Skip to main content

Callvision Emergency Code CVE-2025-0603

CRITICAL
SQL Injection (CWE-89)
2025-10-07 iletisim@usom.gov.tr
9.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jun 06, 2026 - 08:30 vuln.today

DescriptionCVE.org

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Callvision Healthcare Callvision Emergency Code allows SQL Injection, Blind SQL Injection.

This issue affects Callvision Emergency Code: before V3.0.

AnalysisAI

SQL injection in Callvision Healthcare's Callvision Emergency Code product (versions prior to V3.0) allows remote unauthenticated attackers to manipulate backend database queries, including via blind SQLi techniques. The flaw carries a CVSS 9.8 critical rating with complete confidentiality, integrity, and availability impact, and no public exploit identified at time of analysis. Reported through Turkey's national CERT (USOM), this vulnerability is particularly concerning given the healthcare-emergency context where the affected system likely processes sensitive patient or incident data.

Technical ContextAI

The vulnerability is classified as CWE-89 (Improper Neutralization of Special Elements used in an SQL Command), the canonical SQL injection weakness class where user-supplied input is concatenated into SQL statements without proper parameterization or escaping. Callvision Emergency Code is a healthcare-sector emergency notification/code-call system produced by Callvision Healthcare, typically deployed in hospital environments to coordinate emergency response (code blue, code red, etc.). The tag explicitly notes both standard SQLi and Blind SQLi exploitation paths, meaning even injection points without visible error output or direct data return can be exploited via time-based or boolean-based inference. No CPE strings were provided in the source data, limiting the ability to mechanically match deployments.

Affected ProductsAI

Callvision Healthcare Callvision Emergency Code, all versions prior to V3.0, is affected. No CPE strings were published for this CVE, so automated asset discovery against NVD-style inventories is not possible from the provided data. Vendor and national advisories are published by Turkey's USOM/CERT at https://www.usom.gov.tr/bildirim/tr-25-0320 and https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-25-0320, which should be consulted for the precise product SKU and deployment guidance.

RemediationAI

Vendor-released patch: upgrade Callvision Emergency Code to V3.0 or later, which is identified by the advisory as the first non-vulnerable release. Operators should consult the USOM advisory at https://www.usom.gov.tr/bildirim/tr-25-0320 and the corresponding siberguvenlik.gov.tr bulletin for vendor coordination details. If immediate upgrade is not feasible, compensating controls include placing the application behind a Web Application Filter or WAF with SQLi signatures tuned to the application's request patterns (trade-off: signature-based WAFs can be bypassed by blind/time-based payloads referenced in the tag, so this is a delay, not a fix), restricting network reachability of the management and data interfaces to a dedicated clinical VLAN with IP allowlisting (trade-off: may impact legitimate cross-site emergency notification flows), and enabling database-side query logging to detect anomalous statements (trade-off: detective, not preventive, and adds I/O overhead).

Share

CVE-2025-0603 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy