CVE-2025-29789
Published: 25 March 2025
Description
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.
Security Summary
CVE-2025-29789 is a directory traversal vulnerability (CWE-22, CWE-23) in the Load Code feature of OpenEMR, a free and open source electronic health records and medical practice management application. Versions prior to 7.3.0 are affected, as disclosed on 2025-03-25 with a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).
Unauthenticated attackers with network access can exploit this vulnerability through low-complexity attacks requiring no user interaction. Successful exploitation enables high-impact confidentiality violations, such as unauthorized access to sensitive files on the server, without affecting integrity or availability.
OpenEMR version 7.3.0 addresses the issue with a patch. Security practitioners should consult the GitHub security advisory at https://github.com/openemr/openemr/security/advisories/GHSA-ffpq-2wqj-v8ff and the fixing commit at https://github.com/openemr/openemr/commit/ef3bb7f84ebe8ef54d55416e587ec2fefd065489 for implementation details and upgrade guidance.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Directory traversal in a network-accessible web app (OpenEMR) directly enables unauthenticated exploitation of public-facing applications (T1190) and unauthorized reading of arbitrary local system files (T1005).