CVE-2025-67645
📋 TL;DR
OpenEMR versions before 7.0.4 have a broken access control vulnerability in the Profile Edit endpoint. Authenticated normal users can modify request parameters to reference other users' records, allowing them to alter other users' profile data including name and contact information, potentially enabling account takeover. This affects all OpenEMR installations running vulnerable versions.
💻 Affected Systems
- OpenEMR
📦 What is this software?
OpenEMR by OpenEMR
⚠️ Risk & Real-World Impact
Worst Case
Complete account takeover where an attacker modifies another user's profile to change credentials or contact information, then uses password reset mechanisms to gain full control of the account.
Likely Case
Unauthorized modification of other users' profile data including name, email, phone number, and other personal information, potentially leading to data integrity issues and privacy violations.
If Mitigated
Limited impact with proper network segmentation, strong authentication controls, and regular monitoring of profile modification logs.
🎯 Exploit Status
Exploitation requires authenticated access but is technically simple - just modifying request parameters. The advisory includes technical details that could facilitate exploitation.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 7.0.4
Vendor Advisory: https://github.com/openemr/openemr/security/advisories/GHSA-vjmv-cf46-gffv
Restart Required: Yes
Instructions:
1. Backup your OpenEMR installation and database.
2. Download OpenEMR version 7.0.4 or later from the official repository.
3. Follow the OpenEMR upgrade documentation for your specific deployment method.
4. Apply the patch and restart the web server.
5. Verify the fix by testing profile edit functionality.
🔧 Temporary Workarounds
Web Application Firewall Rule
Implement WAF rules to block requests with modified pubpid/pid parameters on profile edit endpoints
Access Control Enhancement
Implement additional server-side validation to ensure users can only edit their own profiles
🧯 If You Can't Patch
- Implement strict network segmentation to isolate OpenEMR from untrusted networks
- Enable detailed logging of all profile modification attempts and monitor for suspicious activity
🔍 How to Verify
Check if Vulnerable:
Check if your OpenEMR version is below 7.0.4 by visiting the OpenEMR interface and checking the version in the footer or admin panel.
Check Version:
Check the OpenEMR interface footer or run: grep -r '\$openemr_version' /path/to/openemr/installation/
Verify Fix Applied:
After upgrading to 7.0.4 or later, test that authenticated users cannot modify other users' profiles by attempting to edit a profile with modified pubpid/pid parameters.
📡 Detection & Monitoring
Log Indicators:
- Multiple profile modification requests from a single user account with different target user IDs
- Profile edit requests where requesting user ID differs from target user ID
Network Indicators:
- HTTP POST requests to profile edit endpoints with modified pubpid or pid parameters
SIEM Query:
source="openemr_logs" AND (event="profile_edit" OR event="user_update") AND user_id != target_user_id
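The two log indicators above, implemented over constructed sample log lines as an added example (not code from OpenEMR or from this advisory): it flags POST profile edits whose pid/pubpid differs from the requesting user's own record id, and users whose edits touch several foreign ids. The log line format, the /profile_edit path, and the login-to-id mapping are assumptions.

```python
"""Flag cross-user OpenEMR profile edits in an access log. Added example, not
OpenEMR project code; log format, endpoint path and id mapping are assumed."""
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Assumed log line shape: "<timestamp> user=<login> method=<verb> path=<url>"
LINE_RE = re.compile(r"^\S+ user=(\S+) method=(\S+) path=(\S+)$")
# Constructed mapping login -> record id that login may edit (a real
# deployment would take this from the session or the users table).
OWN_ID = {"alice": "101", "bob": "102", "carol": "103"}
# Constructed sample lines; /profile_edit is a placeholder endpoint name.
SAMPLE_LOG = """\
2025-01-10T10:00:01Z user=alice method=POST path=/profile_edit?pid=101
2025-01-10T10:00:05Z user=bob method=POST path=/profile_edit?pubpid=102
2025-01-10T10:01:00Z user=bob method=POST path=/profile_edit?pid=101
2025-01-10T10:01:02Z user=bob method=POST path=/profile_edit?pid=103
2025-01-10T10:01:04Z user=bob method=POST path=/profile_edit?pid=104
2025-01-10T10:02:00Z user=carol method=GET path=/profile_edit?pid=103
2025-01-10T10:02:30Z user=carol method=POST path=/profile_edit?pid=102
"""

def parse_line(line):
    """Return (user, method, target_id) or None if the line does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    user, method, path = m.groups()
    q = parse_qs(urlsplit(path).query)
    # pid or pubpid names the record being edited; pid wins if both appear.
    target = (q.get("pid") or q.get("pubpid") or [None])[0]
    return user, method, target

def cross_user_edits(log, own_id=OWN_ID):
    """POST edits whose target id differs from the requester's own id."""
    hits = []
    for line in log.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        user, method, target = parsed
        if method == "POST" and target is not None and target != own_id.get(user):
            hits.append((user, target))
    return hits

def enumerating_users(log, own_id=OWN_ID, threshold=2):
    """Users whose cross-user edits hit at least `threshold` distinct ids."""
    seen = defaultdict(set)
    for user, target in cross_user_edits(log, own_id):
        seen[user].add(target)
    return {u: sorted(t) for u, t in seen.items() if len(t) >= threshold}
```

Users absent from the mapping are flagged on every POST edit, which is deliberate: an unknown login editing any record deserves a look rather than a silent pass.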