CVE-2025-10350
Status: Received - Intake
SQL Injection in CGM NETRAAD Imageserver Allows Database Access

Publication date: 2026-03-02

Last updated on: 2026-03-02

Assigner: CERT.PL

Description
SQL Injection vulnerability in the "imageserver" module of CGM NETRAAD software, when processing C-FIND queries, allows an attacker connected to the PACS to gain access to the database, including data processed by CGM CLININET software. This issue affects CGM NETRAAD with the imageserver module in versions before 7.9.0.
Meta Information
Generated: 2026-06-16
EPSS evaluated: 2026-06-14
External references: NVD, EUVD
Affected Vendors & Products (2 associated CPEs)
Vendor  Product   Version / Range
cgm     netraad   up to 7.9.0 (excluding)
cgm     clininet  * (all versions)
CWE
CWE-89 (Improper Neutralization of Special Elements used in an SQL Command): The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
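As an added illustration of the CWE-89 pattern the description places in C-FIND processing (hypothetical example code written for this page, not CGM NETRAAD's code and not a payload against it): a toy imageserver-style handler translates the PatientName matching key of a C-FIND Identifier into a SQL LIKE pattern, once by splicing it into the query text and once as a bind parameter. The SQLite schema, rows, table and column names, and the injected matching key are all constructed for the example; the second table only stands in for the advisory's point that data from another system sharing the database becomes reachable once the query text is attacker-controlled.

```python
"""Illustrative C-FIND-to-SQL translation: a CWE-89 pattern and its fix.

Added example. Not CGM NETRAAD code and not a payload against it: a hypothetical
imageserver-style query handler over an in-memory SQLite database constructed
here, showing how a C-FIND matching key reaches SQL and why binding it fixes that.
"""
import sqlite3

# Constructed schema. The second table stands in for records from another
# system that share the same database (the advisory's CLININET point).
SCHEMA = """
CREATE TABLE study (study_uid TEXT, patient_name TEXT, modality TEXT);
CREATE TABLE clinical_record (patient_id TEXT, diagnosis TEXT);
INSERT INTO study VALUES ('1.2.3.1', 'DOE^JOHN', 'CT');
INSERT INTO study VALUES ('1.2.3.2', 'ROE^JANE', 'MR');
INSERT INTO clinical_record VALUES ('P001', 'constructed sample diagnosis');
"""

# Hypothetical matching key a peer could place in a C-FIND Identifier. Any node
# that can open a DICOM association to the listener controls this string.
INJECTION_KEY = "' UNION SELECT patient_id, diagnosis, 'clinical_record' FROM clinical_record --"


def make_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    return con


def naive_wildcard_to_like(key: str) -> str:
    """DICOM '*' -> SQL '%', '?' -> '_', with no escaping (the usual shortcut)."""
    return key.replace("*", "%").replace("?", "_")


def dicom_wildcard_to_like(key: str) -> str:
    """Same translation, but LIKE metacharacters already present in the key are
    escaped first, so a literal '%' or '_' in the key cannot widen the match."""
    escaped = key.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")
    return escaped.replace("*", "%").replace("?", "_")


def find_studies_vulnerable(con, identifier: dict) -> list:
    """CWE-89: the PatientName matching key is spliced into the SQL text."""
    like = naive_wildcard_to_like(identifier["PatientName"])
    sql = ("SELECT study_uid, patient_name, modality FROM study "
           f"WHERE patient_name LIKE '{like}'")
    return con.execute(sql).fetchall()


def find_studies_hardened(con, identifier: dict) -> list:
    """Fix: the key travels as a bind parameter and is never parsed as SQL."""
    like = dicom_wildcard_to_like(identifier["PatientName"])
    sql = ("SELECT study_uid, patient_name, modality FROM study "
           "WHERE patient_name LIKE ? ESCAPE '\\'")
    return con.execute(sql, (like,)).fetchall()


def demo() -> dict:
    """Run both handlers against a legitimate key, the injected key, and a bare '%'."""
    con = make_db()
    return {
        "legit_vuln": find_studies_vulnerable(con, {"PatientName": "DOE*"}),
        "legit_fixed": find_studies_hardened(con, {"PatientName": "DOE*"}),
        "inject_vuln": find_studies_vulnerable(con, {"PatientName": INJECTION_KEY}),
        "inject_fixed": find_studies_hardened(con, {"PatientName": INJECTION_KEY}),
        "percent_vuln": find_studies_vulnerable(con, {"PatientName": "%"}),
        "percent_fixed": find_studies_hardened(con, {"PatientName": "%"}),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

Both handlers return the same row for the legitimate key `DOE*`. With the injected key, the concatenating handler returns a row from `clinical_record`, a table the C-FIND query was never meant to touch, while the bound-parameter handler returns nothing because the whole key is compared as a literal. The bare `%` case is a separate correctness point: without escaping, a LIKE metacharacter in the matching key matches every study, which is why the hardened translator escapes `%`, `_` and the escape character before mapping DICOM wildcards.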
Executive Summary

The vulnerability is an SQL Injection issue in the imageserver module of CGM NETRAAD software when processing C-FIND queries. This flaw allows an attacker who is connected to the PACS network to gain unauthorized access to the underlying database, including data processed by the CGM CLININET software. It affects all versions of CGM NETRAAD prior to version 7.9.0.

Impact Analysis

This vulnerability can allow an attacker connected to the PACS network to access sensitive database information without authorization. Such unauthorized access could lead to exposure or theft of confidential medical data processed by CGM NETRAAD and CGM CLININET software, potentially compromising patient privacy and the integrity of healthcare data.

Mitigation Strategies

The vulnerability affects CGM NETRAAD software versions prior to 7.9.0. Immediate mitigation involves upgrading the CGM NETRAAD software to version 7.9.0 or later, where this SQL Injection vulnerability in the imageserver module processing C-FIND queries has been fixed.

Until the upgrade is applied, restrict which hosts can reach the imageserver's DICOM listener: the advisory's only precondition is that the attacker be connected to the PACS, and DICOM associations are commonly accepted on the basis of Calling AE Title and source address, which is not authentication. Monitoring for unusual database access, and for C-FIND requests whose matching keys contain SQL metacharacters such as quotes or comment sequences, can also help reduce risk in the interim.
