CVE-2025-30039

9.0

Critical

Published:27 Aug 2025

Last updated:17 Jun 2026

Source:cvd@cert.pl

Deferred

Weakness (CWE)

CWE-306Missing Authentication for Critical Function

CVSS Vector

v4.0

Attack Vector: Adjacent
Attack Complexity: Low
Attack Requirements: Present
Privileges Required: None
User Interaction: None
Confidentiality (Vulnerable): High
Integrity (Vulnerable): High
Availability (Vulnerable): High
Confidentiality (Subsequent): High
Integrity (Subsequent): High
Availability (Subsequent): High

View on MITRE Find PoC on GitHub

Description

Unauthenticated access to the "/cgi-bin/CliniNET.prd/GetActiveSessions.pl" endpoint allows takeover of any user session logged into the system, including users with admin privileges.

References

cvd@cert.pl

https://cert.pl/en/posts/2025/08/CVE-2025-2313/