CVE-2026-41258

OpenMRS · OpenMRS Core

OpenMRS Core fails to properly sandbox Apache Velocity templates, allowing authenticated users with specific privileges to achieve arbitrary Java reflection and code execution.

Executive summary

An authenticated remote code execution vulnerability in OpenMRS Core allows users holding the "Manage Concepts" privilege to execute arbitrary Java code via malicious Velocity template expressions.

Vulnerability

The application evaluates database-stored criteria (the concept reference-range criteria that administrators edit) as Velocity templates without adequate sandboxing, so an authenticated user with the "Manage Concepts" privilege can inject template expressions that reach Java reflection and execute arbitrary code.

Business impact

An attacker with modest privileges can escalate to full system access, potentially exposing highly sensitive electronic medical records. A CVSS score of 9.1 underlines the severity of this privilege escalation and execution risk.

Remediation

Immediate Action: Upgrade to OpenMRS Core version 2.7.9 or 2.8.6 to address the template evaluation flaw.

Proactive Monitoring: Audit recent changes to concept reference-range criteria and monitor for unusual Java object instantiation or unauthorized service-layer calls originating from template evaluation.

Compensating Controls: Restrict administrative privileges to a minimal set of trusted users and implement strict code review processes for any configuration changes.
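The audit step above can be scripted. The following is an added example, not code from OpenMRS or from the advisory: it scans stored reference-range criteria for Velocity constructs that reach reflection, class loading or the OpenMRS service layer (the constructs a legitimate numeric criterion never needs). The row list is constructed inline; in practice you would feed it the criteria column of your own database export (table and column names are not given on this page, so none are assumed here).

```python
"""Flag stored Velocity criteria that reach reflection or the service layer."""
import re
from typing import Dict, List, Tuple

# Velocity fragments that give a template access to java.lang.Class, class
# loaders, process execution or the OpenMRS Context service locator. A
# reference-range criterion should only compare patient attributes, so any
# hit is worth a manual review of who changed the row and when.
SUSPICIOUS_PATTERNS: List[Tuple[str, str]] = [
    (r"\.class\b", "java.lang.Class access via .class"),
    (r"\bgetClass\s*\(", "getClass() call"),
    (r"\bforName\s*\(", "Class.forName() lookup"),
    (r"\bgetClassLoader\s*\(", "class loader access"),
    (r"\bnewInstance\s*\(", "reflective instantiation"),
    (r"\bgetMethods?\s*\(", "reflective method lookup"),
    (r"\b(?:Runtime|ProcessBuilder)\b", "process execution class"),
    (r"\bContext\.get\w*Service\s*\(", "service-layer call from template"),
]
_COMPILED = [(re.compile(p), why) for p, why in SUSPICIOUS_PATTERNS]


def scan_criterion(criterion: str) -> List[str]:
    """Return the reasons a single criterion string looks suspicious."""
    return [why for rx, why in _COMPILED if rx.search(criterion)]


def audit(rows: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Return only the rows whose criteria trip at least one pattern."""
    flagged = []
    for row in rows:
        reasons = scan_criterion(row["criteria"])
        if reasons:
            flagged.append({"id": row["id"], "criteria": row["criteria"],
                            "reasons": reasons})
    return flagged


# Constructed sample rows (hypothetical ids and criteria, not real data).
SAMPLE_ROWS = [
    {"id": "1", "criteria": "$fn.getAge() >= 18"},
    {"id": "2", "criteria": "$fn.getPatient().getGender() == 'F'"},
    {"id": "3", "criteria": "#set($c = $fn.getClass()) $c.name"},
    {"id": "4", "criteria": "$fn.getAge() > 0 && $Context.getUserService()"},
]

if __name__ == "__main__":
    for hit in audit(SAMPLE_ROWS):
        print(hit["id"], "->", ", ".join(hit["reasons"]))
```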

Exploitation status

Public Exploit Available: false

Analyst recommendation

Given the sensitivity of data handled by OpenMRS, this vulnerability must be remediated immediately. Administrators should upgrade to the specified versions to prevent unauthorized code execution.