CVE-2025-25928

8.0 HIGH

📋 TL;DR

This cross-site request forgery (CSRF) vulnerability in OpenMRS 2.4.3 lets an attacker who lures a logged-in OpenMRS user with user-management privileges onto a malicious page cause that user's browser to submit a forged request to /admin/users/user.form. Because the endpoint does not require an anti-CSRF token, the forged request can assign administrative roles to a low-privileged account the attacker controls. All OpenMRS 2.4.3 installations with the default configuration are affected.

💻 Affected Systems

Products:
  • OpenMRS
Versions: 2.4.3 Build 0ff0ed
Operating Systems: All platforms running OpenMRS
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects installations with the vulnerable /admin/users/user.form endpoint accessible.

📦 What is this software?

OpenMRS is an open-source electronic medical record platform used to manage patient records in healthcare facilities. It is a Java (Spring-based) web application normally deployed as a WAR on Apache Tomcat; /admin/users/user.form is the user-management page of its built-in administration interface.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system compromise where attackers gain administrative access, modify user roles, access sensitive patient data, and potentially disrupt healthcare operations.

🟠

Likely Case

Privilege escalation leading to unauthorized administrative access, data breaches, and system configuration changes.

🟢

If Mitigated

Limited impact with proper CSRF protections, though some risk remains if other vulnerabilities exist.

🌐 Internet-Facing: HIGH - Web applications with admin interfaces exposed to the internet are prime targets for CSRF attacks.
🏢 Internal Only: MEDIUM - Internal attackers or compromised internal systems could still exploit this vulnerability.

🎯 Exploit Status

Public PoC: No
Weaponized: Unknown
Unauthenticated Exploit: No
Complexity: Medium

Exploitation requires social engineering: the victim must be logged in to OpenMRS with a privileged session and visit an attacker-controlled page while that session is valid. The attacker needs no credentials of their own and no authentication bypass; the victim's browser attaches the session cookie to the forged request automatically.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: OpenMRS 2.4.4 or later

Vendor Advisory: https://issues.openmrs.org/browse/TRUNK-12345

Restart Required: No

Instructions:

1. Back up your OpenMRS installation (application files and database).
2. Upgrade to OpenMRS 2.4.4 or later.
3. Verify that /admin/users/user.form now includes an anti-CSRF token and rejects requests that lack one.
4. Test user management functionality (create, edit, role assignment).

🔧 Temporary Workarounds

Implement CSRF Protection

Applies to: all platforms

Add anti-CSRF tokens to all state-changing endpoints, particularly /admin/users/user.form:
  • Modify web.xml to enable a CSRF filter
  • Add CSRF tokens to the user management forms and validate them server-side

Restrict Admin Access

Applies to: all platforms

Limit access to the admin interface to specific IP ranges or networks:
  • Configure firewall or reverse-proxy rules to restrict /admin/* endpoints
  • Use web server access controls

Note that network restriction reduces exposure but does not stop a CSRF launched against an administrator who is already inside the allowed network: the forged request comes from that administrator's own browser, which is permitted to reach /admin/*.

🧯 If You Can't Patch

  • Set a SameSite attribute on the session cookie (JSESSIONID on Tomcat): Lax already blocks cross-site POST submissions, Strict also blocks cross-site GET navigations
  • Use additional authentication factors for administrative actions
  • Monitor user role changes and admin interface access logs
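The two configuration changes behind the "Implement CSRF Protection" workaround and the SameSite item above, as an added example that is not part of this advisory or of the OpenMRS project. It assumes OpenMRS is deployed as a WAR on Apache Tomcat 8.5.42 / 9.0.21 or later (the first releases with the sameSiteCookies attribute) and that the legacy admin entry pages listed in entryPoints exist at the assumed paths; adjust them to your deployment.

```xml
<!-- 1) conf/context.xml (or the webapp's META-INF/context.xml), inside the
        existing <Context> element. Tomcat then marks every cookie it issues,
        including the JSESSIONID session cookie, with SameSite. This needs no
        application change. "lax" is already enough to stop the cross-site POST
        used in this CSRF; "strict" also covers any admin action reachable by GET. -->
<Context>
    <CookieProcessor sameSiteCookies="strict" />
</Context>

<!-- 2) WEB-INF/web.xml: Tomcat's bundled synchronizer-token filter in front of
        the user-management pages. Caveat: the filter only admits requests whose
        URL carries a nonce obtained through HttpServletResponse.encodeURL(); the
        legacy admin pages may not encode their links, so test on a staging copy
        and add every page that must be reachable by a plain link to entryPoints
        (the two paths below are assumed, not taken from the advisory). -->
<filter>
    <filter-name>CsrfPreventionFilter</filter-name>
    <filter-class>org.apache.catalina.filters.CsrfPreventionFilter</filter-class>
    <init-param>
        <param-name>entryPoints</param-name>
        <param-value>/admin/index.htm,/admin/users/users.list</param-value>
    </init-param>
    <init-param>
        <!-- status returned for a request without a valid nonce -->
        <param-name>denyStatus</param-name>
        <param-value>403</param-value>
    </init-param>
</filter>
<filter-mapping>
    <filter-name>CsrfPreventionFilter</filter-name>
    <url-pattern>/admin/users/*</url-pattern>
</filter-mapping>
```

Apply the cookie change first: it is the drop-in mitigation and is sufficient against a forged POST. The filter is the stronger control but, because of the nonce requirement, expect navigation into /admin/users/* to return 403 until every inbound link is either an entry point or encoded; verify with a real user-management session before rolling it out.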

🔍 How to Verify

Check if Vulnerable:

Log in as a user with user-management privileges, open /admin/users/user.form, and use the browser developer tools (Network tab) to inspect the POST the form submits. If the request carries no anti-CSRF token field, or the server still accepts a replay of the request with that field removed, the installation is vulnerable.

Check Version:

Check OpenMRS version in web interface or via database query: SELECT * FROM global_property WHERE property = 'version'

Verify Fix Applied:

Verify that all POST requests to /admin/users/user.form include valid CSRF tokens that are validated server-side.
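A script that turns the two checks above ("does the form carry a token?" and "is a token-less POST rejected?") into something repeatable, as an added example that is not part of this advisory or of the OpenMRS project. The HTML samples are constructed for the example. It assumes that the fixed version, if a token is present, puts it in a hidden input whose name contains csrf, xsrf, nonce or _token, that the session cookie is Tomcat's JSESSIONID, and that a server-side check answers 400 or 403; these are assumptions, since the advisory does not name the token field.

```python
"""Heuristic check for the CVE-2025-25928 CSRF gap in /admin/users/user.form.

Offline helpers inspect a saved copy of the form and interpret a response;
check_live() fetches the form with an existing session and then POSTs to it
WITHOUT any token from a foreign Origin, which a protected server must refuse
regardless of which form fields user.form expects.
"""
import re
import sys
import urllib.error
import urllib.request
from html.parser import HTMLParser

FORM_PATH = "/admin/users/user.form"
# Assumed naming of the anti-CSRF field; not specified by the advisory.
TOKEN_NAME_HINT = re.compile(r"csrf|xsrf|nonce|_token", re.IGNORECASE)


class HiddenInputCollector(HTMLParser):
    """Collect name -> value for every <input type="hidden"> in a page."""

    def __init__(self):
        super().__init__()
        self.hidden = {}

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "input":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        if a.get("type", "").lower() == "hidden" and a.get("name"):
            self.hidden[a["name"]] = a.get("value", "")


def find_csrf_tokens(html):
    """Return {field_name: value} for hidden inputs that look like anti-CSRF tokens."""
    parser = HiddenInputCollector()
    parser.feed(html)
    return {n: v for n, v in parser.hidden.items() if TOKEN_NAME_HINT.search(n)}


def classify_tokenless_post(status, location=""):
    """Interpret the response to a POST sent with a session cookie but NO token.

    A redirect to the login page means the session was not accepted, which
    says nothing about the endpoint; treat it separately from "accepted".
    """
    if status in (301, 302, 303, 307) and "login" in location.lower():
        return "not_authenticated"
    if status in (400, 403):
        return "rejected"      # token enforced server-side
    if status in (200, 302, 303):
        return "accepted"      # request processed: endpoint is likely vulnerable
    return "inconclusive"


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Stop urllib from following redirects so the raw 302 is visible."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def _send(url, cookie, method="GET", data=None, extra=None):
    headers = {"Cookie": "JSESSIONID=" + cookie}   # assumed Tomcat session cookie
    headers.update(extra or {})
    req = urllib.request.Request(url, data=data, method=method, headers=headers)
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(req, timeout=15) as resp:
            return resp.getcode(), resp.headers.get("Location", ""), resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:            # 3xx/4xx/5xx arrive here
        return err.code, err.headers.get("Location", ""), err.read().decode("utf-8", "replace")


def check_live(base_url, session_cookie):
    """Fetch the form, look for a token, then POST without one from a foreign Origin."""
    form_url = base_url.rstrip("/") + FORM_PATH
    status, _, body = _send(form_url, session_cookie)
    tokens = find_csrf_tokens(body) if status == 200 else {}
    status, location, _ = _send(
        form_url, session_cookie, "POST", b"",
        {"Origin": "https://attacker.example",   # simulates the cross-site page
         "Content-Type": "application/x-www-form-urlencoded"})
    return {"token_fields": tokens, "tokenless_post": classify_tokenless_post(status, location)}


# Constructed samples of what the form might look like before and after the fix.
VULN_FORM = ('<form method="post" action="user.form">'
             '<input type="hidden" name="userId" value="7"/>'
             '<input type="text" name="username"/></form>')
PATCHED_FORM = ('<form method="post" action="user.form">'
                '<input type="hidden" name="userId" value="7"/>'
                '<input type="hidden" name="_csrf" value="a1b2c3"/></form>')

if __name__ == "__main__":
    if len(sys.argv) == 3:
        print(check_live(sys.argv[1], sys.argv[2]))
    else:
        print("usage: check_csrf.py https://emr.example.org/openmrs <JSESSIONID>")
        print("offline demo:", find_csrf_tokens(VULN_FORM), find_csrf_tokens(PATCHED_FORM))
```

Run it against a staging copy with a session that has user-management rights. A result of `{'token_fields': {}, 'tokenless_post': 'accepted'}` is the vulnerable signature; `rejected` with a populated token field is what the fix should produce. The empty POST body is deliberate: it exercises the CSRF check without needing the real field names and without modifying any user.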

📡 Detection & Monitoring

Log Indicators:

  • Unexpected user role changes from non-admin accounts
  • Multiple failed CSRF token validations
  • Admin actions from unusual IP addresses or user agents

Network Indicators:

  • POST requests to /admin/users/user.form without a Referer header, or with a Referer from another site
  • Cross-origin requests (Origin header from a foreign site) to admin endpoints

SIEM Query:

source="openmrs.log" AND ("user.form" OR "role change") AND NOT csrf_token=*
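The Referer-based network indicator above, implemented over Tomcat access logs, as an added example that is not part of this advisory or of the OpenMRS project. The log lines are constructed for the example. It assumes the access log uses Tomcat's "combined" pattern (Referer and User-Agent quoted at the end of each line) and that OpenMRS runs under the /openmrs context path.

```python
"""Flag POSTs to /admin/users/user.form whose Referer is missing or from a
foreign host, from Tomcat 'combined' access logs."""
import re
from urllib.parse import urlsplit

# Tomcat "combined" pattern: %h %l %u %t "%r" %s %b "%{Referer}i" "%{User-Agent}i"
COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
TARGET = "/admin/users/user.form"   # matched as a path suffix so the context path does not matter


def parse_line(line):
    """Return the named fields of one combined-format line, or None if it does not parse."""
    m = COMBINED.match(line.strip())
    return m.groupdict() if m else None


def referer_verdict(referer, allowed_hosts):
    """None for a same-site Referer, otherwise the reason the request is suspicious."""
    if referer in ("", "-"):                 # Tomcat logs "-" when the header is absent
        return "missing-referer"
    host = (urlsplit(referer).hostname or "").lower()
    if host not in allowed_hosts:            # exact host match: defeats emr.example.org.evil.net
        return "cross-site-referer"
    return None


def detect_csrf_candidates(lines, allowed_hosts):
    """Return one finding per POST to the target whose Referer is missing or foreign."""
    allowed = {h.lower() for h in allowed_hosts}
    findings = []
    for line in lines:
        rec = parse_line(line)
        if not rec or rec["method"].upper() != "POST":
            continue
        if not rec["path"].split("?", 1)[0].endswith(TARGET):
            continue
        reason = referer_verdict(rec["referer"], allowed)
        if reason:
            findings.append({"time": rec["time"], "ip": rec["ip"], "user": rec["user"],
                             "referer": rec["referer"], "reason": reason})
    return findings


# Constructed sample log: two legitimate requests followed by four that the
# indicator should flag.
SAMPLE_LOG = [
    '10.0.0.5 - admin [12/Mar/2025:09:14:02 +0000] "GET /openmrs/admin/users/user.form?userId=7 HTTP/1.1" 200 5120 "https://emr.example.org/openmrs/admin/users/users.list" "Mozilla/5.0"',
    '10.0.0.5 - admin [12/Mar/2025:09:14:40 +0000] "POST /openmrs/admin/users/user.form HTTP/1.1" 302 0 "https://emr.example.org/openmrs/admin/users/user.form?userId=7" "Mozilla/5.0"',
    '10.0.0.5 - admin [12/Mar/2025:09:31:17 +0000] "POST /openmrs/admin/users/user.form HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '10.0.0.5 - admin [12/Mar/2025:09:32:03 +0000] "POST /openmrs/admin/users/user.form HTTP/1.1" 302 0 "https://evil.example.net/prize.html" "Mozilla/5.0"',
    '10.0.0.5 - admin [12/Mar/2025:09:33:50 +0000] "POST /openmrs/admin/users/user.form HTTP/1.1" 302 0 "https://emr.example.org.evil.net/x" "Mozilla/5.0"',
    '10.0.0.9 - - [12/Mar/2025:09:35:00 +0000] "POST /openmrs/admin/users/user.form HTTP/1.1" 302 0 "-" "curl/8.4"',
]

if __name__ == "__main__":
    for finding in detect_csrf_candidates(SAMPLE_LOG, ["emr.example.org"]):
        print(finding)
```

A missing Referer is a weaker signal than a foreign one: browsers under a `no-referrer` policy and some privacy tools strip the header on legitimate submissions, so correlate "missing-referer" hits with the role-change audit trail rather than alerting on them alone. If you can change the access-log pattern, logging `%{Origin}i` gives a value browsers always send on cross-site POSTs and makes the same check far less noisy.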
