Callvision Emergency Code CVE-2025-0603
CRITICALSeverity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionCVE.org
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Callvision Healthcare Callvision Emergency Code allows SQL Injection, Blind SQL Injection.
This issue affects Callvision Emergency Code: before V3.0.
AnalysisAI
SQL injection in Callvision Healthcare's Callvision Emergency Code product (versions prior to V3.0) allows remote unauthenticated attackers to manipulate backend database queries, including via blind SQLi techniques. The flaw carries a CVSS 9.8 critical rating with complete confidentiality, integrity, and availability impact, and no public exploit identified at time of analysis. Reported through Turkey's national CERT (USOM), this vulnerability is particularly concerning given the healthcare-emergency context where the affected system likely processes sensitive patient or incident data.
Technical ContextAI
The vulnerability is classified as CWE-89 (Improper Neutralization of Special Elements used in an SQL Command), the canonical SQL injection weakness class where user-supplied input is concatenated into SQL statements without proper parameterization or escaping. Callvision Emergency Code is a healthcare-sector emergency notification/code-call system produced by Callvision Healthcare, typically deployed in hospital environments to coordinate emergency response (code blue, code red, etc.). The tag explicitly notes both standard SQLi and Blind SQLi exploitation paths, meaning even injection points without visible error output or direct data return can be exploited via time-based or boolean-based inference. No CPE strings were provided in the source data, limiting the ability to mechanically match deployments.
Affected ProductsAI
Callvision Healthcare Callvision Emergency Code, all versions prior to V3.0, is affected. No CPE strings were published for this CVE, so automated asset discovery against NVD-style inventories is not possible from the provided data. Vendor and national advisories are published by Turkey's USOM/CERT at https://www.usom.gov.tr/bildirim/tr-25-0320 and https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-25-0320, which should be consulted for the precise product SKU and deployment guidance.
RemediationAI
Vendor-released patch: upgrade Callvision Emergency Code to V3.0 or later, which is identified by the advisory as the first non-vulnerable release. Operators should consult the USOM advisory at https://www.usom.gov.tr/bildirim/tr-25-0320 and the corresponding siberguvenlik.gov.tr bulletin for vendor coordination details. If immediate upgrade is not feasible, compensating controls include placing the application behind a Web Application Filter or WAF with SQLi signatures tuned to the application's request patterns (trade-off: signature-based WAFs can be bypassed by blind/time-based payloads referenced in the tag, so this is a delay, not a fix), restricting network reachability of the management and data interfaces to a dedicated clinical VLAN with IP allowlisting (trade-off: may impact legitimate cross-site emergency notification flows), and enabling database-side query logging to detect anomalous statements (trade-off: detective, not preventive, and adds I/O overhead).
Same weakness CWE-89 – SQL Injection
View allShare
External POC / Exploit Code
Leaving vuln.today