CVE-2025-15240

Multiple Products

Executive summary

A high-severity vulnerability has been discovered in the QOCA aim AI Medical Cloud Platform, which allows an authenticated attacker to upload malicious files. Successful exploitation could lead to the execution of arbitrary code, resulting in a complete compromise of the server, theft of sensitive medical data, and disruption of critical services.

Vulnerability

This vulnerability is an Arbitrary File Upload flaw within the QOCA aim AI Medical Cloud Platform. The application fails to properly validate the type and content of files uploaded by authenticated users. An attacker with valid credentials can exploit this by crafting a malicious file, such as a web shell (e.g., a PHP or ASPX script), and uploading it to a web-accessible directory on the server. By subsequently accessing the uploaded file's URL, the attacker can execute arbitrary commands on the server with the privileges of the web service account, leading to full Remote Code Execution (RCE).

Business impact

This vulnerability is rated as High severity with a CVSS score of 8.8. Exploitation could have severe consequences for the organization, including a significant breach of sensitive Protected Health Information (PHI), which would trigger regulatory penalties (e.g., under HIPAA) and cause major reputational damage. An attacker could disrupt critical medical operations, manipulate or steal patient data, and use the compromised server as a pivot point to attack other systems within the internal network. The potential for complete system takeover poses a direct threat to data confidentiality, integrity, and availability.

Remediation

Immediate Action: All organizations using the affected QOCA platform must apply the security updates provided by Quanta Computer immediately. Before patching, review web server and application access logs for any suspicious file upload events (e.g., files with extensions like .php, .jsp, .aspx) or unusual requests to non-standard files that may indicate a prior compromise.

Proactive Monitoring: Implement enhanced monitoring to detect potential exploitation attempts.

  • Log Analysis: Scrutinize web server logs for POST requests that upload files with executable extensions to unusual locations. Monitor for subsequent GET requests to these files.
  • File Integrity Monitoring (FIM): Deploy FIM on web server directories to generate alerts for the creation of new, unauthorized files.
  • Network Traffic Analysis: Monitor for anomalous outbound connections from the web server, which could indicate a web shell communicating with an attacker's command-and-control (C2) server.
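The Log Analysis item above, as an added detection example that is not from the advisory or the vendor: it parses constructed Common Log Format lines, flags POST requests to an assumed upload endpoint (`/api/upload`) whose assumed `filename` query parameter carries a script extension, and then flags any later GET that fetches one of those uploaded files. The endpoint, the parameter name, the extension list and the log lines are all assumptions made for the example.

```python
import re

# Constructed sample access-log lines (Common Log Format); not real QOCA logs.
# Assumption: the upload endpoint records the target filename as a query parameter.
SAMPLE_LOG = """\
10.0.0.5 - alice [12/Mar/2025:10:01:02 +0000] "POST /api/upload?filename=scan.jpg HTTP/1.1" 200 512
10.0.0.9 - bob [12/Mar/2025:10:02:10 +0000] "POST /api/upload?filename=report.php HTTP/1.1" 200 512
10.0.0.9 - bob [12/Mar/2025:10:02:15 +0000] "GET /uploads/report.php HTTP/1.1" 200 128
10.0.0.7 - carol [12/Mar/2025:10:03:00 +0000] "GET /uploads/scan.jpg HTTP/1.1" 200 4096
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \d+'
)
SCRIPT_EXTS = {".php", ".phtml", ".jsp", ".asp", ".aspx"}   # extensions named in the advisory plus common variants
UPLOAD_ENDPOINT = "/api/upload"                             # assumed path, not taken from the advisory


def parse(line):
    """Return the log fields as a dict, or None for lines that do not match the format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def has_script_ext(name):
    """True if any dotted segment of the basename is a script extension (catches x.php.jpg too)."""
    base = name.rsplit("/", 1)[-1].lower()
    return any("." + seg in SCRIPT_EXTS for seg in base.split(".")[1:])


def find_suspicious(log_text):
    """Flag uploads of script-extension files and later GETs that fetch them."""
    uploaded = set()   # basenames of flagged uploads seen so far
    findings = []
    for line in log_text.splitlines():
        e = parse(line)
        if not e:
            continue
        path, query = (e["path"].split("?", 1) + [""])[:2]
        if e["method"] == "POST" and path == UPLOAD_ENDPOINT:
            params = dict(p.split("=", 1) for p in query.split("&") if "=" in p)
            name = params.get("filename", "")
            if has_script_ext(name):
                uploaded.add(name)
                findings.append(("script_upload", e["user"], e["ip"], name))
        elif e["method"] == "GET" and has_script_ext(path):
            name = path.rsplit("/", 1)[-1]
            if name in uploaded:   # the uploaded script is now being requested over the web
                findings.append(("uploaded_script_fetched", e["user"], e["ip"], name))
    return findings
```

Each finding should be treated as a trigger for the File Integrity Monitoring check on the upload directory, since a fetched script that also exists on disk is the strongest signal of a web shell.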

Compensating Controls: If immediate patching is not feasible, implement the following controls to reduce risk:

  • Web Application Firewall (WAF): Configure WAF rules to strictly enforce file type restrictions, allowing only necessary file types (e.g., .jpg, .pdf) and blocking executable script extensions.
  • File System Permissions: Ensure the directory used for file uploads is configured with no-execute permissions to prevent the server from running any uploaded scripts.
  • Access Control: Restrict access to the file upload functionality to only trusted and necessary user roles.

Exploitation status

Public Exploit Available: false

Analyst recommendation

Given the high severity (CVSS 8.8) of this vulnerability and the critical nature of the data handled by this medical platform, immediate remediation is strongly recommended. Organizations must prioritize the deployment of vendor-supplied patches to all affected systems to prevent a potential server compromise and data breach. Although CVE-2025-15240 is not currently on the CISA KEV list, its potential for enabling remote code execution makes it a highly attractive target. Proactive monitoring for indicators of compromise should be implemented alongside patching efforts to ensure systems have not already been compromised.