The Epiphany Cardio Server is vulnerable to SQL injection and LDAP injection, allowing an unauthenticated attacker to gain administrator rights.
Epiphany Cardio Server was reported to be vulnerable to the following issues:
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') - CVE-2015-6537
An attacker on the local network may be able to bypass authentication and then read and modify patient information.
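The two weakness classes named above, CWE-89 (SQL injection) and LDAP injection in an authentication path, both come from placing untrusted input into a query or filter that is later parsed. The following is an added example written for this note; it is not Epiphany's code and says nothing about how Cardio Server is built. It assumes a made-up user table in an in-memory SQLite database and a directory schema using `objectClass=person` and a `uid` attribute, and shows the unsafe string-building pattern next to the hardened forms a defender would expect: parameter binding for SQL and RFC 4515 escaping for LDAP filter values.

```python
import sqlite3

# Constructed sample data: a tiny in-memory user table standing in for an
# application's account store. Names, roles and the hash placeholder are
# made up for this example and are not taken from the advisory.
SAMPLE_USERS = [
    ("admin", "<hash-placeholder>", "administrator"),
    ("clinician", "<hash-placeholder>", "user"),
]


def build_sample_db() -> sqlite3.Connection:
    """Create the constructed user table in an in-memory SQLite database."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (username TEXT PRIMARY KEY, pw_hash TEXT, role TEXT)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def lookup_role_unsafe(conn: sqlite3.Connection, username: str):
    """CWE-89 pattern: the untrusted username becomes part of the SQL text.

    A username containing a quote alters the statement itself, which is the
    root of the weakness; with a plain name like O'Brien it fails to parse.
    """
    sql = f"SELECT role FROM users WHERE username = '{username}'"
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def lookup_role_safe(conn: sqlite3.Connection, username: str):
    """Hardened form: the value is bound as a parameter, never parsed as SQL."""
    row = conn.execute(
        "SELECT role FROM users WHERE username = ?", (username,)
    ).fetchone()
    return row[0] if row else None


# RFC 4515 escaping for values placed inside an LDAP search filter.
_LDAP_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_ldap_filter_value(value: str) -> str:
    """Escape filter metacharacters so user input can only match literally."""
    return "".join(_LDAP_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_user_filter(username: str) -> str:
    """Build a search filter for one account (objectClass/uid are assumed)."""
    return f"(&(objectClass=person)(uid={escape_ldap_filter_value(username)}))"


if __name__ == "__main__":
    db = build_sample_db()
    print(lookup_role_safe(db, "admin"))      # administrator
    print(lookup_role_safe(db, "O'Brien"))    # None: the quote is just data
    try:
        lookup_role_unsafe(db, "O'Brien")
    except sqlite3.OperationalError as exc:
        print("unsafe query broke on a quote:", exc)
    print(build_user_filter("*"))             # (&(objectClass=person)(uid=\2a))
```

The contrast worth noting for code review is that `lookup_role_safe` never changes shape regardless of input, while `lookup_role_unsafe` produces a different statement for every username; the same holds for the LDAP filter, where an unescaped `*` or `)` would change the filter's meaning rather than the value being searched.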
Apply an update from the vendor.
Thanks to Alex Lauerman of TrustFoundry for reporting this vulnerability.
This document was written by Garret Wassermann.