CVE-2025-30042 PUBLISHED

Session generation possible with certificate number only

Assigner: CERT-PL
Reserved: 14.03.2025 Published: 02.03.2026 Updated: 02.03.2026

The CGM CLININET system provides smart card authentication; however, authentication is conducted locally on the client device, and, in reality, only the certificate number is used for access verification. As a result, possession of the certificate number alone is sufficient for authentication, regardless of the actual presence of the smart card or ownership of the private key.

Metrics

CVSS 4.0

CVSS Vector: CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
CVSS Score: 9

Exploitability Metrics		Vulnerable System Impact Metrics		Subsequent System Impact Metrics
Attack Vector	Adjacent	Confidentiality	High	Confidentiality	High
Attack Complexity	Low	Integrity	High	Integrity	High
Attack Requirements	Present	Availability	High	Availability	High
Privileges Required	None
User Interaction	None

CVSS 4.0

Product Status

Vendor	CGM
Product	CGM CLININET
Versions	Default: unaffected affected from 0 to 2025.MS2 (excl.)

CVE-2025-30042 PUBLISHED

Session generation possible with certificate number only

Metrics

Product Status

Credits

References

Problem Types