CVE-2025-4596
Unknown Unknown - Not Provided
Insecure Direct Object Reference in Asseco ADMX Enables Unauthorized Medical Record Access

Publication date: 2026-01-08

Last updated on: 2026-01-08

Assigner: CERT.PL

Description
Asseco ADMX system is used for processing medical records. It allows logged in users to access medical files belonging to other users through manipulation of GET arguments containing document IDs. This issue has been fixed in 6.09.01.62 version of ADMX.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-08
Last Modified
2026-01-08
Generated
2026-06-16
AI Q&A
2026-01-08
EPSS Evaluated
2026-06-14
NVD
CVE-2025-4596
EUVD
EUVD-2026-1564
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
asseco admx 6.09.01.62
asseco amdx to 6.09.01.62 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-639 The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-4596 is an authorization bypass vulnerability in the Asseco AMDX hospital information system. It allows logged-in users, specifically authenticated patients, to access medical records of other patients by manipulating GET request parameters that contain document IDs. This means users can view sensitive medical data that they are not authorized to see. [1]

Impact Analysis

This vulnerability can lead to unauthorized access to sensitive medical records, compromising patient privacy and confidentiality. It may result in exposure of personal health information to unauthorized individuals, potentially causing harm to patients and legal consequences for the organization managing the data. [1]

Detection Guidance

This vulnerability can be detected by monitoring HTTP GET requests to the Asseco AMDX system for unusual manipulation of document ID parameters that allow access to other users' medical files. Specifically, look for authenticated user requests where the document ID in the GET arguments does not belong to the requesting user. Commands to detect this might include using network traffic analysis tools like tcpdump or Wireshark to capture HTTP GET requests, or using web server logs to search for suspicious parameter values. For example, using grep on web server logs: grep 'GET .*document_id=' /path/to/access.log to identify requests with document ID parameters. Further analysis would be needed to correlate document IDs with user sessions to detect unauthorized access attempts. [1]

Mitigation Strategies

The immediate mitigation step is to upgrade the Asseco AMDX system to version 6.09.01.62 or later, where this authorization bypass vulnerability has been fixed. Until the upgrade is applied, restrict access to the system to trusted users only, monitor access logs for suspicious activity, and consider implementing additional access controls or network-level restrictions to limit exploitation. [1]

Compliance Impact

This vulnerability allows unauthorized access to sensitive medical data by authenticated users manipulating document IDs, which can lead to breaches of patient confidentiality and data protection requirements. Such unauthorized disclosure of personal health information likely violates compliance with standards like GDPR and HIPAA that mandate strict controls on access to personal and medical data. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-4596. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart