CVE-2025-10350
Received Received - Intake

SQL Injection in CGM NETRAAD Imageserver Allows Database Access

Vulnerability report for CVE-2025-10350, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-03-02

Last updated on: 2026-03-02

Assigner: CERT.PL

Description

SQL Injection vulnerability in "imageserver" module when processing C-FIND queries in CGM NETRAAD software allows attacker connected to PACS gaining access to database, including data processed by GCM CLININET software.This issue affects CGM NETRAAD with imageserver module in versions before 7.9.0.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-03-02
Last Modified
2026-03-02
Generated
2026-07-06
AI Q&A
2026-03-02
EPSS Evaluated
2026-07-05
NVD
EUVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
cgm netraad to 7.9.0 (exc)
cgm clininet *

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-89 The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Compliance Impact

I don't know

Detection Guidance

I don't know

Mitigation Strategies

The vulnerability affects CGM NETRAAD software versions prior to 7.9.0. Immediate mitigation involves upgrading the CGM NETRAAD software to version 7.9.0 or later, where this SQL Injection vulnerability in the imageserver module processing C-FIND queries has been fixed.

Additionally, restricting network access to the PACS system to trusted users and monitoring for unusual database access attempts can help reduce risk until the upgrade is applied.

Executive Summary

The vulnerability is an SQL Injection issue in the imageserver module of CGM NETRAAD software when processing C-FIND queries. This flaw allows an attacker who is connected to the PACS network to gain unauthorized access to the underlying database, including data processed by the CGM CLININET software. It affects all versions of CGM NETRAAD prior to version 7.9.0.

Impact Analysis

This vulnerability can allow an attacker connected to the PACS network to access sensitive database information without authorization. Such unauthorized access could lead to exposure or theft of confidential medical data processed by CGM NETRAAD and CGM CLININET software, potentially compromising patient privacy and the integrity of healthcare data.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-10350. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart