CVE-2025-41004
Description
Imaster's Patient Records Management System is vulnerable to SQL Injection in the endpoint ‘/projects/hospital/admin/complaints.php’ through the ‘id’ parameter.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Imaster's Patient Records Management System suffers from a high-severity SQL Injection in complaints.php via the 'id' parameter, allowing authenticated attackers to compromise data.
Vulnerability Overview
CVE-2025-41004 is an SQL Injection vulnerability found in Imaster's Patient Records Management System. The flaw resides in the endpoint /projects/hospital/admin/complaints.php, where the id parameter is not properly sanitized before being used in a database query. This allows an authenticated attacker to inject arbitrary SQL commands, potentially extracting or modifying sensitive patient record data [1].
Exploitation Details
The vulnerability has a CVSS v4.0 base score of 8.7 (High), reflecting low attack complexity and a requirement for low-privilege authentication. The attacker does not need user interaction and can exploit the vulnerability over the network. The vulnerable parameter id is processed by the server without adequate validation, enabling classic SQL injection techniques such as union-based or blind injection [1].
Impact
Successful exploitation grants the attacker the ability to read, modify, or delete database contents with high impact to confidentiality, integrity, and availability. This could lead to exposure of protected health information (PHI), unauthorized changes to patient records, or denial of service through destructive queries. The vulnerability does not extend to adjacent networks or internal systems by itself [1].
Mitigation Status
As of the publication date (2026-01-12), INCIBE reports that no official solution or patch has been provided by Imaster. Users of the Patient Records Management System are advised to apply input validation or parameterized queries to the id parameter as a workaround, and to monitor vendor updates. The product is listed alongside other Imaster applications with unresolved vulnerabilities [1].
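The workaround described above, input validation plus a parameterized query for the id parameter, shown as an added PHP example. It is not Imaster's code: the complaints table, its columns, the function names and the in-memory SQLite database are assumptions made so the weak and hardened forms can be run side by side.

```php
<?php
declare(strict_types=1);

// Constructed in-memory database standing in for the application's data.
// Table and column names are assumptions; the page does not show the real schema.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE complaints (id INTEGER PRIMARY KEY, patient TEXT, body TEXT)');
$db->exec("INSERT INTO complaints VALUES (1, 'patient-a', 'late appointment'), (2, 'patient-b', 'billing error')");

// Weak pattern: the request value is concatenated into the SQL text,
// so the database parses caller-controlled input as part of the statement.
function complaintUnsafe(PDO $db, string $id): array
{
    return $db->query("SELECT * FROM complaints WHERE id = $id")->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened pattern: require a positive integer, then bind it as a typed
// parameter so the value can only ever be treated as data.
// In the endpoint, $id would be the raw string from the request's id parameter.
function complaintSafe(PDO $db, string $id): array
{
    $n = filter_var($id, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($n === false) {
        throw new InvalidArgumentException('id must be a positive integer');
    }
    $stmt = $db->prepare('SELECT id, patient, body FROM complaints WHERE id = :id');
    $stmt->bindValue(':id', $n, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed inputs: one legitimate id and one value that is not an integer.
foreach (['1', '1 OR 1=1'] as $id) {
    printf("unsafe(%s): %d row(s)\n", var_export($id, true), count(complaintUnsafe($db, $id)));
    try {
        printf("safe(%s): %d row(s)\n", var_export($id, true), count(complaintSafe($db, $id)));
    } catch (InvalidArgumentException $e) {
        printf("safe(%s): rejected (%s)\n", var_export($id, true), $e->getMessage());
    }
}
```

Validation and binding are layered on purpose: the bound parameter is what keeps the value out of the SQL grammar, and the integer check rejects malformed requests before they reach the database.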
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0
No patches discovered yet.
References: 1
News mentions: 0
No linked articles in our index yet.