A critical vulnerability, identified as CVE-2025-0603, has been discovered in Callvision Healthcare's Callvision Emergency Code and potentially other products. This flaw, a severe SQL Injection, allows an unauthenticated attacker to manipulate the application's database, potentially leading to the theft, modification, or deletion of highly sensitive data. Due to its critical CVSS score of 9.8, immediate remediation is required to prevent a significant data breach.

The vulnerability is an Improper Neutralization of Special Elements used in an SQL Command, commonly known as SQL Injection. The application fails to properly sanitize user-supplied input before using it in a database query. An attacker can exploit this by crafting input that includes malicious SQL commands, which are then executed by the back-end database, allowing for both standard and blind SQL injection techniques. This could enable an attacker to bypass authentication controls, read sensitive data from the database, modify or delete data, and in some cases, execute administrative commands on the database server.

This vulnerability is rated as critical severity with a CVSS score of 9.8. Successful exploitation could have devastating consequences for the organization. An attacker could gain unauthorized access to and exfiltrate sensitive data, which in a healthcare context, likely includes Protected Health Information (PHI). This could lead to severe regulatory penalties (e.g., under HIPAA), significant reputational damage, and loss of customer trust. Furthermore, the ability to modify or delete data within an "Emergency Code" system could disrupt critical healthcare operations, potentially impacting patient safety.

Immediate Action: The primary remediation is to apply the security updates provided by the vendor. Update Callvision Healthcare Callvision Emergency Code and any other affected products to the latest patched version immediately. After patching, it is crucial to monitor for any signs of exploitation that may have occurred prior to remediation by reviewing web server and database access logs for suspicious activity.

Proactive Monitoring: Implement enhanced monitoring of web application and database logs. Look for anomalous SQL queries, especially those containing keywords like UNION, SELECT, SLEEP, '--, or ' OR '1'='1'. Monitor for unusual outbound network traffic from the database server, which could indicate data exfiltration.

Compensating Controls: If immediate patching is not feasible, implement the following controls to mitigate risk:

• Deploy a Web Application Firewall (WAF) with a ruleset configured to detect and block SQL injection attempts.
• Restrict access to the application and its database at the network level, allowing connections only from trusted IP addresses.
• Ensure the application's database service account is configured with the principle of least privilege, limiting its ability to read from non-essential tables or perform destructive actions.

Public Exploit Available: false

Given the critical 9.8 CVSS score and the potential for a catastrophic data breach involving sensitive healthcare information, this vulnerability represents a severe risk to the organization. We strongly recommend that all affected Callvision Healthcare products are patched on an emergency basis. Although this CVE is not currently listed on the CISA KEV list, its critical nature makes it a prime candidate for future inclusion and a high-priority target for attackers. Immediate action to patch, monitor, and apply compensating controls is essential to protect the organization's data and operational integrity.