compromise patient privacy, and potentially lead to data breaches subject to GDPR penalties. The chained exploitation with CVE-2025-8307 could allow attackers to escalate privileges and execute arbitrary actions, increasing the risk of system manipulation, data tampering, or ransomware deployment. The impact extends beyond individual organizations to potentially affect national healthcare infrastructure, especially in countries where Asseco InfoMedica Plus is widely deployed. The medium CVSS score reflects moderate risk, but the sensitive context of healthcare elevates the operational and reputational consequences of exploitation.

Mitigation Recommendations

Organizations should immediately verify their installed version of Asseco InfoMedica Plus and upgrade to version 4.50.1 or 5.38.0 or later, where the vulnerability is fixed. Because any low-privileged user may already have retrieved the encoded passwords, treat them as exposed: rotate credentials after upgrading, starting with the main administrator and other privileged accounts. Until patching is completed, restrict access to the application to trusted network segments and enforce strict role-based access controls so that as few accounts as possible, including low-privileged ones, can reach user-management and credential-related functions. Implement network segmentation to isolate healthcare management systems from general user networks. Monitor logs for unusual access patterns, in particular low-privileged accounts enumerating user records or attempting to retrieve credential data. Conduct regular audits of user privileges and of the credentials stored within the system. Employ multi-factor authentication (MFA) for administrative accounts so that a disclosed password alone is not enough to abuse them. Coordinate with Asseco support for any additional security advisories or mitigations. Finally, ensure incident response plans cover credential compromise and privilege escalation within healthcare systems.


Technical Details

Data Version: 5.2
Assigner Short Name: CERT-PL
Date Reserved: 2025-07-29T12:07:30.706Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 695fb9abc901b06321f2a5e8

Added to database: 1/8/2026, 2:05:31 PM

Last enriched: 1/8/2026, 2:20:24 PM

Last updated: 1/9/2026, 6:36:18 AM

Views: 13
