CVE-2025-9772
was · was RemoteClinic (Note: Vendor advisory states "Multiple Products", but provides specifics for RemoteClinic)
Executive summary
A high-severity vulnerability has been identified in the was RemoteClinic software platform, which could allow an unauthenticated attacker to gain unauthorized access to the system's underlying database. Successful exploitation could lead to the exposure, modification, or deletion of sensitive patient health information, posing a significant risk to data confidentiality and integrity. Organizations are urged to apply the vendor-provided security updates immediately to mitigate this threat.
Vulnerability
The vulnerability is an unauthenticated SQL injection flaw in the patient portal's appointment scheduling API endpoint. An unauthenticated remote attacker can send a specially crafted HTTP request containing malicious SQL queries to this endpoint. Due to improper input sanitization, the application directly incorporates this user-supplied input into a database query, allowing the attacker to bypass authentication controls, exfiltrate sensitive data from the database, modify records, or potentially achieve remote code execution depending on the database configuration.
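The following is an added illustration of the flaw class described above, not code from RemoteClinic or the vendor advisory. It uses an in-memory SQLite database with a constructed schema (the real table and column names are not published on this page) and contrasts an appointment lookup that concatenates the caller-supplied patient identifier into the query with the parameterized form that the fix should use. Running it shows the two behaviours the advisory warns about: a `' OR 1=1 --` payload returns every appointment, and a `UNION SELECT` payload pulls rows out of an unrelated patient table through the same endpoint.

```python
import sqlite3

# Constructed sample schema and rows for demonstration only.
# The real RemoteClinic schema is not described on this page.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE appointments (id INTEGER PRIMARY KEY, patient_id INTEGER, slot TEXT);
        CREATE TABLE patients (id INTEGER PRIMARY KEY, name TEXT, diagnosis TEXT);
        INSERT INTO appointments VALUES (1, 1, '2025-09-01 09:00'), (2, 2, '2025-09-01 10:00');
        INSERT INTO patients VALUES (1, 'Alice Example', 'hypertension'),
                                    (2, 'Bob Example', 'asthma');
    """)
    return conn


def find_slots_vulnerable(conn, patient_id):
    """Assumed shape of the flawed handler: the request parameter is spliced
    directly into the SQL text, so quotes, OR clauses and comments in the
    input become part of the query."""
    sql = "SELECT id, patient_id, slot FROM appointments WHERE patient_id = '%s'" % patient_id
    return conn.execute(sql).fetchall()


def find_slots_fixed(conn, patient_id):
    """Hardened form: the value travels as a bound parameter and is never
    interpreted as SQL, whatever characters it contains."""
    sql = "SELECT id, patient_id, slot FROM appointments WHERE patient_id = ?"
    return conn.execute(sql, (patient_id,)).fetchall()


# Payloads of the kind referenced in the monitoring guidance on this page.
TAUTOLOGY = "' OR 1=1 --"
EXFIL = "' UNION SELECT id, name, diagnosis FROM patients --"

if __name__ == "__main__":
    db = make_db()
    print("legitimate lookup      :", find_slots_vulnerable(db, "1"))
    print("tautology, vulnerable  :", find_slots_vulnerable(db, TAUTOLOGY))   # every appointment
    print("union exfil, vulnerable:", find_slots_vulnerable(db, EXFIL))       # patient records
    print("tautology, fixed       :", find_slots_fixed(db, TAUTOLOGY))        # no rows
    print("union exfil, fixed     :", find_slots_fixed(db, EXFIL))            # no rows
```

The parameterized version is the only durable fix; input filtering of keywords such as `UNION` or `--` can be bypassed with encoding and comment tricks and should be treated as a detection aid or WAF stopgap, not as remediation.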
Business impact
This vulnerability is rated as High severity with a CVSS score of 7.3. The primary business impact is the potential for a significant data breach involving Protected Health Information (PHI). Exploitation could lead to severe regulatory penalties under frameworks like HIPAA, substantial financial loss, and irreparable reputational damage. The compromise of patient data would erode patient trust and could result in legal action, directly impacting the organization's operational and financial stability.
Remediation
Immediate Action: The primary remediation is to apply the security updates released by the vendor across all affected instances of RemoteClinic immediately. Prioritize patching for systems that are exposed to the internet. After patching, it is crucial to review access and application logs for any signs of compromise that may have occurred before the patch was applied.
Proactive Monitoring:
Security teams should actively monitor for exploitation attempts. This includes analyzing web server and application logs for suspicious requests to the appointment scheduling API endpoint, specifically looking for SQL keywords (e.g., UNION, SELECT, ' OR 1=1, --). Implement alerts for a high volume of database errors or unusual data access patterns originating from the web application server.
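As an added example of the log review described above (not part of the original advisory), the script below scans web server access log lines in the common combined format, URL-decodes the query string of requests to the scheduling endpoint, and flags the SQL patterns listed in this section. The endpoint path `/api/appointments`, the parameter name `patient_id` and the log lines themselves are constructed for the example; substitute the path from the vendor advisory and the detection patterns your own WAF or SIEM already uses. A second function counts server errors on the same endpoint per client address, which is the "high volume of database errors" signal the guidance asks for.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Assumed endpoint path; the advisory page does not publish the real one.
ENDPOINT = "/api/appointments"

# Indicators named on this page, applied after URL decoding, case-insensitively.
SQLI_PATTERNS = {
    "union_select": re.compile(r"\bunion\b\s+(?:all\s+)?\bselect\b", re.I),
    "tautology":    re.compile(r"'\s*or\s+\d+\s*=\s*\d+", re.I),
    "comment":      re.compile(r"--|/\*"),
}

# Common/combined access log line: ip ident user [time] "method path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3})'
)

# Constructed sample log: one benign lookup, two injection attempts (one encoded
# tautology, one UNION exfiltration that produced a 500), a POST that also
# failed, and an unrelated path that happens to contain the word "select".
SAMPLE_LOG = """\
203.0.113.5 - - [01/Sep/2025:09:15:02 +0000] "GET /api/appointments?patient_id=42&date=2025-09-01 HTTP/1.1" 200 512
198.51.100.7 - - [01/Sep/2025:09:16:10 +0000] "GET /api/appointments?patient_id=%27%20OR%201%3D1%20-- HTTP/1.1" 200 9810
198.51.100.7 - - [01/Sep/2025:09:16:31 +0000] "GET /api/appointments?patient_id=1%27+UNION+SELECT+id%2Cname%2Cdiagnosis+FROM+patients-- HTTP/1.1" 500 231
198.51.100.7 - - [01/Sep/2025:09:16:45 +0000] "POST /api/appointments HTTP/1.1" 500 231
203.0.113.5 - - [01/Sep/2025:09:17:00 +0000] "GET /search?q=select+a+doctor HTTP/1.1" 200 2048
"""


def parse(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["path"], _, rec["query"] = rec["path"].partition("?")
    rec["status"] = int(rec["status"])
    return rec


def flag_requests(lines):
    """Return requests to the scheduling endpoint whose decoded query string
    matches any of the SQL injection indicators, with the indicator names."""
    hits = []
    for line in lines:
        rec = parse(line)
        if rec is None or not rec["path"].startswith(ENDPOINT):
            continue
        decoded = unquote_plus(rec["query"])
        matched = [name for name, pat in SQLI_PATTERNS.items() if pat.search(decoded)]
        if matched:
            hits.append({"ip": rec["ip"], "ts": rec["ts"], "query": decoded, "indicators": matched})
    return hits


def server_errors_by_ip(lines):
    """Count 5xx responses on the scheduling endpoint per client address;
    a spike here often reflects database errors from malformed injected SQL."""
    counts = Counter()
    for line in lines:
        rec = parse(line)
        if rec and rec["path"].startswith(ENDPOINT) and rec["status"] >= 500:
            counts[rec["ip"]] += 1
    return dict(counts)


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for hit in flag_requests(lines):
        print(f"{hit['ts']} {hit['ip']} {hit['indicators']} {hit['query']!r}")
    print("5xx on endpoint by ip:", server_errors_by_ip(lines))
```

Two caveats for anyone running this against real logs: access logs only carry the query string, so injection in a POST body or JSON payload is invisible here and needs application-level request logging or WAF logs; and keyword matching is a triage signal that will produce false positives on legitimate text, so the hits should drive a review of the matching session, not an automatic block on their own.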
Compensating Controls: If immediate patching is not feasible, implement a Web Application Firewall (WAF) with rules specifically designed to detect and block SQL injection attacks. If possible, restrict network access to the affected application to only trusted IP addresses and internal networks until patching can be completed.
Exploitation status
Public Exploit Available: false
Analyst recommendation
Given the High severity rating (CVSS 7.3) and the critical risk of a patient data breach, this vulnerability requires immediate attention. Although CVE-2025-9772 is not currently on the CISA KEV list, organizations should treat it with the highest priority due to the severe potential business impact. We strongly recommend that all organizations using the affected software apply the vendor-provided patches without delay. In parallel, security teams must enhance monitoring for indicators of compromise and deploy compensating controls, such as a WAF, to provide an additional layer of defense.