CVE-2025-9313 CRITICAL

CVE-2025-9313: Unauthorized database access in Asseco mMedica

Vendor: Asseco Poland S.A.
Product: mMedica
Weakness: CWE-288
Published: October 28, 2025
Last update: October 28, 2025

CVSS base score

9.3/10
Attack vector: Network
Attack complexity: Low
Privileges required: None
User interaction: None
Confidentiality: High
Integrity: High

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

What the vulnerability does

01 Description

An unauthenticated user can connect to a publicly accessible database using arbitrary credentials. The system grants full access to the database by leveraging a previously authenticated connection made through the "mmBackup" application. This flaw allows attackers to bypass authentication mechanisms and gain unauthorized access to a database containing sensitive data. This issue affects Asseco mMedica in versions before 11.9.5.

Key dates

02 Disclosure timeline

October 28, 2025: CVE published
October 28, 2025: Record updated