VYPR
High severity · NVD Advisory · Published Mar 2, 2026 · Updated Apr 27, 2026

CVE-2025-10350

Description

SQL Injection vulnerability in the "imageserver" module when processing C-FIND queries in CGM NETRAAD software allows an attacker connected to the PACS to gain access to the database, including data processed by CGM CLININET software. This issue affects CGM NETRAAD with the imageserver module in versions before 7.9.0.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

An SQL injection vulnerability in the CGM NETRAAD PACS imageserver module allows an authenticated attacker to access the database, including data processed by CGM CLININET.

Root Cause

The CGM NETRAAD software, a PACS and RIS system for medical imaging, contains an SQL injection vulnerability in its imageserver module when processing DICOM C-FIND queries. The software fails to properly neutralize special elements used in SQL commands, allowing an attacker to inject arbitrary SQL statements [1]. This vulnerability affects all versions before 7.9.0 [1].
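For developers of similar query handlers, the following added example (not CGM's code and not from the advisory) shows one way to turn C-FIND matching keys into SQL without letting request values reach the statement text. The `studies` table, its column names, and all function names are assumptions made for the illustration.

```python
import sqlite3

# Hypothetical allow-list: C-FIND matching key -> column of an assumed "studies" table.
# Column names come only from this map, never from the request.
KEY_TO_COLUMN = {
    "PatientName": "patient_name",
    "PatientID": "patient_id",
    "AccessionNumber": "accession_number",
}

# DICOM wildcards (* and ?) become LIKE wildcards; LIKE's own metacharacters are escaped.
LIKE_MAP = {"\\": "\\\\", "%": "\\%", "_": "\\_", "*": "%", "?": "_"}

def dicom_to_like(value):
    """Translate a DICOM wildcard value into an escaped SQL LIKE pattern."""
    return "".join(LIKE_MAP.get(ch, ch) for ch in value)

def build_cfind_query(identifier):
    """Return (sql, params) for a C-FIND identifier given as {keyword: value}."""
    clauses, params = [], []
    for keyword, value in identifier.items():
        column = KEY_TO_COLUMN.get(keyword)
        if column is None:
            raise ValueError(f"unsupported matching key: {keyword}")
        if value == "":
            continue  # empty value is a return key only, so it adds no filter
        clauses.append(f"{column} LIKE ? ESCAPE '\\'")
        params.append(dicom_to_like(value))  # bound as data, never concatenated
    where = " AND ".join(clauses) or "1=1"
    return f"SELECT patient_id, patient_name FROM studies WHERE {where}", params

def find_studies(conn, identifier):
    """Run the parameterized query and return matching rows."""
    sql, params = build_cfind_query(identifier)
    return conn.execute(sql, params).fetchall()

def demo_db():
    """In-memory database with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE studies (patient_id TEXT, patient_name TEXT, accession_number TEXT)")
    conn.executemany("INSERT INTO studies VALUES (?, ?, ?)", [
        ("P1", "O'BRIEN^ANNA", "A100"),
        ("P2", "NOWAK^JAN", "A101"),
    ])
    return conn
```

A value containing quotes or SQL keywords is matched literally against the column, and a key outside the allow-list is rejected before any SQL is built.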

Exploitation

An attacker must be connected to the PACS network as an authenticated user to exploit this flaw. By crafting a malicious C-FIND query with embedded SQL code, the attacker can manipulate database queries processed by the imageserver module [1]. The vulnerability does not require prior local access, but does require network-level authentication to the PACS service.

Impact

Successful exploitation grants the attacker read access to the underlying database. This includes exposure of patient data and other information processed by the related CGM CLININET software, which may include sensitive medical records. The attacker could also potentially extract or alter data, depending on database permissions [1].

Mitigation

The vendor has addressed this issue in version 7.9.0 of CGM NETRAAD. Users are advised to upgrade to this version or later to remediate the vulnerability. No other workarounds have been publicly documented [1].

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
