Full Report
CERT Polska has received a report about 3 vulnerabilities (from CVE-2026-40550 to CVE-2026-40552) found in mpGabinet software.
Analysis Summary
# Vulnerability: Multiple Flaws in BinSoft mpGabinet resulting in RCE
## CVE Details
- **CVE ID:** CVE-2026-40550, CVE-2026-40551, CVE-2026-40552
- **CVSS Score:** Not explicitly provided in source (Estimated High/Critical due to RCE chain)
- **CWE:**
  - CWE-250 (Execution with Unnecessary Privileges)
  - CWE-603 (Use of Client-Side Authentication)
  - CWE-669 (Incorrect Resource Transfer Between Spheres)
## Affected Systems
- **Products:** BinSoft mpGabinet (Medical practice management software)
- **Versions:** All versions through 23.12.19
- **Configurations:** Systems where the application is connected to a backend database server.
## Vulnerability Description
Three distinct vulnerabilities permit a full compromise of the host system:
1. **CVE-2026-40550 (Privilege Escalation):** The application uses database credentials with excessive (administrative) privileges. These credentials can be extracted from the application process memory by any user with access to an active instance.
2. **CVE-2026-40551 (Authentication Bypass):** The software relies on client-side authentication. An attacker can modify the application binary to bypass login checks and impersonate any user.
3. **CVE-2026-40552 (Remote Command Execution):** Any authorized user with direct database access (attainable via the above CVEs) can modify attachment storage paths. By changing a file path to a remote network resource, the attacker forces the system to execute malicious code when a user attempts to open the manipulated attachment.
## Exploitation
- **Status:** Vulnerabilities reported and disclosed; PoC methodology described.
- **Complexity:** Medium (Requires memory inspection and binary manipulation).
- **Attack Vector:** Network (Access to the application instance/backend server).
## Impact
- **Confidentiality:** High (Full access to the backend database and arbitrary user accounts).
- **Integrity:** High (Ability to modify database records and system files via RCE).
- **Availability:** High (Potential for full system takeover and command execution).
## Remediation
### Patches
- Users should contact BinSoft to confirm the availability of a version higher than **23.12.19** that addresses these architectural flaws.
### Workarounds
- **Network Segmentation:** Use strict firewall rules to ensure only trusted application instances can communicate with the backend database.
- **Principle of Least Privilege:** Manually downgrade the database user privileges to the minimum required for standard application operations (though this may impact functionality).
- **Endpoint Security:** Implement robust EDR/AV solutions to detect suspicious modifications of the application binary or the execution of code loaded from unauthorized remote network resources.
## Detection
- **Indicators of Compromise:**
  - Unauthorized administrative connections to the backend database from client IP addresses.
  - Unexpected binary hash changes for the `mpGabinet` executable.
  - Attachment metadata in the database pointing to external SMB/UNC paths or remote IP addresses.
- **Detection Methods:** Monitor database logs for schema modifications or abnormal table access outside the typical application UI workflow.
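
One way to check exported attachment records for the third indicator above. This is an added example, not code from CERT Polska or BinSoft. It assumes the rows are exported as `(attachment_id, stored_path)` pairs with absolute paths, and `ALLOWED_ROOT` is a hypothetical storage directory to replace with the site's own.

```python
import ntpath
import re

# Assumption: the directory where this site legitimately stores attachments.
ALLOWED_ROOT = r"C:\mpGabinet\Attachments"  # hypothetical path

def classify_path(raw, allowed_root=ALLOWED_ROOT):
    """Return a reason string if a stored attachment path is suspicious, else None."""
    p = raw.strip().strip('"')
    # file://, http:// and similar. A drive letter ("C:/") is too short to match.
    if re.match(r"^[A-Za-z][A-Za-z0-9+.\-]+://", p):
        return "url-scheme"
    norm = p.replace("/", "\\")
    # \\?\UNC\host\share is a UNC path written in device-path form.
    if re.match(r"^\\\\[?.]\\UNC\\", norm, re.IGNORECASE):
        return "unc-device-path"
    # \\?\C:\... is a local path; drop the prefix and keep checking.
    if re.match(r"^\\\\[?.]\\", norm):
        norm = norm[4:]
    if norm.startswith("\\\\"):
        return "unc"  # covers \\host\share and WebDAV-style \\host@SSL\...
    # Resolve ".." and compare case-insensitively against the allowed root.
    full = ntpath.normcase(ntpath.normpath(norm))
    root = ntpath.normcase(ntpath.normpath(allowed_root))
    if full != root and not full.startswith(root + "\\"):
        return "outside-allowed-root"
    return None

def review_rows(rows):
    """Take (attachment_id, stored_path) pairs and return the flagged ones."""
    return [(i, path, why) for i, path in rows if (why := classify_path(path))]

# Constructed sample rows (not real data); 192.0.2.0/24 is a documentation range.
SAMPLE_ROWS = [
    (1, r"C:\mpGabinet\Attachments\2024\scan_001.pdf"),
    (2, r"\\192.0.2.10\share\wynik.pdf"),
    (3, r"\\?\UNC\files.example.net\pub\a.lnk"),
    (4, "file://files.example.net/pub/a.pdf"),
    (5, r"C:\mpGabinet\Attachments\..\..\Users\Public\x.exe"),
    (6, "c:/mpgabinet/attachments/2023/rtg.jpg"),
]

if __name__ == "__main__":
    for row in review_rows(SAMPLE_ROWS):
        print(row)
```

Rows flagged as `outside-allowed-root` include relative paths, so adjust that check if the deployment stores paths relative to a base directory.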
## References
- CERT Polska Advisory: [https://cert.pl/en/posts/2026/04/cve-2026-40550-40552/](https://cert.pl/en/posts/2026/04/cve-2026-40550-40552/)
- CVE-2026-40550: [https://www.cve.org/CVERecord?id=CVE-2026-40550](https://www.cve.org/CVERecord?id=CVE-2026-40550)
- CVE-2026-40551: [https://www.cve.org/CVERecord?id=CVE-2026-40551](https://www.cve.org/CVERecord?id=CVE-2026-40551)
- CVE-2026-40552: [https://www.cve.org/CVERecord?id=CVE-2026-40552](https://www.cve.org/CVERecord?id=CVE-2026-40552)