CVE-2024-52335 (CVSS 9.8): Siemens Healthineers Addresses Critical Flaw in Medical Imaging Software
Siemens Healthineers has released a critical security update to address an unauthenticated SQL injection vulnerability in its syngo.plaza VB30E medical imaging software. The vulnerability, identified as CVE-2024-52335 and assigned a CVSS score of 9.8, could allow an attacker to execute malicious SQL commands and compromise the entire database.
“syngo.plaza VB30E contains an unauthenticated SQL injection vulnerability that could allow an attacker to execute malicious SQL commands to compromise the database,” the advisory states.
syngo.plaza is a widely used Picture Archiving and Communication System (PACS) that provides physicians with tools for “display, process, read, report, print, communicate, distribute, store, and archive digital medical images, including mammographic images.” The vulnerability stems from improper sanitization of input data before it is sent to the SQL server.
“An attacker with access to the application could use this vulnerability to execute malicious SQL commands to compromise the whole database,” warns the advisory.
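The bug class the advisory describes, illustrated with an added example that is not syngo.plaza's code (its stack and schema are not public): a lookup that pastes untrusted input into the SQL text beside the parameterized form that fixes it. The study table, its rows and the inputs are constructed for the demo; SQLite stands in for the real database server.

```python
import sqlite3


def make_db():
    """Constructed stand-in for a PACS study index (hypothetical schema, not the product's)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE studies (patient_id TEXT, modality TEXT, description TEXT)")
    conn.executemany("INSERT INTO studies VALUES (?, ?, ?)", [
        ("P001", "MG", "Screening mammogram"),
        ("P002", "CT", "Chest CT"),
        ("P003", "MR", "Brain MRI"),
    ])
    return conn


def find_studies_vulnerable(conn, patient_id):
    # Unsanitized input becomes part of the SQL statement itself, so it can
    # change the query's logic: the defect class the advisory describes.
    sql = f"SELECT patient_id, description FROM studies WHERE patient_id = '{patient_id}'"
    return conn.execute(sql).fetchall()


def find_studies_fixed(conn, patient_id):
    # Parameterized query: the value travels separately from the SQL text and
    # is only ever compared as data, whatever characters it contains.
    sql = "SELECT patient_id, description FROM studies WHERE patient_id = ?"
    return conn.execute(sql, (patient_id,)).fetchall()


def demo():
    """Runs both lookups on a benign and on a crafted input (both constructed)."""
    conn = make_db()
    benign = "P001"
    crafted = "' OR '1'='1"  # closes the literal and adds an always-true condition
    return {
        "vuln_benign": find_studies_vulnerable(conn, benign),
        "vuln_crafted": find_studies_vulnerable(conn, crafted),   # leaks every row
        "fixed_benign": find_studies_fixed(conn, benign),
        "fixed_crafted": find_studies_fixed(conn, crafted),       # matches nothing
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

The crafted input returns the whole table through the vulnerable function and nothing through the parameterized one; input validation alone would not give that guarantee, which is why the fix belongs at the query layer.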
To address this vulnerability, Siemens Healthineers has released a new hotfix (HF05) for syngo.plaza VB30E. The company strongly advises all users to update their systems to the latest version as soon as possible.
In addition to updating to the latest version, Siemens Healthineers recommends following general security best practices, such as maintaining appropriate backups and system restoration procedures, and securely deleting any unnecessary backup files.