CVE-2025-27955

Severity: 6.5 MEDIUM

📋 TL;DR

Clinical Collaboration Platform 12.2.1.5 has a session token vulnerability where logout doesn't invalidate tokens, allowing attackers to hijack sessions. This enables unauthorized access to sensitive clinical data and potential remote code execution. Healthcare organizations using this specific version are affected.

💻 Affected Systems

Products:
  • Clinical Collaboration Platform
Versions: 12.2.1.5
Operating Systems: Not specified, likely multiple
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability exists in default logout implementation. Session tokens remain valid after logout.


⚠️ Risk & Real-World Impact

🔴 Worst Case

Full system compromise via remote code execution leading to patient data exfiltration, system manipulation, or ransomware deployment.

🟠 Likely Case

Unauthorized access to sensitive clinical information and patient records through session hijacking.

🟢 If Mitigated

Limited impact with proper network segmentation and monitoring detecting token misuse attempts.

🌐 Internet-Facing: HIGH - Remote attackers can exploit this without authentication if system is internet-facing.
🏢 Internal Only: MEDIUM - Internal attackers or compromised accounts could still exploit this vulnerability.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploit requires obtaining a valid session token, which can be captured via various means including token leakage in URLs.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: Not available

Restart Required: No

Instructions:

1. Contact Carestream for patch availability
2. If patch exists, download from vendor portal
3. Apply patch following vendor instructions
4. Test in non-production environment first

🔧 Temporary Workarounds

Implement Session Invalidation

Applies to: all

Force server-side session invalidation on logout.

Requires code modification: implement proper session destruction on the logout endpoint, so that the token is revoked on the server rather than merely cleared from the client.
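The following is an added illustration, not code from the Clinical Collaboration Platform or from Carestream. It models the defect in a minimal in-process session store: one logout only tells the browser to drop its cookie, the other revokes the token on the server. The `check_logout` helper runs the same four steps the verification section of this page describes (log in, keep a copy of the token, log out, try the copy again) against that store. Class and method names, the cookie attributes and the one-hour TTL are assumptions chosen for the example.

```python
import secrets
import time


class SessionStore:
    """Server-side session table (constructed example, not the product's code).

    Tokens are opaque random strings; everything that makes a token valid
    lives on the server, so the server can also make it invalid.
    """

    def __init__(self, ttl_seconds=3600):
        self._sessions = {}          # token -> {"user": str, "expires": float}
        self.ttl = ttl_seconds

    def login(self, user, now=None):
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        self._sessions[token] = {"user": user, "expires": now + self.ttl}
        return token

    def user_for(self, token, now=None):
        """Return the user bound to a token, or None if the token is not valid."""
        now = time.time() if now is None else now
        entry = self._sessions.get(token)
        if entry is None:
            return None
        if entry["expires"] <= now:
            del self._sessions[token]   # lazy expiry
            return None
        return entry["user"]

    def logout_client_only(self, token):
        """The defect this advisory describes: the response clears the browser
        cookie, but the server-side entry is left untouched, so any captured
        copy of the token keeps working until it expires on its own."""
        return {"Set-Cookie": "session=; Max-Age=0; Secure; HttpOnly"}

    def logout(self, token):
        """Hardened logout: revoke the token server-side, then clear the cookie."""
        self._sessions.pop(token, None)
        return {"Set-Cookie": "session=; Max-Age=0; Secure; HttpOnly"}

    def logout_all(self, user):
        """Revoke every session for a user (e.g. on password change, or when
        monitoring sees an old token used after logout). Returns the count."""
        doomed = [t for t, e in self._sessions.items() if e["user"] == user]
        for t in doomed:
            del self._sessions[t]
        return len(doomed)


def check_logout(store, use_fixed_logout):
    """The page's verification steps against an in-process store:
    1. log in, 2. keep a copy of the token, 3. log out, 4. try the copy again.
    Returns True if the copied token still grants access after logout."""
    token = store.login("alice")
    captured = token                      # step 2: the copy that must die with the session
    assert store.user_for(token) == "alice"
    if use_fixed_logout:
        store.logout(token)               # step 3, hardened
    else:
        store.logout_client_only(token)   # step 3, as in the vulnerable version
    return store.user_for(captured) is not None   # step 4


if __name__ == "__main__":
    print("client-only logout, token still valid:", check_logout(SessionStore(), False))
    print("server-side logout, token still valid:", check_logout(SessionStore(), True))
```

The point of `logout_all` is operational: once the fix is deployed, a token seen after its session's logout is a concrete signal, and revoking that user's remaining sessions is the cheapest containment step.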

Network Segmentation

Applies to: all

Restrict access to the vulnerable system.

Use firewall rules to limit access to trusted IPs only.

🧯 If You Can't Patch

  • Implement web application firewall with session fixation protection
  • Enable detailed logging of session activities and monitor for anomalous token usage

🔍 How to Verify

Check if Vulnerable:

Test logout functionality:

1. Log in to the system
2. Capture the session token
3. Log out
4. Attempt to use the captured token to access protected resources; if access is still granted, the system is vulnerable

Check Version:

Check system version in admin panel or via vendor documentation

Verify Fix Applied:

After the fix:

1. Log in and capture the session token
2. Log out
3. Verify that the token no longer provides access to protected endpoints

📡 Detection & Monitoring

Log Indicators:

  • Multiple session tokens from same user
  • Session tokens used after logout events
  • Unusual access patterns with old tokens

Network Indicators:

  • Session tokens in URL parameters
  • Repeated authentication attempts with same token

SIEM Query:

source="clinical-platform" AND (event="logout" OR event="session_invalid") | stats count by user, session_id | where count > 1
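As an added example (not part of the original page, and not a query or log format of the real product), the script below implements the first two log indicators above over constructed sample lines: it parses a simple `timestamp key=value ...` layout, flags any event that carries a session id after that session's logout (and notes when the source address differs from the one that logged out), and lists users holding more than one live session id. Field names, the log layout and the sample values are assumptions for the example; the SIEM query above counts repeated logout or session_invalid events per session, whereas this check is about event ordering.

```python
import re
from datetime import datetime

# Constructed sample log (not output of the real product). The key=value layout,
# field names, session ids and addresses are assumptions for this example.
SAMPLE_LOG = """\
2025-04-01T10:00:00Z user=alice session=s1 event=login src=10.0.0.5
2025-04-01T10:02:00Z user=alice session=s1 event=request path=/patients/42 src=10.0.0.5
2025-04-01T10:05:00Z user=alice session=s1 event=logout src=10.0.0.5
2025-04-01T10:07:00Z user=alice session=s1 event=request path=/patients/42 src=10.0.0.9
2025-04-01T10:08:00Z user=bob session=s2 event=login src=10.0.0.6
2025-04-01T10:09:00Z user=bob session=s2 event=request path=/reports src=10.0.0.6
2025-04-01T10:10:00Z user=bob session=s2 event=logout src=10.0.0.6
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<fields>.*)$")


def parse_line(line):
    """Parse one 'timestamp key=value ...' line into a dict, or None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    try:
        rec = {"ts": datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")}
    except ValueError:
        return None
    for kv in m.group("fields").split():
        key, sep, value = kv.partition("=")
        if sep:
            rec[key] = value
    return rec


def find_post_logout_use(log_text):
    """One hit per event that carries a session id after that session's logout.
    A source address different from the logout's strengthens the signal."""
    records = [r for r in map(parse_line, log_text.splitlines()) if r]
    records.sort(key=lambda r: r["ts"])          # stable sort: ties keep file order
    logged_out = {}                               # session id -> logout record
    hits = []
    for r in records:
        sid, event = r.get("session"), r.get("event")
        if sid is None:
            continue
        if event == "logout":
            logged_out[sid] = r
            continue
        if sid in logged_out:                     # also catches a 'login' reusing a dead id
            out = logged_out[sid]
            hits.append({
                "ts": r["ts"].isoformat(),
                "user": r.get("user"),
                "session": sid,
                "event": event,
                "path": r.get("path"),
                "src": r.get("src"),
                "logout_ts": out["ts"].isoformat(),
                "src_changed": r.get("src") != out.get("src"),
            })
    return hits


def concurrent_sessions(log_text):
    """Users holding more than one live session id at the end of the log."""
    live = {}   # user -> set of session ids currently logged in
    for r in filter(None, map(parse_line, log_text.splitlines())):
        user, sid, event = r.get("user"), r.get("session"), r.get("event")
        if event == "login":
            live.setdefault(user, set()).add(sid)
        elif event == "logout":
            live.get(user, set()).discard(sid)
    return {u: sorted(s) for u, s in live.items() if len(s) > 1}


if __name__ == "__main__":
    for hit in find_post_logout_use(SAMPLE_LOG):
        print("ALERT post-logout token use:", hit)
    print("users with more than one live session:", concurrent_sessions(SAMPLE_LOG))
```

Until the fix is in place, a hit from this check is expected to be reachable by design, which is exactly why the advisory's workaround of server-side invalidation matters: after it, any such hit is a token that should already have been dead.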
