CVE-2015-6538
Description
Epiphany Cardio Server login page is vulnerable to LDAP injection, allowing unauthenticated attackers to bypass authentication and access patient data.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The login page in Epiphany Cardio Server versions 3.3, 4.0, and 4.1 does not sanitize or escape user-supplied input before incorporating it into the LDAP query used for authentication. LDAP metacharacters supplied in a crafted URL therefore become part of the query itself rather than being treated as literal data, which is LDAP injection (CWE-90, Improper Neutralization of Special Elements used in an LDAP Query). Because the flaw sits in the authentication mechanism, it is reachable in a default installation, before any credential is checked [1].
Exploitation
Exploitation requires only network access to the Cardio Server login page; no credentials or prior foothold are needed. By sending a crafted HTTP request to the login page URL with LDAP injection payloads in the user-controlled parameters, the attacker changes the LDAP query the server executes. According to the advisory, the injected syntax can redirect the LDAP lookup to an attacker-controlled LDAP server, so the attacker decides what the authentication response says [1]. No public proof-of-concept or request format is given in the cited references.
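To make the mechanism in the Vulnerability and Exploitation sections concrete, here is an added illustration of the CWE-90 pattern. It is not Epiphany's code and is not derived from the advisory; the filter template, the in-memory directory, the toy filter evaluator and the payloads are all assumptions constructed for this example, since the real Cardio Server query and request format are not published in the references above. It shows a login that splices the username and password straight into an LDAP search filter beside the same code with RFC 4515 escaping, and evaluates both against the sample directory.

```python
import re

# Hypothetical login filter of the shape a web login page might build.
# Assumption for this example, not Epiphany Cardio Server's actual query.
TEMPLATE = "(&(uid={user})(userPassword={password}))"

# Constructed sample directory: one dict of attributes per entry.
DIRECTORY = [
    {"uid": "admin", "objectClass": "person", "userPassword": "Hunter2!"},
    {"uid": "jdoe", "objectClass": "person", "userPassword": "correct-horse"},
]

# RFC 4515 assertion-value escapes. Backslash is in the table, and the
# escaping is a single pass, so nothing is double-escaped.
_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}


def escape_filter_value(value: str) -> str:
    """Escape a value so it is treated as literal data inside an LDAP filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_filter_unsafe(user: str, password: str) -> str:
    """Vulnerable (CWE-90): raw user input becomes filter syntax."""
    return TEMPLATE.format(user=user, password=password)


def build_filter_safe(user: str, password: str) -> str:
    """Hardened: every assertion value is escaped before interpolation."""
    return TEMPLATE.format(user=escape_filter_value(user),
                           password=escape_filter_value(password))


def _unescape(value: str) -> str:
    """Turn \\xx hex escapes back into the characters they stand for."""
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def _parse(s: str, i: int):
    """Parse one parenthesised filter at s[i]; return (node, index after it)."""
    if i >= len(s) or s[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if i < len(s) and s[i] in "&|":
        op, children, i = s[i], [], i + 1
        while i < len(s) and s[i] == "(":
            child, i = _parse(s, i)
            children.append(child)
        if i >= len(s) or s[i] != ")":
            raise ValueError(f"unterminated {op!r} filter")
        return (op, children), i + 1
    end = s.find(")", i)
    if end < 0:
        raise ValueError("unterminated simple filter")
    attr, _, value = s[i:end].partition("=")
    return ("=", attr, value), end + 1


def parse_filter(s: str):
    """Parse a complete filter (equality, presence, AND, OR); reject trailing data.
    Toy evaluator only: real servers differ in how they treat malformed filters."""
    node, i = _parse(s, 0)
    if i != len(s):
        raise ValueError("trailing data after filter")
    return node


def matches(node, entry: dict) -> bool:
    """Evaluate a parsed filter against one directory entry."""
    if node[0] == "&":
        return all(matches(c, entry) for c in node[1])
    if node[0] == "|":
        return any(matches(c, entry) for c in node[1])
    _, attr, value = node
    if attr not in entry:
        return False
    if value == "*":  # presence filter: an unescaped bare '*' matches any value
        return True
    return entry[attr] == _unescape(value)


def login(build_filter, user: str, password: str):
    """Return the uid of the first entry the login filter matches, else None.
    Treating a non-empty search result as 'authenticated' is the bug that
    makes the injected presence filter a full bypass."""
    node = parse_filter(build_filter(user, password))
    for entry in DIRECTORY:
        if matches(node, entry):
            return entry["uid"]
    return None


# Constructed payloads: a bare '*' in the password slot turns the password
# assertion into a presence test, so any password "matches"; '*' in both
# slots matches the first entry in the directory.
BYPASS_PASSWORD = "*"

if __name__ == "__main__":
    for build in (build_filter_unsafe, build_filter_safe):
        print(build.__name__, build("admin", BYPASS_PASSWORD),
              "->", login(build, "admin", BYPASS_PASSWORD))
```

Escaping is the necessary fix, but the safer design is not to put the password into a search filter at all: search for the entry by the escaped username only, then perform an LDAP simple bind with the returned DN and the submitted password, and treat a successful bind as the authentication decision. Library helpers that do the escaping (for example `ldap.filter.filter_format` in python-ldap or `ldap3.utils.conv.escape_filter_chars` in ldap3) are the drop-in equivalent of `escape_filter_value` above.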
Impact
Successful exploitation allows an unauthenticated attacker to bypass authentication entirely and gain administrative privileges on the Cardio Server. With administrator access, the attacker can view, modify, or delete patient information stored in the system, compromising the confidentiality, integrity, and availability of sensitive medical data [1].
Mitigation
Epiphany Healthcare has released patches for the affected Cardio Server versions 3.3, 4.0, and 4.1. Users are advised to apply the patches as soon as possible and consider upgrading to the latest supported version. Patches can be obtained by contacting Epiphany’s Vice President of Professional Services. No workaround is documented, and the vulnerability is not listed in CISA’s Known Exploited Vulnerabilities catalog [1].
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- cpe:2.3:a:ephiphanyheathdata:cardio_server:3.3:*:*:*:*:*:*:*
- cpe:2.3:a:ephiphanyheathdata:cardio_server:4.0:*:*:*:*:*:*:*
- cpe:2.3:a:ephiphanyheathdata:cardio_server:4.1:*:*:*:*:*:*:*
- (no CPE) range: 3.3, 4.0, 4.1
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- www.epiphanyhealthdata.com/blog/certresponse (Vendor Advisory, via NVD)
- www.kb.cert.org/vuls/id/630239 (Third Party Advisory, US Government Resource, via NVD)
News mentions
No linked articles in our index yet.