CVE-2025-30035 PUBLISHED

Lack of API authentication allowing session generation for any user

Assigner: CERT-PL
Reserved: 14.03.2025 Published: 02.03.2026 Updated: 02.03.2026

The vulnerability enables an attacker to fully bypass authentication in CGM CLININET and gain access to any active user account by supplying only the username, without requiring a password or any other credentials. Obtaining a session ID is sufficient for session takeover and grants access to the system with the privileges of the targeted user.

Metrics

CVSS 4.0

CVSS Vector: CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
CVSS Score: 9

Exploitability Metrics		Vulnerable System Impact Metrics		Subsequent System Impact Metrics
Attack Vector	Adjacent	Confidentiality	High	Confidentiality	High
Attack Complexity	Low	Integrity	High	Integrity	High
Attack Requirements	Present	Availability	High	Availability	High
Privileges Required	None
User Interaction	None

CVSS 4.0

Product Status

Vendor	CGM
Product	CGM CLININET
Versions	Default: unaffected affected from 0 to 2025.MS4 (excl.)

CVE-2025-30035 PUBLISHED

Lack of API authentication allowing session generation for any user

Metrics

Product Status

Credits

References

Problem Types