A high-severity SQL Injection vulnerability has been discovered in multiple Clinic products developed by Changing. This flaw allows a remote, unauthenticated attacker to bypass security measures and directly access the underlying database, potentially leading to the theft of sensitive patient information and other confidential data.

The Clinic Image System is vulnerable to unauthenticated SQL Injection. An attacker can send specially crafted input to the application, which is then incorrectly processed and executed as a SQL command. This allows a remote attacker, without needing any login credentials, to manipulate the database to extract, modify, or delete sensitive information, effectively bypassing all application-level security controls.

This vulnerability is rated as High severity with a CVSS score of 7.5. Successful exploitation could lead to a significant data breach, exposing Protected Health Information (PHI), patient records, and other confidential data. The consequences include severe reputational damage, loss of patient trust, and substantial financial penalties from regulatory non-compliance (e.g., HIPAA). The integrity of critical medical data is also at risk, as an attacker could potentially alter or delete records, impacting patient care and operations.

Immediate Action:

• Apply Patches: Immediately deploy the security patches provided by the vendor across all affected systems to resolve the vulnerability.
• Review Access Controls: Conduct a thorough review of database user permissions. Ensure the application's service account adheres to the principle of least privilege and only has the absolute minimum permissions required for its operation.
• Enable Logging: Activate and enhance database query logging to capture all executed commands, providing visibility for forensic analysis and future threat hunting.

Proactive Monitoring:

• Monitor web application and database logs for suspicious queries containing SQL keywords (UNION, SELECT, SLEEP) or syntax (--, ', ;).
• Analyze network traffic for unusual outbound data flows from the database server, which could indicate data exfiltration.
• Implement alerts for repeated failed access attempts or unusual error messages from the application, which may signal an attacker probing for the vulnerability.

Compensating Controls:

• Deploy a Web Application Firewall (WAF) with a strict ruleset configured to detect and block SQL injection attack patterns.
• Implement network segmentation to isolate the database servers, restricting access to only the specific application servers that require it.
• Regularly perform vulnerability scans and penetration tests to identify and remediate similar security weaknesses.

Public Exploit Available: false

Given the high severity (CVSS 7.5) and the critical nature of the data at risk, we strongly recommend that all organizations using the affected Clinic products prioritize the immediate application of the vendor-supplied patches. Although this vulnerability is not currently listed on the CISA Known Exploited Vulnerabilities (KEV) catalog, the potential for a severe data breach warrants urgent action. Organizations should treat this as a critical priority and implement the recommended remediation and monitoring controls without delay to mitigate the risk of compromise.