E Clinic Healthcare System Echs
Monthly
Information disclosure in PicoTronica e-Clinic Healthcare System ECHS 5.7 allows remote unauthenticated attackers to extract sensitive data via the Response Header Handler in the /cdemos/echs/api/v2/ endpoint. The vulnerability has been publicly disclosed with exploit code available, and a patch (version 5.7.1) has been released by the vendor.
Hard-coded administrative credentials in PicoTronica e-Clinic Healthcare System ECHS 5.7 enable remote attackers to bypass authentication and gain privileged access to the healthcare management platform. The vulnerability resides in the /cdemos/echs/priv/echs.js file where the ADMIN_KEY parameter contains static credentials, allowing network-level exploitation without authentication (AV:N/PR:N). Public exploit documentation exists, though CISA KEV does not list active exploitation. EPSS data unavailable, but the combination of healthcare sector targeting, authentication bypass capability, and public POC elevates real-world risk despite moderate CVSS 7.3 scoring.
Missing authentication in PicoTronica e-Clinic Healthcare System ECHS 5.7 allows remote unauthenticated attackers to access the /cdemos/echs/api/v2/patient-records API endpoint and retrieve sensitive patient information. Publicly available exploit code exists for this vulnerability. The vendor released patched version 5.7.1 to address the issue.
Information disclosure in PicoTronica e-Clinic Healthcare System ECHS 5.7 allows remote unauthenticated attackers to extract sensitive data via the Response Header Handler in the /cdemos/echs/api/v2/ endpoint. The vulnerability has been publicly disclosed with exploit code available, and a patch (version 5.7.1) has been released by the vendor.
Hard-coded administrative credentials in PicoTronica e-Clinic Healthcare System ECHS 5.7 enable remote attackers to bypass authentication and gain privileged access to the healthcare management platform. The vulnerability resides in the /cdemos/echs/priv/echs.js file where the ADMIN_KEY parameter contains static credentials, allowing network-level exploitation without authentication (AV:N/PR:N). Public exploit documentation exists, though CISA KEV does not list active exploitation. EPSS data unavailable, but the combination of healthcare sector targeting, authentication bypass capability, and public POC elevates real-world risk despite moderate CVSS 7.3 scoring.
Missing authentication in PicoTronica e-Clinic Healthcare System ECHS 5.7 allows remote unauthenticated attackers to access the /cdemos/echs/api/v2/patient-records API endpoint and retrieve sensitive patient information. Publicly available exploit code exists for this vulnerability. The vendor released patched version 5.7.1 to address the issue.