CVE-2025-66048
Multiple products (utilizing The Biosig Project libbiosig library)
Executive summary
A critical vulnerability has been identified in multiple software products that use a common library for processing MFER files, a format often used in medical and research fields. This flaw allows an attacker to take complete control of a user's computer if they are tricked into opening a specially crafted malicious file. Due to the severity of this vulnerability, immediate patching is required to prevent potential system compromise and data theft.
Vulnerability
This vulnerability is a stack-based buffer overflow in the MFER (Medical waveform Format Encoding Rules) parsing functionality of the libbiosig library. The flaw occurs when the application processes an MFER file containing a data tag with the value 133. The code that handles this tag does not validate the length of the associated data before copying it into a fixed-size buffer on the program's stack. An attacker can create a malicious MFER file with an oversized data payload for tag 133, causing the buffer to overflow and overwrite adjacent memory, including the function's return address. This allows the attacker to redirect the program's execution flow to malicious code (shellcode) embedded within the file, resulting in arbitrary code execution with the permissions of the user running the application.
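To illustrate the bug class described above, here is an added example that is not libbiosig's code: a minimal tag/length/value parser with the unchecked copy beside its bounds-checked form. The record layout (1-byte tag, 1-byte length, then the value), the 16-byte buffer size and the function names are constructed for the illustration.

```c
/* Added example, not libbiosig's code: a minimal tag/length/value parser
 * showing the bug class in the advisory. Record layout is a constructed
 * simplification (1-byte tag, 1-byte length, then the value); the real
 * MFER length encoding is more involved. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define TAG_133      133   /* the tag named in the advisory */
#define TAG_BUF_SIZE 16    /* hypothetical fixed-size stack buffer */

/* Vulnerable pattern: the declared length is trusted and copied into a
 * fixed-size stack buffer, so a length above TAG_BUF_SIZE overflows it. */
int parse_tag133_unchecked(const uint8_t *rec, size_t rec_len)
{
    uint8_t buf[TAG_BUF_SIZE];
    if (rec_len < 2 || rec[0] != TAG_133)
        return -1;
    size_t len = rec[1];
    memcpy(buf, rec + 2, len);          /* no bounds check: the bug class */
    return (int)len;
}

/* Hardened pattern: validate the declared length against the destination
 * buffer and against the bytes actually present before copying anything. */
int parse_tag133_checked(const uint8_t *rec, size_t rec_len)
{
    uint8_t buf[TAG_BUF_SIZE];
    if (rec_len < 2 || rec[0] != TAG_133)
        return -1;                      /* not a tag-133 record */
    size_t len = rec[1];
    if (len > sizeof buf)
        return -2;                      /* oversized payload: reject */
    if (len > rec_len - 2)
        return -3;                      /* truncated record: reject */
    memcpy(buf, rec + 2, len);
    return (int)len;                    /* bytes accepted */
}

/* Constructed sample records (not real MFER data). */
static const uint8_t good_rec[]      = { 133, 4, 1, 2, 3, 4 };
static const uint8_t oversized_rec[] = { 133, 200, 0xAA, 0xBB };
static const uint8_t truncated_rec[] = { 133, 8, 1, 2 };

int demo_good(void)      { return parse_tag133_checked(good_rec, sizeof good_rec); }
int demo_oversized(void) { return parse_tag133_checked(oversized_rec, sizeof oversized_rec); }
int demo_truncated(void) { return parse_tag133_checked(truncated_rec, sizeof truncated_rec); }
/* The unchecked parser behaves the same on well-formed input. */
int demo_unchecked_ok(void) { return parse_tag133_unchecked(good_rec, sizeof good_rec); }
```

The hardened parser rejects the oversized record with -2 and the truncated record with -3 before any copy takes place, which is the check the advisory says is missing.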
Business impact
This vulnerability is rated as critical severity with a CVSS score of 9.8. Successful exploitation could lead to a complete compromise of the affected endpoint, allowing an attacker to execute arbitrary commands. The potential business impact is severe, including theft of sensitive data (such as patient information or proprietary research), installation of persistent malware like ransomware or spyware, and using the compromised system as a pivot point for further attacks into the corporate network. For organizations in healthcare or research, the compromise of systems handling MFER files could lead to significant operational disruption, data integrity issues, and severe regulatory non-compliance penalties.
Remediation
Immediate Action: Identify all systems running software that utilizes The Biosig Project libbiosig library and update them to the latest patched versions as provided by the respective software vendors. Due to the critical nature of this vulnerability, patching should be treated as an emergency change. Concurrently, security teams should begin monitoring for signs of exploitation and review access logs for any suspicious MFER file processing activity.
Proactive Monitoring:
- Log Analysis: Monitor application logs for crashes or errors related to MFER file parsing. Scrutinize endpoint logs for the opening of MFER files from untrusted sources, such as email attachments or web downloads.
- Network Traffic: Monitor for unusual outbound connections from workstations that typically process MFER files. Such connections could indicate a successful compromise and communication with an attacker's command-and-control (C2) server.
- Endpoint Detection (EDR/XDR): Deploy and monitor EDR/XDR solutions to detect suspicious process execution, memory manipulation, or child processes spawning from applications that handle MFER files.
Compensating Controls: If patching is not immediately possible, implement the following controls to reduce risk:
- User Awareness: Issue an immediate security bulletin warning users not to open or process MFER files from untrusted or unsolicited sources.
- File Scanning: Configure email gateways and web proxies to block or quarantine MFER files from external sources pending security review.
- Application Control: Use application whitelisting tools to prevent affected software from executing unknown code or creating new processes.
Exploitation status
Public Exploit Available: false
Analyst recommendation
This vulnerability represents a critical risk to the organization and must be addressed with the highest priority. The primary recommendation is to apply vendor-supplied patches to all affected systems immediately. Although CVE-2025-66048 is not currently on the CISA Known Exploited Vulnerabilities (KEV) catalog, its 9.8 CVSS score indicates a high likelihood of future exploitation. Organizations must act proactively to mitigate this threat before it becomes actively exploited in the wild. If patching is delayed, the compensating controls listed above must be implemented without exception to provide a layer of defense.