A recent security assessment has identified a critical vulnerability in Siemens Healthineers’ syngo.plaza VB30E software. This vulnerability consists of an unauthenticated SQL injection flaw that could enable attackers to execute malicious SQL commands and compromise the database. In response, Siemens Healthineers has released Hotfix HF05 for syngo.plaza VB30E and strongly recommends that users upgrade to this latest version.
syngo.plaza is a Picture Archiving and Communication System intended to display, process, read, report, print, communicate, distribute, store, and archive digital medical images, including mammographic images. It supports the physician in diagnosis and treatment planning.
Why is this vulnerability critical for the healthcare sector?
This could allow hackers to access patient databases, view or change confidential medical records and disrupt hospital systems. This is particularly problematic as hospitals rely on this data to treat their patients. If patient information is compromised or altered, it could influence medical decisions and delay important treatments.
SQL Injection Vulnerability
CVSS v3.1 Score
CVSS v4.0 Score
The affected application does not properly sanitize input data before sending it to the SQL server. An attacker with access to the application could use this vulnerability to execute malicious SQL commands and compromise the whole database.
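To illustrate the flaw class described above, here is an added example (not code from syngo.plaza or Siemens Healthineers) using a constructed SQLite table: a lookup that pastes the request value into the statement next to the same lookup with a bound parameter, so the crafted input changes the result of the first but not the second.

```python
import sqlite3


def make_db():
    # Constructed sample data standing in for a PACS study table; not the product's schema.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE study (accession TEXT, patient TEXT)")
    conn.executemany(
        "INSERT INTO study VALUES (?, ?)",
        [("ACC-1001", "Doe, Jane"), ("ACC-1002", "Roe, Richard")],
    )
    return conn


def lookup_vulnerable(conn, accession):
    # Input is concatenated straight into the statement: the unsanitized-input pattern
    # the advisory describes. A quote in the value ends the literal and the rest is parsed as SQL.
    sql = "SELECT accession, patient FROM study WHERE accession = '" + accession + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, accession):
    # Bound parameter: the driver passes the value separately from the statement text,
    # so whatever it contains is compared as data and never parsed as SQL.
    return conn.execute(
        "SELECT accession, patient FROM study WHERE accession = ?", (accession,)
    ).fetchall()


def demo():
    # Runs both lookups against a benign value and a constructed test value
    # (a closing quote followed by a tautology) and returns the four result sets.
    conn = make_db()
    benign = "ACC-1001"
    crafted = "x' OR '1'='1"
    return {
        "vulnerable_benign": lookup_vulnerable(conn, benign),
        "vulnerable_crafted": lookup_vulnerable(conn, crafted),
        "safe_benign": lookup_parameterized(conn, benign),
        "safe_crafted": lookup_parameterized(conn, crafted),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(name, rows)
```

The vulnerable lookup returns every row for the crafted value, while the parameterized one returns nothing; the fix in application code is to bind every externally supplied value this way rather than to filter characters.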
In addition, Siemens Healthineers generally recommends the following:
- Ensure you have appropriate backups and system restoration procedures.
- Securely delete any backup files that are no longer needed.
- For specific patch and remediation guidance, contact your local Siemens Healthineers Customer Service Engineer, the customer portal, or your Regional Support Center.
- Update to VB30E_HF05 or a later version.