CVE-2025-8306
Unknown Unknown - Not Provided
Insecure Access Control in Asseco InfoMedica Exposes Passwords

Publication date: 2026-01-08

Last updated on: 2026-01-08

Assigner: CERT.PL

Description
Asseco InfoMedica is a comprehensive solution used to manage both administrative and medical tasks in the healthcare sector. A low privileged user is able to obtain encoded passwords of all other accounts (including main administrator) due to lack of granularity in access control.Β  Chained exploitation of this vulnerability andΒ CVE-2025-8307 allows an attacker to escalate privileges.Β This vulnerability has been fixed in versions 4.50.1 and 5.38.0
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-08
Last Modified
2026-01-08
Generated
2026-06-16
AI Q&A
2026-01-08
EPSS Evaluated
2026-06-14
NVD
CVE-2025-8306
EUVD
EUVD-2026-1574
Affected Vendors & Products
Showing 4 associated CPEs
Vendor Product Version / Range
asseco infomedica_plus From 4.0.0 (inc) to 4.50.1 (inc)
asseco infomedica_plus From 5.0.0 (inc) to 5.38.0 (inc)
asseco infomedica_plus 4.50.1
asseco infomedica_plus 5.38.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-1220 The product implements access controls via a policy or other feature with the intention to disable or restrict accesses (reads and/or writes) to assets in a system from untrusted agents. However, implemented access controls lack required granularity, which renders the control policy too broad because it allows accesses from unauthorized agents to the security-sensitive assets.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability in Asseco InfoMedica Plus allows a low-privileged user to obtain encoded passwords of all other accounts, including the main administrator, due to insufficient granularity in access control. The encoded passwords can be decoded using an algorithm embedded in the client-side software. This flaw enables unauthorized access to sensitive credential information. Exploiting this vulnerability together with CVE-2025-8307 can lead to privilege escalation. [1]

Impact Analysis

The vulnerability can allow a low-privileged user to access encoded passwords of other users, including administrators, which can lead to unauthorized access to sensitive accounts. When combined with a related vulnerability (CVE-2025-8307), it can enable attackers to escalate their privileges, potentially compromising the entire system and exposing sensitive administrative and medical data. [1]

Mitigation Strategies

To mitigate this vulnerability, you should upgrade Asseco InfoMedica Plus software to version 4.50.1 or 5.38.0 or later, as these versions contain the fix for this vulnerability. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-8306. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart