Advisories

SQL Injection in Siemens Healthineers syngo.plaza VB30E Software Uncovered (CVE-2024-52335)

16 January 2025

A recent security assessment has identified a critical vulnerability in Siemens Healthineers’ syngo.plaza VB30E software. This vulnerability consists of an unauthenticated SQL injection flaw that could enable attackers to execute malicious SQL commands and compromise the database. In response, Siemens Healthineers has released Hotfix HF05 for syngo.plaza VB30E and strongly recommends that users upgrade to this latest version.

syngo.plaza is a Picture Archiving and Communication System (PACS) intended to display, process, read, report, print, communicate, distribute, store, and archive digital medical images, including mammographic images. It supports the physician in diagnosis and treatment planning.

Why is this vulnerability critical for the healthcare sector?

Successful exploitation could allow an attacker to reach the patient database behind the PACS, read or alter confidential medical records, and disrupt hospital workflows that depend on the system. This is particularly serious because clinicians rely on this data to treat patients: if imaging data or reports are compromised or altered, it could influence medical decisions and delay important treatments.

SQL Injection Vulnerability

Product: syngo.plaza VB30E

Affected Version: All versions < VB30E_HF05

CVE / Vendor ID: CVE-2024-52335

Found by: Felix Eberstaller & Bernhard Lorenz

CVSS v3.1 Score:

CVSS v4.0 Score: 9.3 (Critical), as computed from the vector below

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

The affected application does not properly sanitize input data before sending it to the SQL server. An unauthenticated attacker with network access to the application (the vector states AV:N and PR:N) could use this vulnerability to execute arbitrary SQL commands and compromise the whole database.
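The advisory does not publish the vulnerable request or the affected schema, so the following is an added, generic illustration of the flaw class rather than code from syngo.plaza or from the researchers. It uses an in-memory SQLite database with a constructed patient table and a constructed staff table (all names, columns and values are invented for the demo) to show how a query built by string concatenation lets a crafted name pull every patient row, or rows from an unrelated table, while the same lookup written with a bound parameter returns nothing for those inputs. This is the difference the hotfix is expected to make: query structure fixed in code, user input carried only as data.

```python
import sqlite3


def make_demo_db():
    """Build a constructed demo database (not the syngo.plaza schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE patients (id INTEGER PRIMARY KEY, name TEXT, diagnosis TEXT)"
    )
    conn.executemany(
        "INSERT INTO patients (name, diagnosis) VALUES (?, ?)",
        [
            ("Alice Example", "benign finding"),
            ("Bob Example", "follow-up required"),
        ],
    )
    # A second, unrelated table: an injection that reaches it shows why the
    # advisory speaks of compromising the whole database, not one record.
    conn.execute("CREATE TABLE staff (username TEXT, password_hash TEXT)")
    conn.execute(
        "INSERT INTO staff VALUES (?, ?)",
        ("radiologist", "5f4dcc3b5aa765d61d8327deb882cf99"),  # placeholder value
    )
    conn.commit()
    return conn


def find_patient_vulnerable(conn, name):
    """Lookup that concatenates user input into the statement text.

    This is the pattern the advisory describes: input is not sanitized or
    separated from the SQL before it reaches the database engine, so the
    caller of this function controls the query structure.
    """
    sql = "SELECT name, diagnosis FROM patients WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def find_patient_parameterized(conn, name):
    """Same lookup with the input passed as a bound parameter.

    The statement text is constant; whatever the caller supplies is compared
    as a literal value and can never alter the query.
    """
    sql = "SELECT name, diagnosis FROM patients WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


# Two classic payloads, constructed for the demo.
TAUTOLOGY = "' OR '1'='1"
UNION_READ = "x' UNION SELECT username, password_hash FROM staff --"


def demo():
    """Run both implementations against both payloads and a benign name."""
    conn = make_demo_db()
    results = {
        "vulnerable_tautology": find_patient_vulnerable(conn, TAUTOLOGY),
        "vulnerable_union": find_patient_vulnerable(conn, UNION_READ),
        "param_tautology": find_patient_parameterized(conn, TAUTOLOGY),
        "param_union": find_patient_parameterized(conn, UNION_READ),
        "param_benign": find_patient_parameterized(conn, "Alice Example"),
    }
    for label, rows in results.items():
        print(f"{label}: {rows}")
    return results


if __name__ == "__main__":
    demo()
```

Note that the vulnerable function above never validates its input either, so the tautology returns every patient and the UNION payload returns credential material from a table the lookup was never meant to touch. SQLite refuses stacked statements through `execute()`, so a `'; DROP TABLE ...` style payload would raise rather than succeed here; other database drivers and servers may accept it, which is why the only reliable fix is the parameterized form, not filtering of known-bad strings.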

Your security is our mission. Let’s defend what matters!