CVE-2026-24848

CriticalPublic PoC

Published: 03 March 2026

Published

03 March 2026

Modified

04 March 2026

KEV Added

—

Patch

—

CVSS Score 9.9 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

EPSS Score 0.0012 30.7th percentile

Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Description

OpenEMR is a free and open source electronic health records and medical practice management application. In 7.0.4 and earlier, the disposeDocument() method in EtherFaxActions.php allows authenticated users to write arbitrary content to arbitrary locations on the server filesystem. This vulnerability…

can be exploited to achieve Remote Code Execution (RCE) by uploading malicious PHP web shells.

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Requires timely identification, reporting, and correction of the path traversal flaw in disposeDocument(), preventing exploitation for arbitrary file writes and RCE.

SI-10 Information Input Validation good match

prevent

Mandates validation of user inputs to the disposeDocument() method, blocking path traversal payloads that enable writing to arbitrary filesystem locations.

AC-3 Access Enforcement good match

prevent

Enforces logical access controls to restrict authenticated users from writing files to unauthorized server locations, directly countering the vulnerability's core mechanism.

Security SummaryAI

CVE-2026-24848 is a critical vulnerability in OpenEMR, a free and open source electronic health records and medical practice management application. It affects versions 7.0.4 and earlier, specifically in the disposeDocument() method of the EtherFaxActions.php component. This flaw enables authenticated users to write arbitrary content to arbitrary locations on the server filesystem, stemming from CWE-22 (Path Traversal). The issue carries a CVSS v3.1 base score of 9.9 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H), indicating critical severity due to its potential for widespread impact.

An attacker with authenticated access at low privilege levels (PR:L) can exploit this vulnerability remotely (AV:N) with low attack complexity (AC:L) and no user interaction required (UI:N). Successful exploitation allows writing files to sensitive server locations, enabling the upload of malicious PHP web shells. This leads to remote code execution (RCE), with a changed scope (S:C) resulting in high impacts on confidentiality, integrity, and availability.

Mitigation details are available in the GitHub Security Advisory at https://github.com/openemr/openemr/security/advisories/GHSA-5vp5-4rm6-h4c9, published on 2026-03-03. Security practitioners should consult this advisory for patching instructions and remediation steps specific to affected OpenEMR deployments.

Details

CWE(s): CWE-22

Affected Products

open-emr

openemr

≤ 7.0.4

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1505.003 Web Shell Persistence

Adversaries may backdoor web servers with web shells to establish persistent access to systems.

attack.mitre.org →

Why these techniques?

CVE enables exploitation of a public-facing web application (T1190) via path traversal, allowing authenticated users to write arbitrary files including PHP web shells for RCE (T1505.003).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

https://github.com/openemr/openemr/security/advisories/GHSA-5vp5-4rm6-h4c9
Exploit, Mitigation, Vendor Advisory · security-advisories@github.com